7/19/2020 HIPAA violations & enforcement | American Medical Association
https://www.ama-assn.org/practice-management/hipaa/hipaa-violations-enforcement 1/6
HIPAA
HIPAA violations & enforcement
DEC 6, 2019
U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy and Security Rules.
OCR enforces the Privacy and Security Rules in several ways:
- Investigating complaints filed with it
- Conducting compliance reviews to determine if covered entities are in compliance
- Performing education and outreach to foster compliance with the rules' requirements
OCR reviews the information that it gathers. In some cases, it may determine that the covered entity did not violate the requirements of the Privacy and Security Rules. In the case of noncompliance, OCR will attempt to resolve the case with the covered entity by obtaining:
- Voluntary compliance
- Corrective action and/or
- Resolution agreement
Failure to comply with HIPAA can also result in civil and criminal penalties. If a complaint describes an action that could be a violation of the criminal provision of HIPAA, OCR may refer the complaint to the Department of Justice (DOJ) for investigation.
Civil violations
In cases of noncompliance where the covered entity does not satisfactorily resolve the matter, OCR may decide to impose civil money penalties (CMPs) on the covered entity.
CMPs for HIPAA violations are determined based on a tiered civil penalty structure. The secretary of HHS has discretion in determining the amount of the penalty based on the nature and extent of the violation and the nature and extent of the harm resulting from the violation. The secretary is prohibited from imposing civil penalties (except in cases of willful neglect) if the violation is corrected within 30 days (this time period may be extended at HHS’ discretion).
Penalties for civil violations
HIPAA violation: Unknowing
Penalty range: $100 - $50,000 per violation, with an annual maximum of $25,000 for repeat violations
HIPAA violation: Reasonable Cause
Penalty range: $1,000 - $50,000 per violation, with an annual maximum of $100,000 for repeat violations
HIPAA violation: Willful neglect but violation is corrected within the required time period
Penalty range: $10,000 - $50,000 per violation, with an annual maximum of $250,000 for repeat violations
HIPAA violation: Willful neglect and is not corrected within required time period
Penalty range: $50,000 per violation, with an annual maximum of $1.5 million
Criminal penalties
Criminal violations of HIPAA are handled by the DOJ. As with the HIPAA civil penalties, there are different levels of severity for criminal violations.
Covered entities and specified individuals, as explained below, who "knowingly" obtain or disclose individually identifiable health information, in violation of the Administrative Simplification Regulations, face a fine of up to $50,000, as well as imprisonment up to 1 year.
Offenses committed under false pretenses allow penalties to be increased to a $100,000 fine, with up to 5 years in prison.
Finally, offenses committed with the intent to sell, transfer or use individually identifiable health information for commercial advantage, personal gain or malicious harm permit fines of $250,000 and imprisonment up to 10 years.
Covered entities
Criminal penalties for HIPAA violations are directly applicable to covered entities (CE) including:
- Health plans
- Health care clearinghouses
- Health care providers who transmit claims in electronic form
- Medicare prescription drug card sponsors
Individuals such as directors, employees or officers of the CE (where the CE is not an individual) may also be directly criminally liable under HIPAA in accordance with "corporate criminal liability." Where an individual of a CE is not directly liable under HIPAA, they can still be charged with conspiracy or aiding and abetting.
Interpreting “knowingly”
The DOJ interpreted the "knowingly" element of the HIPAA statute for criminal liability as requiring only knowledge of the actions that constitute an offense. Specific knowledge of an action being in violation of the HIPAA statute is not required.
Exclusion from Medicare
HHS has the authority to exclude from participation in Medicare any CE that was not compliant with the transaction and code set standards by Oct. 16, 2003 (where an extension was obtained and the CE is not small) (68 FR 48805).
HIPAA enforcement
https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/index.html
This resource is provided for informational and reference purposes only and should not be construed as the legal advice of the American Medical Association. Specific legal questions regarding this information should be addressed by one's own counsel.
Copyright 1995 - 2020 American Medical Association. All rights reserved.