The Health Information Technology for Economic and Clinical Health (HITECH) Act changed the ballgame for sanctions related to HIPAA violations.
The Act provides a tiered system for assessing the level and penalty of each violation. CMS, which enforces the HIPAA Security Rule, and the Office for Civil Rights, which enforces the HIPAA Privacy Rule, can supersede the following limits, but with a cap of $50,000 per violation and $1.5 million for the calendar year for the same type of violation. The different tiers are:
How does the sanction structure look at your facility? HIPAA requires covered entities to have a structured sanction policy in place.
The American Health Information Management Association addressed handling breaches internally in a recent practice brief.