The HIPAA Privacy Rule (45 CFR Parts 160 and 164) provides the “federal floor” of privacy protection for health information in the United States, while allowing more protective (“stringent”) state laws to continue in force. Under the Privacy Rule, protected health information (PHI) is defined very broadly. PHI includes individually identifiable health information related to the past, present or future physical or mental health or condition, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual. Even the fact that an individual received medical care is protected information under the regulation.
The Privacy Rule establishes a federal mandate for individual rights in health information, imposes restrictions on uses and disclosures of individually identifiable health information, and provides for civil and criminal penalties for violations. The complementary Security Rule includes standards for protection of health information in electronic form.
Penalties for violations of privacy.
HIPAA provides both civil and criminal penalties for violations of privacy. The civil penalties are imposed by the Department of Health and Human Services for violations of the Privacy Rule's requirements; the criminal penalties come from the HIPAA statute itself rather than the Privacy Rule and apply to a person who knowingly obtains or discloses PHI in violation of the statute, with the heaviest penalties reserved for offenses committed with intent to cause harm or for gain. The figures below are those of the original 1996 statute. Civil penalties were set at $100 per violation, capped at $25,000 per calendar year for all violations of an identical requirement by the same person. Criminal penalties for wrongful disclosure of PHI can reach $250,000 and/or 10 years imprisonment when the offense is committed with intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm. (The HITECH Act of 2009 later replaced the civil penalty amounts with a tiered schedule keyed to the violator's degree of culpability, reaching $1.5 million per year for identical violations.)