OCR verifies the information collected. In some cases, it can be determined that the company concerned has not violated the requirements of the confidentiality and security rules. In the event of non-compliance, OCR will attempt to resolve the case with the relevant company by obtaining the following: For more information on the history and details of each HIPAA rule, please visit www.hhs.gov/hipaa/for-professionals/index.html and click on "Privacy", "Security" or "Breach Notification" on the left toolbar. Since the introduction of the Information Technology Act (Section 13410(e)(1)) in February 2009, attorneys general have had the authority to hold HIPAA-insured companies accountable for exposing PSRs to state residents and to bring civil lawsuits in federal district courts. HIPAA penalties can be issued up to a maximum of $25,000 per violation category per calendar year. The minimum penalty is $100 per violation. Affected companies and business partners can only provide the necessary notifications if the breach involved insecure protected health information. Unsecured protected medical information is protected medical information that has not been rendered useless, illegible or indecipherable to unauthorized persons by the use of any technology or methodology specified by the Secretary in the instructions. The Health Insurance Portability and Accountability Act of 1996 imposed a number of requirements on HIPAA-insured businesses to protect patients' protected health information (PHI) and tightly control when PHI can be shared and to whom. If you violate HIPAA rules due to a lack of training, your employer is to blame because it is required by law to provide training "as necessary and appropriate for members of the workforce to perform their duties in a HIPAA-compliant manner" (HIPAA Privacy Rule).
To avoid disputes as to whether adequate training was provided, employers must document the training offered, the date it was offered and the people who attended it. A fine can also be imposed on a daily basis. For example, if an affected company has denied patients the right to receive copies of their medical records and has done so for a period of one year, the OCR may decide to impose a penalty per day the covered entity violated the law. The penalty would be multiplied by 365, not by the number of patients who are denied access to their medical records. Affected businesses and business partners, where applicable, have the discretion to provide the necessary notices of violations as a result of improper use or disclosure without conducting a risk assessment to determine the likelihood that protected health information has been compromised. If a HIPAA-insured business partner violates HIPAA rules, civil penalties may be imposed. When healthcare professionals violate HIPAA, it is usually their employer who receives the penalty, but not always. If healthcare professionals knowingly receive or use protected health information for reasons not authorized by the HIPAA Privacy Rule, they may be held criminally liable for the HIPAA violation under the criminal enforcement provision of HIPAA's "Administrative Simplification" subtitle. Affected companies must notify data subjects after a breach of unsecured protected health information has been detected. The undertakings concerned must submit this individual notification in writing by first-class post or, alternatively, by e-mail if the data subject has consented to receive such communications electronically.
If the company concerned has insufficient or outdated contact information for 10 or more persons, the affected company must provide an individual replacement notice by publishing the notice on the home page of its website for at least 90 days or by making the notice available in the main print or audiovisual media where the persons concerned are likely to be located.
The affected company must provide a toll-free phone number that will remain active for at least 90 days so that individuals can find out whether their information was involved in the breach. If the affected company has insufficient or outdated contact information for fewer than 10 people, the target company may provide a replacement notice through another form of written notice, by telephone or otherwise. In the event of infringements for which the targeted entity does not satisfactorily resolve the issue, OCR may decide to impose civil money penalties (CMP) on the registered entity. The HIPAA Violation Notification Rule requires business partners to notify affected companies of a breach of protected health information in a timely manner. The aim of this regulation is for the companies concerned and their business partners to be proactive with regard to the safety of PHI. However, many business partners and even affected companies do not regularly assess the risk of their systems, resulting in violations and fines. Without regular, formal risk assessments, many business partners fail to identify the threats and the potential legal and financial impact of fines for HIPAA non-compliance. After a long delay, OCR is now conducting the second phase of HIPAA compliance audits. Audits are not specifically performed to detect HIPAA violations and impose financial penalties, although financial penalties may be considered appropriate where serious HIPAA violations are detected.