The rule also creates a system for compliance review by HHS Office of Civil Rights and a system of sanctions ranging from civil penalties of $100 per day to criminal charges, which could lead to prison sentences of up to ten years and fines of up to $250,000.
The penalties for non-compliance with the transactions and code sets are $100 per occurrence, up to a maximum of $25,000 per standard per year.
The civil penalties for covered entities that violate the privacy standards are $100 per incident, per year, per standard violated to a maximum of $25,000 per person.
The federal criminal penalties for violation of privacy are:
- Up to a $50,000 fine and/or up to one year in prison for obtaining or disclosing protected health information.
- Up to a $100,000 fine and/or up to five years in prison for obtaining protected health information under false pretenses.
- Up to a $250,000 fine and/or up to ten years in prison for obtaining or disclosing protected health information with the intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm.