Health Providers Facing Stiff HIPAA Regulations
Hefty Fines & Fuzzy Definitions
The new penalties for HIPAA violations are tiered based on “reasonableness” or “willfulness”:
- $100 minimum per violation if the covered entity was unaware of the violation and would not have known by exercising reasonable diligence
- $1,000 minimum per violation resulting from a “reasonable cause”
- $10,000 minimum per violation for “willful neglect” that is corrected
- $50,000 minimum per violation for “willful neglect” that is not corrected
Fines for multiple violations of an identical provision max out at $1.5 million per calendar year. But attorneys say the definitions are fuzzy. For example, in order to show that a violation resulted from a “reasonable cause,” a covered entity would have to show that it was unreasonable to comply with the rule, said Fehn.
“That’s going to be a tough standard,” said Fehn, although she added that it might be possible to meet the standard if a covered entity did everything right but the violation occurred because of a rogue employee.
She also noted that while “willful neglect” could mean a conscious, intentional failure, it could also mean “reckless indifference.” Such an interpretation should worry small health care providers, many of whom do not have a policy in place. “It’s a little fuzzy, and I would think a little bit scary to small providers because that is the maximum penalty. If you don’t have a policy, is that considered to be reckless indifference? You could be on the hook for $1.5 million,” said Fehn.