Civil and Criminal Enforcement of HIPAA Privacy and Security Regs on the Rise


By George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

The Office of Civil Rights (OCR), a division within the U.S. Department of Health and Human Services (HHS), is the federal organization responsible for investigating complaints and enforcing the Privacy and Security Regulations implementing the Health Insurance Portability and Accountability Act, commonly referred to as “HIPAA.”

As the COVID-19 pandemic seems to be leveling off and more employees are going back to the office, and into the field, HIPAA complaint investigations will definitely pick up. Furthermore, criminal prosecutions for violations of HIPAA have recently been on the rise as well.

OCR’s Investigations and Enforcement Actions.

OCR enforces the HIPAA Privacy and Security Regulations in several ways:

The first method is receiving and investigating HIPAA violation complaints. These can easily be filed online at https://www.hhs.gov/hipaa/filing-a-complaint/.

If you receive a notice from the OCR that it is investigating a HIPAA complaint against you, it will request a large number of documents relating to the matter. It is crucial that you retain the services of an experienced health lawyer to assist you in responding. Often, it will not be necessary to provide all of the documents requested by OCR, if your attorney determines that certain legal grounds exist for avoiding this. Regardless, you should seek legal counsel, since both criminal and civil sanctions may result.

OCR Also Conducts Compliance Audits.

OCR conducts compliance reviews to determine if covered entities are in compliance. Covered entities include, for example, physicians, medical groups, nurse practitioners (in most cases), psychologists, mental health counselors (in most cases), pharmacists, health clinics (in most cases), assisted living facilities (ALFs), home health agencies (HHAs), hospitals, and many others.

OCR reviews the information that it gathers through its investigation or audit. In some cases, it may determine that the covered entity did not violate the Privacy Regulations or the Security Regulations. However, where the covered entity has committed a violation, OCR may do any of the following:

Dismiss the matter or take no further action.

Obtain the covered entity’s agreement for voluntary compliance going forward.

Obtain corrective action through a corrective action plan (CAP).

Negotiate a resolution agreement (RA).

Assess civil penalties (monetary fines).

Refer the matter to the Department of Justice (DOJ) for further investigation and criminal prosecution.

Civil Violations.

In cases of noncompliance where the covered entity does not satisfactorily resolve the matter, OCR may decide to impose civil money penalties (CMPs) on the covered entity. It can then take further administrative or civil litigation action to enforce these if they are not paid.

Civil monetary penalties for HIPAA violations are determined based on a tiered civil penalty structure. The HHS secretary has discretion in determining the amount of the penalty based on the nature and extent of the violation and the nature and extent of the harm resulting from the violation. HHS is prohibited from imposing civil monetary penalties (except in cases of willful neglect) if the violation is corrected within 30 days (this time period may be extended at HHS’s discretion). So it is imperative to retain an attorney and get on top of the situation fast.

The range of penalties for civil violations.

HIPAA violation: Unknowing
Penalty range: $100 – $50,000 per violation, with an annual maximum of $25,000 for repeat violations

HIPAA violation: Reasonable Cause
Penalty range: $1,000 – $50,000 per violation, with an annual maximum of $100,000 for repeat violations

HIPAA violation: Willful neglect but corrected (violation is corrected within the required time period)
Penalty range: $10,000 – $50,000 per violation, with an annual maximum of $250,000 for repeat violations

HIPAA violation: Willful neglect, not promptly corrected (violation is not corrected within the required time period)
Penalty range: $50,000 per violation, with an annual maximum of $1.5 million

Criminal penalties for violations.

In June 2005, DOJ clarified who can be held criminally liable under HIPAA. Its clarification included officers, employees, and other principals of business entities (corporations and companies) that are covered entities, including co-conspirators, aiders, and abettors of the acts.

Criminal violations of HIPAA are investigated and prosecuted by DOJ. As with the civil penalties, there are different criminal penalties based on the level of severity of the criminal violation.

Covered entities and specified other individuals who knowingly obtain or disclose individually identifiable health information, in violation of the Administrative Simplification Regulations to the HIPAA Regulations, face a fine of up to $50,000, as well as imprisonment for up to one (1) year.

Offenses committed under false pretenses allow penalties to be increased to a $100,000 fine, with up to five (5) years in prison.

Finally, offenses committed with a profit motive, in other words, with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm permit fines of $250,000 and imprisonment up to ten (10) years.

What is a “Covered Entity?”

One thing to remember is that HIPAA and its enforcing regulations only apply to “covered entities” with certain minor exceptions. The following are examples of “covered entities”:

Health plans (e.g., health insurers, HMOs, PPOs)

Health care clearinghouses

Health care providers who transmit claims in electronic form (this will cover almost all health facilities and health professionals)

Medicare prescription drug card sponsors

Individuals such as directors, employees, or officers of a covered entity (where the covered entity is not an individual) may be criminally liable under HIPAA per the “corporate criminal liability” theory.

Criminal Penalties for HIPAA Violations.

Yes, there are criminal penalties, including prison for up to ten (10) years, possible for HIPAA violations.

To read an earlier blog I wrote on criminal penalties for HIPAA violations, please click here.

What is the Definition of “Knowingly?”

The DOJ interprets the required element of “knowingly” in the criminal liability section of HIPAA as requiring only knowledge of the actions that constitute an offense. Specific knowledge that an action is a violation of HIPAA is not required.

