Hospitals Should Review Their HIPAA Sanctions Policy
The Health Information Technology for Economic and Clinical Health (HITECH) Act changed the ballgame for sanctions related to HIPAA violations.
The Act provides a tiered system for assessing the level and penalty of each violation. CMS, which enforces the HIPAA Security Rule, and the Office for Civil Rights, which enforces the HIPAA Privacy Rule, can supersede the following limits, but with a cap of $50,000 per violation and $1.5 million for the calendar year for the same type of violation. The different tiers are:
- Tier A is for cases in which offenders didn't realize they violated the Act and would have handled the matter differently if they had
  - Minimum per violation: $100
  - Maximum per calendar year: $25,000
- Tier B is for violations "due to reasonable cause, and not to willful neglect," though HHS still must define "reasonable cause"
  - Minimum per violation: $1,000
  - Maximum per calendar year: $50,000
- Tier C is for infringements that the organization corrected, but were due to willful neglect
  - Minimum per violation: $10,000
  - Maximum per calendar year: $250,000
- Tier D is for violations due to willful neglect that the organization did not correct
  - Minimum per violation: $50,000
  - Maximum per calendar year: $1.5 million
How does the sanction structure look at your facility? HIPAA requires covered entities to have a structured sanction policy in place.
The American Health Information Management Association addressed handling breaches internally in a recent practice brief.