BREACH NOTIFICATION AND HIPAA ENFORCEMENT
You have responsibilities to report breaches of unsecured PHI. To learn more about these requirements and HIPAA enforcement, visit Chapter 7 of the Guide [PDF - 323 KB]. CEs and BAs that fail to comply with the HIPAA Rules could face civil and criminal penalties.
Civil Penalties
The Office for Civil Rights (OCR) is able to impose civil penalties for organizations that fail to comply with the HIPAA Rules. The potential civil penalties are substantial. Your good faith effort to be in compliance with the HIPAA Rules is essential. State attorneys general also may bring civil actions and obtain damages on behalf of state residents for violations of the HIPAA Rules. 
Learn more about OCR’s HIPAA enforcement; HIPAA Privacy, Security, and Breach Notification Audit Program; and HIPAA Enforcement Rule.  
Criminal Penalties
The U.S. Department of Justice investigates and prosecutes criminal violations of HIPAA. Under HIPAA, the Justice Department can impose criminal penalties for:
• Knowing misuse of unique health identifiers 

• Knowing and unpermitted acquisition or disclosure of Protected Health Information (PHI)