HIPAA Security Risk Assessment

HIPAA Penalties and Enforcement

Civil penalties include fines of up to $1.5 million per violation, and additional fines can be applied if the violator fails to cooperate with investigators.  Civil enforcement of HIPAA is administered by the HHS Office for Civil Rights (OCR). 

Criminal penalties apply to the intentional misuse of health information for commercial or personal gain, or intentional harm.  Criminal penalties can include fines and imprisonment for up to 10 years. Criminal enforcement of HIPAA is conducted by the U.S. Department of Justice (DOJ). 

When first enacted, HIPAA did not include funding for enforcement, but the recently passed HITECH Act provided significant funding for audits and breach investigations. These changes have created a stricter regulatory environment, resulting in many more investigations and penalties. Failure to comply with HIPAA has cost healthcare organizations millions of dollars in fines. 

HIPAA Risk Assessment: 

There are more than 2,700,000 HIPAA individual organizations that are required by law to conduct a HIPAA Risk Assessment, including

• Hospitals; Urgent Care Clinics; Dental Offices; Nursing Homes;
• Behavioral Health Facilities; Diagnostic Labs; Correctional Facilities; Pharmacies;
• IT Service Providers;
• Shredding Companies; Documents Storage Companies;
• Attorneys;
• Accountants;
• Collection Agencies;
• EMR companies;
• Data Centers, Online Backup companies, and Cloud vendors;
• Insurance Agents;
• Revenue Cycle Management vendors;
• Contract Transcriptionists

Healthcare providers receive direct financial incentives for early EHR adoption and Meaningful Use against a series of established deadlines. Incentive programs are overseen by the Centers for Medicare & Medicaid Services.