Health Insurance Portability and Accountability Act (HIPAA)
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that sets rules for handling health information to protect patients' privacy and ensure their health information is secure.
It was enacted by the U.S. Congress in 1996 primarily to protect health insurance coverage for workers and their families when they change or lose their jobs. Over the years, its role has broadened to ensure the privacy and security of individual health information, known as Protected Health Information (PHI) or Electronic Protected Health Information (ePHI). HIPAA sets nationwide standards for patient data handling by entities such as healthcare providers and insurers and is supplemented by the HIPAA Security Rule, the HIPAA Privacy Rule, and the HIPAA Breach Notification Rule, which are designed to protect health information while ensuring healthcare services run smoothly.
In short, the above are connected as follows:
- HIPAA (Health Insurance Portability and Accountability Act of 1996) initially helped people keep their health insurance when they changed or lost their jobs; over time it expanded to include specific rules to protect personal health information.
- The HIPAA Privacy Rule brought along national standards for protecting all types of health information, whether stored on paper, electronically, or spoken. It helps ensure that personal health details are kept private and gives individuals the right to access their health records, ask for copies, and make corrections if needed.
- The HIPAA Breach Notification Rule regulates the way notifications of breaches are sent out in order to mitigate the potential harm that can result from PHI breaches.
- Last but not least, the HIPAA Security Rule focuses on protecting electronic health information and outlines specific actions that healthcare providers must take to keep this information safe, such as using secure methods to send data, setting up strong access controls, and ensuring physical security measures are in place.
Together, the three Rules ensure that healthcare providers handle personal health information responsibly and securely, allowing necessary information to flow to improve healthcare quality and protect public health while maintaining privacy and security. When it comes to websites of covered entities, HIPAA has specific implications for how personal health information is handled to ensure privacy and security.
How does HIPAA define Personal Information and what are other key definitions?
HIPAA and its Rules don’t mention or define ‘personal information’ as such. Instead, they define the following types of information:
- “Health Information” is any information, whether oral or recorded in any form or medium, that is created or received by a healthcare provider, health plan, public health authority, employer, life insurer, school or university, or healthcare clearinghouse and relates to the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual.
- “Protected Health Information (PHI)” is any individually identifiable health information that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium. This excludes information in education records covered by the Family Educational Rights and Privacy Act, employment records held by a covered entity in its role as an employer, and information about a person deceased for more than 50 years.
- “Individually Identifiable Health Information” is a subset of health information, including demographic information collected from an individual, that either identifies the individual or provides a reasonable basis to believe the information can be used to identify the individual. This includes information created or received by a healthcare provider, health plan, employer, or healthcare clearinghouse that relates to the physical or mental health or condition of an individual, the provision of healthcare to an individual, or the payment for the provision of healthcare to an individual.
- "Electronic Protected Health Information" (ePHI) is defined as any Protected Health Information (PHI) that is created, stored, transmitted, or received in any electronic form. This specific classification of PHI includes a wide range of electronic mediums such as emails, electronic medical records, online transactions, and data saved on computers or servers. The protection of ePHI is a critical component of HIPAA's Security Rule, which mandates safeguards (administrative, physical, and technical) to ensure the confidentiality, integrity, and security of electronic medical information.
Other relevant definitions under HIPAA include that of covered entities or business associates. Under HIPAA, a "covered entity" is defined as any of the following:
- Health Plans: This includes various types of insurance providers such as health insurance companies, HMOs (Health Maintenance Organizations), company health plans, and government programs that pay for healthcare such as Medicare and Medicaid.
- Healthcare Providers: Any provider of medical or health services that transmits any health information in electronic form in connection with a transaction for which the U.S. Department of Health and Human Services has adopted standards. This includes doctors, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies.
- Healthcare Clearinghouses: These are entities that process nonstandard health information they receive from another entity into a standard (i.e., HIPAA-compliant) format, or vice versa. Examples include billing services and community health management information systems.
Under HIPAA, a “Business Associate” is defined as a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information (PHI) on behalf of, or provides services to, a covered entity. A business associate isn’t limited to third-party service providers but also includes any entity that creates, receives, maintains, or transmits PHI in the course of performing services for a covered entity.
Some examples of services that a business associate may provide include, but are not limited to:
- Processing claims
- Data analysis, processing, or administration
- Utilization review
- Quality assurance
- Billing
- Benefit management
- Practice management
- Repricing
- Providing legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services where such services involve the disclosure of PHI.
