HIPAA
Health Insurance Portability & Accountability Act
General Civil Penalty for Failure to Comply
▪ $100/violation/person
▪ Not to exceed $25,000 in one calendar year
Criminal Penalties (Privacy)
A person who knowingly and wrongfully discloses individually identifiable health information is subject to fines and imprisonment:
▪ Simple offense - up to $50,000 and/or 1 year imprisonment
▪ If committed under false pretenses - up to $100,000 and/or 5 years imprisonment
▪ If committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm - up to $250,000 and/or 10 years imprisonment
Compliance Deadlines
Most entities have 24 months from the effective date of the final rules to achieve compliance.
Normally, the effective date is 60 days after a rule is published.
The Transactions Rule was published on August 17, 2000; the compliance date for that rule is October 16, 2003.
The Privacy Rule was published on December 28, 2000, but due to a minor glitch didn’t become effective until April 14, 2001. Compliance with the Privacy Rule was required as of April 14, 2003.
The final Security Rule was published April 21, 2003, with compliance required as of April 21, 2005. The final Standard Unique Employer Identifier was published on May 31, 2002. Compliance is required by July 30, 2004. Final standards for Provider and Health Plan Identifiers have not yet been published.