Data breaches are a problem for every company, including medical practices. Cybercriminals are constantly finding new ways to hack into private servers to steal data. Because medical files contain private information that criminals can exploit for personal gain, medical practices are a prime target for cybercriminals. For patients and physicians, data breaches can be very costly.
In this article, our New York doctors’ criminal defense attorney discusses some of the liability issues faced by physicians after a data breach.
What Information Is Protected?
Protected health information (PHI) is individually identifiable health information that a covered entity or its business associate creates, receives, maintains, or transmits. It covers a person’s past, present, or future physical or mental health condition, the health care provided to that person, and payment for that care, whenever the information is tied to identifiers such as a name, telephone number, address, or Social Security number, or could otherwise reasonably be used to identify the person. PHI that is stored or transmitted in electronic form is referred to as electronic PHI (ePHI).
Federal and state laws protect a patient’s information. In this article, we discuss HIPAA’s privacy rule, security rule, and breach notification rule.
What is the HIPAA Privacy Rule?
HIPAA requires covered entities and their business associates to protect PHI. The privacy rule applies to health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with HIPAA-covered transactions such as billing. Health care providers have a duty to maintain the privacy of a patient’s records. The privacy rule dictates when and how PHI may be used or disclosed, and generally limits uses and disclosures to the minimum necessary for the purpose at hand.
What is the HIPAA Security Rule?
The security rule specifies the administrative, physical, and technical safeguards that covered entities and business associates must implement to protect the confidentiality, integrity, and availability of electronic PHI. Each practice must conduct a risk analysis of the threats to its ePHI and implement measures that reduce those risks to a reasonable and appropriate level; the rule does not prescribe particular technologies. Whether a given set of measures complies depends on the practice’s size, complexity, and technical infrastructure, the cost of the measures, and the likelihood and potential impact of the risks to ePHI.
What is the HIPAA Breach Notification Rule?
The breach notification rule requires covered entities to notify affected individuals without unreasonable delay, and in no case later than 60 calendar days after discovering a breach of unsecured PHI. Breaches affecting 500 or more individuals must also be reported to HHS within that same 60-day window, and, if more than 500 residents of a single state or jurisdiction are affected, to prominent media outlets serving that area. Breaches affecting fewer than 500 individuals must be logged and reported to HHS annually, within 60 days after the end of the calendar year in which they were discovered. A business associate that discovers a breach must notify the covered entity, which remains responsible for the notifications to individuals.
Criminal and Civil Penalties for Data Breaches
Physicians can be held liable for violating the HIPAA rules governing the privacy and security of PHI. Civil monetary penalties are assessed per violation and scaled by the level of culpability, subject to an annual cap of $1.5 million for all violations of an identical provision.
HIPAA civil penalties are separated into four tiers by culpability:
- First Tier – The physician did not know of the violation and, by exercising reasonable diligence, would not have known. Fines range from $100 to $50,000 per violation, up to the annual cap.
- Second Tier – The violation had a reasonable cause and did not result from willful neglect, but the physician knew of it or could have discovered it through due diligence. Fines range from $1,000 to $50,000 per violation, up to the annual cap.
- Third Tier – The violation resulted from willful neglect but was corrected within 30 days of the physician learning of it. Fines range from $10,000 to $50,000 per violation, up to the annual cap.
- Fourth Tier – The violation resulted from willful neglect and was not corrected within 30 days. Fines are $50,000 per violation, up to the annual cap.
In addition to civil fines, knowingly obtaining or disclosing individually identifiable health information in violation of HIPAA is a federal crime. It is punishable by fines and imprisonment, and the maximum penalties increase when the offense is committed under false pretenses or with intent to sell the information or to use it for commercial advantage, personal gain, or malicious harm.
Breach of Privacy Lawsuits on the State Level
HIPAA does not create a private right of action, so patients cannot sue physicians under HIPAA itself in federal court. Some state laws do allow lawsuits, however. Claims for invasion of privacy, breach of doctor-patient confidentiality, negligence, and other civil causes of action can expose a physician whose patient data is breached to substantial civil liability. Damages awarded in a civil lawsuit are in addition to any fines or criminal penalties assessed under HIPAA.
New York Physician Criminal Defense Attorney Assists Physicians with Data Security Issues
If you have questions about data security issues, or you are facing a criminal or civil matter related to a data breach, schedule a consultation with New York criminal defense attorney Mark J. Sacco today to discuss your legal options and defense strategies. Your best chance of defending yourself and your practice from charges is to engage an experienced attorney as quickly as possible to begin formulating defenses to the allegations.