Also, some examples of business associates can include:
- A third-party administrator that assists a health plan with claims processing.
- A CPA (certified public accountant) firm whose accounting services to a health care provider involve access to protected health information.
- An attorney whose legal services to a health plan involve access to protected health information.
- A consultant that performs utilization reviews for a hospital.
- A health care clearinghouse that processes health information received from another entity and translates it from a non-standard format into a standard format, or vice versa.
- An independent medical transcriptionist that provides transcription services to a physician.
Who has to comply with HIPAA?
HIPAA mandates compliance for the following types of covered entities, as defined above:
- Healthcare providers, which are any providers of medical or other health services that transmit any type of health information in electronic form in connection with a transaction covered by HIPAA.
- Health plans, understood as those entities that provide or pay the cost of medical care, which can include health, dental, vision, and prescription drug insurers, as well as health maintenance organizations (HMOs), Medicare, Medicaid, and Medicare supplemental insurers.
- Healthcare clearinghouses, which are those entities that process or facilitate the processing of health information received from another entity in a nonstandard format into a standard format, or vice versa.
Who is excluded from HIPAA compliance?
Generally, any entities that do not engage in standard healthcare transactions covered by HIPAA rules are excluded. Examples include organizations such as:
- Life Insurers.
- Employers.
- Schools and School Districts that do not maintain student health records electronically.
- Workers' Compensation Insurers.
What are the requirements for covered entities under HIPAA?
In order to be compliant with HIPAA, covered entities must take a series of proactive steps to ensure the safety of the health information they collect, store, and process, the first of which is understanding HIPAA’s regulations and rules. To help you better understand the HIPAA requirements, we’ve summarized the HIPAA Rules and their regulations. First, let’s look at the basic steps for compliance with HIPAA:
- Protect Patient Privacy: As a covered entity, you must keep patients' personal health information private. This means you can only share their information for specific reasons such as treatment, payment, or healthcare operations, and even then, only the minimum necessary information should be shared.
- Implement Security Measures: You must protect all electronic health information using appropriate administrative, physical, and technical safeguards. This includes securing computers and networks, limiting access to authorized individuals, and training employees on how to handle sensitive health information securely.
- Patient Rights: You must respect and facilitate patients' rights to access and control their health information. This includes providing patients with copies of their health records upon request, correcting inaccuracies in their information, and providing an accounting of disclosures when requested.
- Notice of Privacy Practices: You are required to provide a clear and concise document outlining your practices regarding the use and protection of patients' health information and explaining patients' rights under HIPAA. When it comes to your website, you are required to have a clear privacy policy available which explains to individuals what types of PHI are collected, how the data is used, who the data is shared with, and how the data is protected.
- Risk Assessments: You are required to conduct regular assessments to detect vulnerabilities in the protection of PHI.
- Policies and Procedures: Another requirement for covered entities is implementing and updating privacy policies that comply with HIPAA regulations.
- Breach Notification Procedures: Your organization should have in place protocols to follow in the event of a breach of PHI.
- Business Associate Agreement (BAA): As a covered entity, you must have a contract or other arrangement with your business associates that establishes specifically what the business associate has been engaged to do and requires the business associate to comply with the requirements to protect the privacy and security of protected health information. These agreements ensure that business associates use, disclose, and safeguard PHI only as permitted or required by the contract and the HIPAA Rules. By definition, a business associate agreement helps to ensure that the third parties handling PHI maintain the confidentiality, integrity, and availability of that data in compliance with HIPAA regulations.
The HIPAA Privacy Rule
The HIPAA Privacy Rule outlines a series of obligations which focus on the protection of individually identifiable health information (IIHI) and are directed towards covered entities, as defined above, including their websites. Key obligations include the following:
- Uses and Disclosures of Protected Health Information
- Establish Policies and Procedures: Develop and implement on-site and website-specific policies that limit the use and disclosure of PHI strictly to those situations permitted by the Privacy Rule, such as for treatment, payment, or healthcare operations, or where the individual has authorized the disclosure.
- Apply Safeguards: Ensure that PHI is not used or disclosed improperly by applying appropriate administrative, technical, and physical safeguards. As regards websites, this would include encryption and secure access protocols.
