We provide compliance evaluations and resolutions for medical facilities to ensure that all computer and email systems meet or exceed legal minimum requirements as defined by the Health Insurance Portability and Accountability Act of 1996, more commonly referred to as HIPAA. If your computer systems are not currently HIPAA-compliant, we will help you navigate the process to become so. Please contact us for further information regarding validation.

For more details on the legislation itself, see the HIPAA pages on the U.S. Department of Health & Human Services website.

HIPAA compliance can mean the difference between staying in business and having to shut down as a result of hefty fines. Penalties for HIPAA violations, including those involving email, are tiered by severity. The UC Davis Health System outlines the basics of the non-compliance penalties as follows (note that the excerpt below quotes the statute as originally enacted; the HITECH Act of 2009 later raised the civil monetary penalty amounts in 42 U.S.C. § 1320d-5, so check the current text before relying on the figures):

42 U.S.C. § 1320d-5 General penalty for failure to comply with requirements and standards

(a) General penalty

(1) In general
Except as provided in subsection (b), the Secretary shall impose on any person who violates a provision of this part a penalty of not more than $100 for each such violation, except that the total amount imposed on the person for all violations of an identical requirement or prohibition during a calendar year may not exceed $25,000.
* * *

42 U.S.C. § 1320d-6 Wrongful disclosure of individually identifiable health information

(a) Offense

A person who knowingly and in violation of this part-

(1) uses or causes to be used a unique health identifier;
(2) obtains individually identifiable health information relating to an individual; or
(3) discloses individually identifiable health information to another person,
shall be punished as provided in subsection (b).

(b) Penalties

A person described in subsection (a) shall-

(1) be fined not more than $50,000, imprisoned not more than 1 year, or both;
(2) if the offense is committed under false pretenses, be fined not more than $100,000, imprisoned not more than 5 years, or both;
(3) if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, be fined not more than $250,000, imprisoned not more than 10 years, or both.