Health Insurance Portability and Accountability Act
White Paper
|
October 2020 Enacted in 1996, The Health Insurance Portability and Accountability Act (HIPAA), Public Law 104-191 set the standard for medical professionals who handle electronic health records. The Department of Health and Human Services (HHS) ensures and enforces HIPAA compliance. HHS has mandated that healthcare organizations must enact data security action plans that specifically outline how records will be protected. Compliant plans must implement safeguards at the administrative, physical, technical and organizational level.
Monetary Penalties
The monetary penalty structure under section (a)(3) is applied in Tiers:
- Tier 1(did not have knowledge of violation): $100 to $50,000 per violation; capped at $25,000 per year
- Tier 2(reasonable cause exists): $1,000 to $50,000 per violation: capped at $100,000 per year
- Tier 3(willful neglect, corrected); $10,000 to $50,000 per violation: capped at $250,000 per year
- Tier 4(willful neglect, not corrected): $50,000 per violation; capped at $1.5 million per year
Sections 261 to 264 of HIPAA require the Secretary of HHS to publicize standards for the electronic exchange, privacy and security of health information. The HHS assesses monetary penalties under 42 USC 1320d-5: General Penalty For Failure To Comply With Requirements and Standards.