Significant Changes to HIPAA Law: Institution, Workforce Members Subject to Criminal, Civil Penalties

August 31, 2009

When the Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law in February 2009, new laws with far-reaching requirements went into effect, including an enhanced enforcement program for HIPAA compliance. In the past, HIPAA offenses carried minimal federal penalties. That has changed, and you can expect that federal audits for HIPAA compliance will increase.

New criminal and civil penalties, which affect all of Johns Hopkins Medicine, health plans and health care providers, as well as individual faculty and staff, may come into effect. These include the following:

  • Any workforce member who misuses protected health information may be subject to criminal penalties, which can include jail time of up to 10 years.
  • Civil monetary penalties have significantly increased, with a maximum penalty of $1.5 million during a calendar year for each of four types of violations.
  • State attorneys general can bring legal actions against covered entities to collect damages and attorneys’ fees on behalf of individuals adversely affected by HIPAA violations.

To keep patients, health plan members, workforce members and the institution safe, regular updates about the new law, as well as the procedures, practices and standards that Johns Hopkins departments must follow to be compliant, will be sent in the near future. If you have a question, contact the Johns Hopkins Privacy Officer at 410-735-6509 or [email protected].