HIPAA Violations in Colorado Can Incur Serious Punishments

5571 darken lighten center w skin softBy Carole. C. Schriefer, R.N., J.D.

The Health Insurance Portability and Accountability Act (HIPAA) is a well known Federal regulation among Colorado health care professionals. However, did you know that not complying with HIPAA mandates can cost you thousands of dollars in fines? Did you know that non-compliance could land you behind bars? Health care professionals and facilities across Colorado should be aware of these legal provisions.

Don’t Become a White Collar Criminal.

In June 2005, the U.S. Department of Justice (DOJ) clarified who can be held criminally liable under HIPAA. Covered entities and specified individuals, who “knowingly” obtain or disclose individually identifiable health information in violation of the Administrative Simplification Regulations face a fine of up to $50,000, as well as imprisonment up to one year. Offenses committed under false pretenses allow penalties to be increased to a $100,000 fine, with up to five years in prison. Finally, offenses committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm permit fines of $250,000, and imprisonment for up to 10 years.

HIPAA Violations Can Cost Big Bucks.

The “American Recovery and Reinvestment Act of 2009”(ARRA), that was signed into law in 2009, establishes a tiered civil penalty for HIPAA violations. The Secretary of the Department of Health and Human Services (DHHS) still has discretion in determining the amount of the penalty based on the nature and extent of the violation and the nature and extent of the harm resulting from the violation. However, the Secretary is still prohibited from imposing civil penalties (except in cases of willful neglect) if the violation is corrected within 30 days (this time period may be extended).

The following outlines the ARRA tiered civil penalty structure for HIPAA violations:


Individual did not know that he/she violated HIPAA and by exercising reasonable diligence, would not have known.
Minimum Penalty: $100 per violation, with an annual maximum of
$25,000 for repeat violations. Note: This is the maximum penalty that can be imposed by the State Attorney General regardless of the violation.
Maximum Penalty: $50,000 per violation, with an annual maximum of $1.5 million.

HIPAA violation due to reasonable cause and not due to  willful neglect.
Minimum Penalty: $1,000 per violation, with an annual maximum of $100,000 for repeat violations.
Maximum Penalty: $50,000 per violation, with an annual maximum of $1.5 million.

HIPAA violation due to willfull neglect but violation is corrected within the required time period.
Minimum Penalty: $10,000 per violation, with an annual maximum of $250,000 for repeat violations.
Maximum Penalty: $50,000 per violation, with an annual maximum of $1.5 million.

HIPAA violation due to willful neglect and is not corrected.
Minimum Penalty: $50,000 per violation, with an annual maximum of $1.5 million.
Maximum Penalty: $50,000 per violation, with an annual maximum of $1.5 million.

Who Is Responsible For HIPAA Violations?

The DOJ concluded that the criminal penalties for a violation of HIPAA are directly applicable to covered entities—including health plans, health care clearinghouses, health care providers who transmit claims in electronic form, and Medicare prescription drug card sponsors. Individuals such as directors, employees, or officers of the covered entity, where the covered entity is not an individual, may also be directly criminally liable under HIPAA in accordance with principles of “corporate criminal liability.” Where an individual of a covered entity is not directly liable under HIPAA, he/she can still be charged with conspiracy or aiding and abetting.

The Interpretation of “Knowingly.”

The DOJ interpreted the “knowingly” element of the HIPAA statute for criminal liability as requiring only knowledge of the actions that constitutes an offense. Specific knowledge of an action being in violation of the HIPAA statute is not required.

Consequences Include Medicare Penalties As Well.

DHHS has the authority to exclude a health care provider in violation of HIPAA laws from the Medicare Program and any covered entity that is not compliant with the transaction and code set standards by October 16, 2003 (68 Fed. Reg. 48805).

This is a powerful tool. Medicare exclusion can be a death sentence for a health care provider.

Who Carries The Big Stick Enforcing HIPAA?

The HHS Office for Civil Rights (OCR) enforces the privacy standards, while the Centers for Medicare & Medicaid Services (CMS) enforce both the transaction and code set standards and the security standards (65 Fed. Reg. 18895). Enforcement of the civil monetary provisions has not yet been tasked to an agency.

For more information on enforcement of the privacy standards, click here.


Have you ever received discipline for a HIPAA violation? Do these penalties seem harsh to you? Please leave any thoughtful comments below.

Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.

The attorneys of The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals and other health care providers and institutions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).

For more information about HIPAA violations, electronic health records or corrective action plans (CAPs) please visit our website at www.TheHealthLawFirm.com or call (970) 416-7456.

About the Author: Carole C. Schriefer is a nurse-attorney with The Health Law Firm, which has a national practice. Its regional office is in the Denver, Colorado, area. www.TheHealthLawFirm.com The Health Law Firm, 155 East Boardwalk Drive, Fort Collins, Colorado 80525. Phone: (970) 416-7456.

The Health Law Firm” is a registered fictitious business name of George F. Indest III, P.A. – The Health Law Firm, a Florida professional service corporation, since 1999.

Copyright © 1996-2014 The Health Law Firm. All rights reserved.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s