0130.005.00 Confidentiality

0130.005.10.55 Penalties, Complaints, Privacy Officer, and Administrative Requirements

  1. Penalties: HIPAA provides the following civil and criminal penalties for the misuse of PHI.
    • Civil Penalties – Civil penalties are $100 per violation, up to $25,000 per person, per year for each violation.
    • Criminal Penalties – HIPAA creates criminal penalties for knowingly violating an individual’s privacy. These penalties are up to $50,000 and one year in prison for obtaining or disclosing PHI; up to $100,000 and up to five years in prison for obtaining PHI under “false pretenses”; and up to $250,000 and up to ten years in prison for obtaining or disclosing PHI with the intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm.
  2. Privacy Officer: DSS has a Privacy Officer to oversee all ongoing activities related to HIPAA compliance. The address for the Privacy Officer is: Division of Legal Services, P.O. Box 1527, Jefferson City, Missouri 65102-1527, (phone: 573-751-3229), (fax: 573-526-1484), (text: 800-735-2966), and (voice: 800-735-2466). The Family Support Division also has a privacy officer to address issues and questions that staff may have about HIPAA. The FSD privacy officer works with the DSS privacy officer to maintain departmental privacy efforts. Send HIPAA-related policy questions through normal supervisory channels to State Office, Income Maintenance, Program and Policy, attention: IM Privacy Officer, P.O. Box 88, Jefferson City, MO 65103.
  3. Complaints: Clients have the right to make a complaint about any policy or procedure used by staff to comply with HIPAA. Refer a person who wants to file a complaint about HIPAA compliance to the DSS Complaint Officer. Use the same address and phone numbers as for the DSS Privacy Officer. Advise the individual that he or she may be required to file a written complaint. Persons may file a complaint with the Secretary of the Department of Health and Human Services if they believe that the department (to include the division) is not complying with HIPAA. Clients can write to the Secretary at 200 Independence Avenue SW, Washington, DC 20201 or call 877-696-6775. Individuals may complain to the Office of Civil Rights by calling 866-627-7748 or 886-788-4989 TTY.
  4. Intimidation or Retaliation: Do not intimidate, threaten, coerce, discriminate against, or take other retaliatory actions against a person for exercising his or her HIPAA rights or for participating in a HIPAA-established process.
  5. Mitigation: Staff must lessen any harmful effect, known to staff, of a use or disclosure of PHI that violates the HIPAA privacy provisions. It is DSS policy that staff will take appropriate action to prevent further inappropriate uses or disclosures and pursue any feasible actions to lessen the harmful effects of any such violations. Staff should contact the FSD privacy officer for instructions if mitigation is necessary.
  6. Copying Costs and Format: The Privacy Officer may impose copying or other reproduction costs. The client’s agreement to any costs is confirmed by the person’s checking the appropriate box in the “Request for Individual’s Access to Their Protected Health Information” form. The request is processed in the format requested (i.e., microfiche, computer disk, etc.), if possible, and in a timely, consistent manner according to established timeframes, but not more than 30 days after receipt of the request. If the record cannot be accessed within the 30 days, the timeframe may be extended once for no more than an additional 30 days, with notification in writing from the privacy officer to the individual outlining the reasons for the delay and the date the request will be concluded. If a copying charge is imposed, it will be the same that FSD uses to reimburse medical providers. FSD cannot charge any search or retrieval fees.