Monday, May 07, 2007

HIPAA / HIPAA Penalties

I was asked a couple of questions regarding my post Security - Making information secure. What is HIPAA? And Is a HIPAA violation that serious?

So, here is a good definition of what HIPA.

The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the U.S. Congress in 1996. According to the Centers for Medicare and Medicaid Services' (CMS) website,
Title II of HIPAA, the Administrative Simplification (AS) provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers.
The provision also address the security and privacy of health data. The standards are meant to improve the efficiency and effectiveness of the nation's health care system by encouraging the widespread use of electronic data interchange in the US health care system. (

violation penalties (HIPAA)
42 USC 1320d-6 (HIPAA Sec. 1177) contains the criminal penalties for violating the HIPAA privacy standards. It states:
"a. Offense.—
A person who is in violation of this part—
1. uses or causes to be used a unique health identifier;
2. obtains individually identifiable health information relating to an individual; or
3. discloses individually identifiable health information to another person,
shall be punished as provided in subsection (b).
b. Penalties.—
A person described in subsection (a) shall—
1. be fined not more than $50,000, imprisoned not more than 1 year, or both;
2. if the offense is committed under false pretenses, be fined not more than $100,000, imprisoned not more than 5 years, or both; and
3. if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, be fined not more than $250,000, imprisoned not more than 10 years, or both."

So… Do you think that they are serious??? By the way, that is per incident – 2.9 million incidents.

No comments: