I would also like to further add few points on New Interim Rule on HIPAA Penalties.

HIPAA establishes criminal penalties for a knowing misuse of unique health identifiers and individually identifiable health information:

• A fine of not more than $50,000 and/or imprisonment of not more than one year
• If misuse is under false pretenses, a fine of not more than $100,000 and/or imprisonment of not more than five years
• If misuse is with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, a fine of not more than $250,000 and/or imprisonment of not more than ten years.

The specific offenses to which harsher penalties apply include:

• Using a unique health identifier in violation of the HIPAA requirements for fraudulent purposes. Unique health identifiers include:
• Provider identifiers (effective May 23, 2007)
• Employer identifiers (currently in effect)
• Health plan identifiers (the rule for which has yet to be drafted by CMS)
• Individual identifiers (not likely to be defined and publication of a rule is unlikely)
• Obtaining or using individually identifiable health information in violation of the HIPAA privacy requirements
• Disclosing individually identifiable health information in violation of the HIPAA privacy requirement

In addition to significant financial penalties, remaining noncompliance might result in these additional consequences:
• Claims not honored
• Bad press
• Loss of reputation
• Legislative or state audits
• State law violations (such as of consumer protection laws)
• Civil lawsuits (HIPAA doesn’t provide for any private right of action, but that doesn’t prevent individuals filing suits for damages.)