Government regulations constantly push physicians to balance patient interest and privacy concerns. A failure to navigate this balance can result in allegations of privacy violations. These violations can come with a steep penalty. Fortunately for medical professionals, that penalty will soon change.
First, some history: The United States Department of Health and Human Services (HHS) manages violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH). The agency recently released a publication to notify the public that it will exercise its discretion on how it regulates financial penalties for violations.
HITECH guides financial penalties. This law breaks HIPAA violations into four categories:
- Tier 1 — unintentional violations. Penalty could range from $100 to $50,000 per violation.
- Tier 2 — violation was the result of reasonable cause, not willful neglect. Penalty could range from $1,000 to $50,000 per violation.
- Tier 3 — willful neglect, but corrected in a timely manner. Penalty ranges from $10,000 to $50,000 per violation.
- Tier 4 — willful neglect and not corrected in a timely manner. Penalty set at $50,000 per violation.
When lawmakers first passed the law in 2009, the penalty limit was set at $1.5 million per year. This was true regardless of the tier of the violation.
What will change? Lawmakers have changed the annual limit to reflect the tier of the violation. In 2019, the limit will change to $25,000 for a Tier 1 violation, $100,000 for a Tier 2 violation, $250,000 for a Tier 3 violation and $1.5 million for a Tier 4 violation.