Penalties for violating HIPAA

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) established rules protecting the privacy and security of individually identifiable health information. The HIPAA Privacy Rule and Security Rule set national standards requiring organizations and individuals to implement certain administrative, physical, and technical safeguards to maintain the confidentiality, integrity, and availability of protected health information (PHI).

Failure to comply with HIPAA requirements can result in civil and criminal penalties, as well as progressive disciplinary actions through Indiana University, up to and including termination. These civil and criminal penalties can apply to both covered entities and individuals.

Section 13410(D) of the HITECH Act, which became effective on February 18, 2009, revised section 1176(a) of the Social Security Act by establishing:

  • Four categories of violations that reflect increasing levels of culpability
  • Four corresponding tiers of penalties that significantly increase the minimum penalty amount for each violation
  • A maximum penalty amount of $1.5 million for all violations of an identical provision

Civil monetary penalties

  Tier 1: The covered entity or individual did not know (and by exercising reasonable diligence would not have known) that the act was a HIPAA violation.
    Penalty: $100-$50,000 for each violation, up to a maximum of $1.5 million for identical provisions during a calendar year

  Tier 2: The HIPAA violation had a reasonable cause and was not due to willful neglect.
    Penalty: $1,000-$50,000 for each violation, up to a maximum of $1.5 million for identical provisions during a calendar year

  Tier 3: The HIPAA violation was due to willful neglect, but the violation was corrected within the required time period.
    Penalty: $10,000-$50,000 for each violation, up to a maximum of $1.5 million for identical provisions during a calendar year

  Tier 4: The HIPAA violation was due to willful neglect and was not corrected.
    Penalty: $50,000 or more for each violation, up to a maximum of $1.5 million for identical provisions during a calendar year

Criminal penalties

  Tier: Unknowingly or with reasonable cause
    Potential jail sentence: Up to one year

  Tier: Under false pretenses
    Potential jail sentence: Up to five years

  Tier: For personal gain or malicious reasons
    Potential jail sentence: Up to ten years

To report a HIPAA violation, you can use the Complaint Portal Assistant on the US Department of Health and Human Services Office for Civil Rights (OCR) website. If you have questions, you may contact the OCR toll free at 800-368-1019 (TDD: 800-537-7697). For additional contact information, see the OCR's Contact Us page.

If you have questions about securing HIPAA-regulated research data at IU, email securemyresearch@iu.edu. SecureMyResearch provides self-service resources and one-on-one consulting to help IU researchers, faculty, and staff meet cybersecurity and compliance requirements for processing, storing, and sharing regulated and unregulated research data; for more, see About SecureMyResearch. To learn more about properly ensuring the safe handling of PHI on UITS systems, see the UITS IT Training video Securing HIPAA Workflows on UITS Systems. To learn about division of responsibilities for securing PHI, see Shared responsibility model for securing PHI on UITS systems.

For more, see:

This is document ayzf in the Knowledge Base.
Last modified on 2023-08-16 13:09:19.