A few new (and sharper) teeth in HIPAA enforcement
Several valid criticisms of HIPAA since the Privacy Rule took effect in 2003 concern lackluster enforcement of the rule’s requirements and insufficient penalties for non-compliance. The basic civil penalty for an unintentional violation is just $100 per occurrence, capped at $25,000 per calendar year for violations of the same requirement. Statutory criminal penalties go as high as $250,000 and 10 years in prison for intentional disclosure in knowing violation of the law, yet the Justice Department has brought only four criminal cases in the five years since covered entities became bound by the rule. What’s more, individuals harmed by HIPAA violations have no private right of action under HIPAA. They are limited to filing complaints with the HHS Office for Civil Rights (OCR), and it is up to the federal government to determine whether a violation occurred and whether to pursue the accused party. OCR receives many complaints, but in part because of common misconceptions about what HIPAA does and does not permit, most of them describe conduct that is not actually a violation, and formal investigations of alleged violations are quite rare.
The HITECH Act strengthens the potential enforcement of privacy compliance in a couple of important ways. The criminal penalties are unchanged, but civil penalties are now tiered according to the culpability behind the violation (from unknowing violations up to willful neglect left uncorrected), with maximums rising well above the old $25,000 annual cap, and HHS is now required to formally investigate any suspected violation involving “willful neglect” of the law. Individuals still have no private right of action, but state attorneys general are now empowered to bring civil suits on behalf of state residents harmed by HIPAA violations. Perhaps most interestingly for a framework built on voluntary compliance, civil monetary penalties collected for HIPAA violations will now go to OCR to fund its compliance and investigation activities, and HHS has been tasked with developing a methodology under which a share of those penalties may in the future be distributed to the harmed individuals who bring complaints. This last provision gives individuals a financial incentive to report HIPAA violations; however, given how unlikely it is that the public will come to understand the full requirements of the law, it may also produce an increase in alleged violations for actions or practices that are not in fact contrary to the law.