Can I Be Sued for a HIPAA Violation?

I am asked that question almost weekly. While the answer has traditionally been “no,” the legal landscape is shifting and the risk of being sued continues to increase. Let’s first start with some background. As some of you may know, HIPAA does not include a “private right of action.” This means that an individual may not file a claim against a covered entity or a business associate in order to enforce HIPAA or seek damages in response to a HIPAA violation. For example, a patient is not able to sue a dentist if the dentist fails to distribute a Notice of Privacy Practices or enter into a business associate agreement….

READ MORE

The Reality of HIPAA Violations and Enforcement

Who is ultimately responsible for enforcement of HIPAA and what types of penalties are levied when a covered entity or business associate is found to be non-compliant with the regulations? Many healthcare offices and their staff don’t know the answer to this question; they have only a vague notion about the enforcement and the consequences of not adhering to the law. The real HIPAA enforcement agency is the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR). Complaints are filed with the OCR, and they are responsible for administering, investigating and enforcing the HIPAA privacy standards. The Centers for Medicare & Medicaid (CMS) enforce the code…

READ MORE

HIPAA Final Rule: Enforcement–Factors for Determining Civil Money Penalties for HIPAA Violations

February 25, 2013.  Today, we examine factors considered in determining the amount of a civil money penalty for a HIPAA violation that are modified in the Final Rule:  Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013. The Department of Health and Human Services (HHS) identified “five general factors”…

READ MORE