The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Secretary of the U.S. Department of Health and Human Services (HHS) to develop regulations protecting the privacy and security of certain health information. To fulfill this requirement, HHS published what are commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule.
The Privacy Rule, or Standards for Privacy of Individually Identifiable Health Information, established national standards for the protection of certain health information. The Security Rule, or Security Standards for the Protection of Electronic Protected Health Information, established a national set of security standards for protecting certain health information that is held or transferred in electronic form.
The Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations called “covered entities” (and, since the HITECH Act, their business associates) must put in place to secure individuals’ “electronic protected health information” (e-PHI). Within HHS, the Office for Civil Rights (OCR) enforces the Privacy Rule. Enforcement of the Security Rule was originally delegated to the Centers for Medicare & Medicaid Services (CMS), but since July 2009 OCR has enforced both rules. OCR conducts voluntary compliance activities, investigates complaints and breach reports, and can impose civil money penalties.
The Security Rule does not expressly prohibit the use of email for sending e-PHI. However, the standards for access control (45 CFR § 164.312(a)), integrity (45 CFR § 164.312(c)(1)), and transmission security (45 CFR § 164.312(e)(1)) require covered entities to implement policies and procedures that restrict access to e-PHI, protect its integrity, and guard against unauthorized access to e-PHI sent and received over email.
The transmission security standard (§ 164.312(e)) lists encryption as an “addressable” implementation specification (§ 164.312(e)(2)(ii)). Addressable does not mean optional: each covered entity must assess its use of open networks such as the Internet, identify the available and appropriate means to protect e-PHI as it is transmitted, implement encryption where it is reasonable and appropriate, and document the decision (including any equivalent alternative measure adopted instead). The Security Rule allows e-PHI to be sent over an open network as long as it is adequately protected. For email, that means encrypting either the message content or the transport, since plain SMTP across the Internet provides neither confidentiality nor integrity.
The HITECH Act (Health Information Technology for Economic and Clinical Health Act), enacted in 2009, amended the HIPAA Privacy and Security Rules, with most of its provisions taking effect during 2009 and 2010. One of the most notable changes is in the penalties for HIPAA violations, including breaches of patient information. When HIPAA was first enacted, civil penalties were capped at $100 per violation and $25,000 per calendar year for violations of the same requirement. Under HITECH, the maximum civil penalty is $1.5 million per calendar year for violations of an identical provision, a figure HHS now adjusts annually for inflation.
In 2013, HHS published the Omnibus Rule, a final rule that implements a number of provisions of the HITECH Act to strengthen the privacy and security protections for health information established under HIPAA. The Omnibus Rule enhances patients’ privacy protections, gives individuals new rights to their health information, makes business associates directly liable for compliance, and strengthens the government’s ability to enforce the law.
Fines as well as criminal penalties can be imposed on the violating institution and on the individuals involved. Since HITECH, state attorneys general also have the authority to bring civil actions in federal court on behalf of their states’ residents for HIPAA violations, in addition to federal enforcement by OCR. The penalties associated with email breaches and non-compliance are broken down in the next section.
Penalties for Non-Compliance
HHS, through OCR, may impose civil money penalties for non-compliance, and the Department of Justice (DOJ) prosecutes criminal violations. There are four tiers of civil penalties, based on the violator’s level of culpability. The dollar amounts below are the statutory figures (HHS adjusts them annually for inflation). OCR decides how violations are counted, and each non-compliant email containing PHI may be counted as a separate violation.
Tier 1: You did not know, and by exercising reasonable diligence would not have known, that you were violating HIPAA, for example that the email service you were using was not suitable for PHI. This is very hard to prove, but some organizations still assume that sending PHI over ordinary, non-compliant email is acceptable. HHS may resolve the matter with technical assistance or a corrective action plan rather than a fine. Otherwise, the civil penalty is at least $100 per violation (up to $50,000 per violation), with an annual cap of $25,000 for violations of an identical provision. Criminal charges are not typically involved at this tier, because the criminal statute requires a knowing violation.
Tier 2: The violation was due to reasonable cause and not willful neglect: you knew, or should have known, that your handling of PHI over email did not meet the requirements, but you did not act with conscious indifference. The civil penalty is at least $1,000 per violation (up to $50,000 per violation), with an annual cap of $100,000 for violations of an identical provision.
Tier 3: Willful neglect that is corrected within 30 days of when you knew, or should have known, of the violation. Using a HIPAA-compliant email service but not following its policies and procedures is a common example: you understand what the provider’s instructions require, but you choose not to do it, for instance by forwarding messages to a non-compliant email account (or vice versa), or by refusing to use the supported email software or devices that keep your communications secure. The civil penalty is at least $10,000 per violation (up to $50,000 per violation), with an annual cap of $250,000 for violations of an identical provision, provided the violation is corrected within the 30-day window.
Tier 4: Identical to tier 3 except that you fail to correct the violation within 30 days, even after being warned by HHS. This is the most severe case of willfully neglecting HIPAA requirements. The civil penalty is $50,000 per violation, with an annual cap of $1.5 million for violations of an identical provision.
Criminal penalties are separate from the civil tiers and are prosecuted by DOJ under 42 U.S.C. § 1320d-6, which covers knowingly obtaining or disclosing individually identifiable health information in violation of HIPAA. They are graded by intent rather than by civil tier: a knowing violation carries a fine of up to $50,000 and up to one year in prison; a violation committed under false pretenses carries up to $100,000 and up to five years; and a violation committed with intent to sell, transfer, or use the information for commercial advantage, personal gain, or malicious harm carries up to $250,000 and up to ten years. OCR may refer a case to DOJ at any civil tier where the facts suggest a knowing violation.