Can a HIPAA Violation Lead to Exclusion from the Medicare Program?

HHS has the authority to exclude from participation in Medicare any covered entity that was not compliant with certain HIPAA Regulations under certain circumstances. Call your healthcare lawyer for details on this.

For information on the effects of exclusion from any government-sponsored healthcare program on a doctor, nurse, dentist, or any other health provider, visit our website’s Health Law Articles and Documents page to view the OIG’s Special Advisory Bulletin.


The Administrative Simplification Act Simplifies it All.

The Administrative Simplification Act sought to clarify and simplify parts of HIPAA and increase specific penalties for violations. See Title 42, United States Code, Chapter 7, Subchapter XI, Part C (Administrative Simplification Act).

The Administrative Simplification Regulations authorize a fine of up to $50,000, as well as imprisonment up to one year. Offenses committed under false pretenses allow penalties to be increased to a $100,000 fine, with up to five years in prison. Finally, offenses committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm permit fines of $250,000 and imprisonment for up to 10 years.

Misuse and Disclosure of “Unique Health Identifiers.”

The wrongful use of a unique health identifier can be charged as a violation of 42 U.S.C. § 1320d–6(a)(1) and (b)(1), the penalty provision of which is set forth in 42 U.S.C. § 1320d–6(b)(1). “Unique health identifier” includes a patient’s name, address, social security number, insurance member ID number, description of health history, and description of the patient’s symptoms.

Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.

The attorneys of The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals, and other healthcare providers and institutions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).

For more information about HIPAA violations, electronic health records, or corrective action plans (CAPs), please visit our website at www.TheHealthLawFirm.com or call (407) 331-6620 or toll-free: (888) 331-6620.

About the Author: George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law. He is the President and Managing Partner of The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone: (407) 331-6620 Toll-Free: (888) 331-6620.

“The Health Law Firm” is a registered fictitious business name of and a registered service mark of The Health Law Firm, P.A., a Florida professional service corporation, since 1999. Copyright © 2021 The Health Law Firm. All rights reserved.

How Criminal Charges Can Affect Your Professional Medical License

By George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

Every health care provider knows that their license to practice can be disciplined for misconduct on the job. However, many are surprised to learn that they can also be disciplined for actions including criminal charges that occur outside their professional lives.  A criminal conviction for a felony or misdemeanor that is not directly related to their profession can still result in discipline.

Criminal Charges Do Impact Professional Licenses.

Licensing authorities are charged with protecting the general public, not the individuals they regulate. Most health care practitioner practice acts include criminal convictions as one of the grounds for the denial or discipline of a professional license. Some of those acts (for example, Florida) allow the disciplinary authority to impose discipline upon a conviction even when adjudication is withheld.

These authorities can and do impose discipline based upon the facts underlying a conviction, even when the conviction itself is not directly related to the practice of a profession.  For example, a conviction for driving under the influence (DUI) or reckless driving can raise the question of whether the practitioner could be impaired or reckless while providing patient care.  The licensing authority will most likely investigate these matters and the facts underlying the offense to determine if the practitioner poses a threat to the public.

Therefore, if you have been arrested for DUI, disorderly conduct, assault, or any other misdemeanor, you can anticipate that the state, the Department of Health (DOH) or the Department of Licensing and Regulatory Affairs will start an investigation. It is imperative that you retain an attorney who can immediately defend your freedom during your criminal case and also protect your livelihood during licensing proceedings.


Conviction of Felony or Misdemeanor Charges May Lead to Suspension of Professional License.

In many cases, a conviction may trigger a report to the state licensing board. In Florida, for example, a physician or other licensed health professional who is required to have a practitioner profile must update that profile with the information about the conviction within 15 days. In Florida, a physician or other licensed health professional must also notify his or her licensing board or the Department of Health (when there is no board), in writing, within 30 days.

If you are facing felony or misdemeanor charges, it is imperative that you seek the advice and experience of an attorney who can navigate the criminal and administrative courts and get you the best possible result to protect your freedom and livelihood. Remember, your profession is often your only means of support.

Practitioners who have been arrested generally want their criminal cases resolved as quickly and quietly as possible.  Unfortunately, they may inadvertently accept a plea arrangement that results in severe discipline or revocation of their license.  All health care providers and their criminal attorneys should consider the consequences to the practitioner’s license before accepting a plea arrangement and should consult with an experienced health law attorney. Click here to read one of our prior blogs for more information on this.

Contact Health Law Attorneys Experienced in Handling Licensure Matters and Disciplinary Matters.

If you have been arrested, it is strongly recommended that you retain an experienced health care attorney who can advise you and your criminal counsel as to the effects a potential outcome could have on your license.

The Health Law Firm routinely represents physicians, pharmacists, nurses, and other healthcare practitioners in licensure matters.  We frequently consult with criminal defense attorneys regarding defense strategies tailored to minimizing criminal sanctions while at the same time preserving the practitioner’s license.

To contact The Health Law Firm please call (407) 331-6620 or (850) 439-1001 and visit our website at www.TheHealthLawFirm.com.


“The Health Law Firm” is a registered fictitious business name of George F. Indest III, P.A. – The Health Law Firm, a Florida professional service corporation, since 1999. Copyright © 2018 The Health Law Firm. All rights reserved.
