• Both the Agency and the other covered entity have or have had a relationship with the individual, and the PHI pertains to that relationship.
• The disclosure is for specified healthcare operations purposes, including quality assessment and improvement activities, case management or care coordination, training, accreditation activities, licensing activities, fraud and abuse detection, research, public health and in emergencies affecting life or safety, judicial proceedings, to provide information to the next-of-kin, for identification of the body of a deceased person, and compliance.

In all instances, the Agency must make reasonable efforts to limit the PHI used, disclosed, or requested to the minimum amount necessary to achieve the purpose of the use, disclosure, or request. This also means the Agency must decide the minimum amount of PHI needed by employees to perform their duties. The exception is a disclosure made for treatment purposes, to which this requirement does not apply.

The government takes compliance with HIPAA regulations very seriously. Enforcement is maintained by the following entities:
• Privacy Standard
  o U.S. Department of Health & Human Services Office for Civil Rights
• Security Standard
  o Centers for Medicare & Medicaid Services
• Transaction and Code Set Standards
  o Centers for Medicare & Medicaid Services

Penalties for Non-Compliance: If a privacy violation is reported and substantiated, there could be civil or criminal penalties.
• Civil Penalties
  o $100 per incident up to a maximum of $25,000 per person, per year, per standard.
• Criminal Penalties
  o Up to $50,000 and one year in prison for obtaining or disclosing PHI.
  o Up to $100,000 and up to five years in prison for obtaining PHI under false pretenses.
  o Up to $250,000 and up to 10 years in prison for obtaining or disclosing PHI with the intent to transfer, sell, or use it for monetary gain or malicious harm.

The following are some tips for maintaining compliance with the HIPAA requirements:
• Familiarize yourself with the HIPAA regulation.
• Know the name of the Privacy Officer and Security Officer.