Time was when violating the Health Insurance Portability and Accountability Act got you little more than a warning letter from the U.S. Department of Health and Human Services.
The HITECH Act also replaced the aforementioned warning letters with mandatory fines for violations. The most serious of these-those classified as "willful neglect"-include breaches of unsecured protected health information (PHI), and can carry penalties of up to $1.5 million.
A second-tier violation is where most physicians would most likely find themselves, and the fines for those are $1,000 per violation. Fines can go as high as $25,000 per violation, and can be levied for multiple incidents. In short, HIPAA violations can really add up.
HHS defines a PHI breach as "an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual."
Three types of incidents can trigger a HIPAA audit. (A random audit also is possible, although the odds are fairly low given the number of physicians in the United States compared to the number of HIPAA auditors.)
When applying for the incentives, physicians must explain how their practice meets HIPAA compliance requirements. The EHR must be certified as HIPAA-compliant, as must all the physician's policies and procedure manuals, employees need to undergo appropriate training, and all annual audits must be documented.