- Minimum Necessary Use and Disclosure: When using or disclosing PHI, or when requesting PHI from another entity, use or request only the amount of information that is minimally necessary to achieve the purpose of the use or disclosure.
- Individual Rights:
- Consumer rights requests: Provide individuals with a way to submit requests on your website for the rights afforded to them by HIPAA. This includes:
- Access to PHI: Provide individuals with access to their PHI in a designated record set. This includes the right to inspect or obtain a copy of the information within 30 days of the request.
- Amendments to PHI: Allow individuals to request an amendment of their PHI if they believe it is inaccurate or incomplete. Covered entities must consider the request and, if appropriate, make the necessary amendments.
- Notice of Privacy Practices: Develop and distribute a notice that provides a clear explanation of how PHI is used and disclosed, the individual’s rights, and the entity’s legal duties regarding the PHI. In the case of your website, clearly post and make accessible a privacy notice on the website detailing how PHI is used, disclosed, individual rights, and the entity's obligations under HIPAA.
- Minimum Necessary Requirement
- Define Minimum Necessary: Define what constitutes the "minimum necessary" use and disclosure of PHI based on the specific duties and roles within the organization, making sure these are also adhered to in your website’s operation.
- Restrict Access: Restrict access to PHI to only those workforce members who need it to perform their job functions.
- Review Procedures: Regularly review and update your on-site and website procedures to ensure compliance with the minimum necessary standard when using or disclosing PHI.
- Business Associates
- Business Associate Agreements (BAAs): Ensure that agreements with business associates contain assurances that they will use PHI only as permitted by the Privacy Rule and will safeguard the information from misuse. This applies equally to your website: any third-party service providers with access to PHI collected through it must be bound by BAAs that mandate compliance with the HIPAA Privacy Rule and protect the information from misuse.
- Oversight and Compliance: Monitor business associates' compliance with the HIPAA regulations and take corrective action for any breaches or violations.
- Documentation and Record Keeping: Maintain documentation of the business associate agreements and any incidents of use or disclosure of PHI that are inconsistent with the agreements.
- Administrative Safeguards
- Privacy Policies and Procedures: Develop, implement, and maintain privacy policies and procedures that comply with the HIPAA Privacy Rule.
- Workforce Training and Management: Train all members of the workforce on the privacy policies and procedures, both on-site and website ones, as necessary and appropriate for them to carry out their functions. Implement disciplinary measures for violations of these policies.
- Complaint Management: Provide on your website a way for individuals to make complaints about your privacy practices and address such complaints effectively.
- Data Privacy Officer: Designate a privacy official who is responsible for the development and implementation of the privacy policies and procedures that apply to your organization both on-site and on the website.
The HIPAA Security Rule
The HIPAA Security Rule establishes a series of obligations for the protection of electronic protected health information (ePHI) collected on websites which can be grouped into several areas, such as administrative, physical, and technical safeguards, as follows:
Administrative Safeguards
- Security Management Process:
- Risk Analysis and Management: Perform and document a thorough risk assessment to identify all potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI handled through your website and implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
- Sanction Policy: Apply appropriate sanctions against workforce members who fail to comply with the security policies.
- Information System Activity Review: Regularly review web server logs, audit trails, and access records to monitor the security of the ePHI on your website.
- Assigned Security Responsibility: Designate a security official responsible for developing and implementing security policies and procedures for website operations.
- Workforce Security:
- Ensure that all members of the workforce have appropriate access to ePHI and prevent those who do not have access from obtaining access to ePHI.
- Implement procedures to authorize and/or supervise employees who work with ePHI.
- Security Awareness and Training: Provide specific training for web administrators and other relevant personnel on the security policies and procedures concerning the website.
- Security Incident Procedures: Develop and implement procedures to address and respond to security incidents involving your website that result in a breach of ePHI.
- Contingency Plan: Establish (and implement as needed) policies for responding to emergencies or technical failures that affect the website and potentially compromise ePHI.
- Evaluation: Periodically evaluate your website’s security policies and procedures to determine their effectiveness in protecting ePHI.
Physical Safeguards
- Facility Access Controls: Implement policies to limit physical access to facilities while ensuring that properly authorized access is allowed.
- Workstation Use: Specify the proper functions to be performed and the manner in which those functions are to be performed on workstations that access ePHI.
- Workstation Security: Implement physical safeguards for all workstations that access ePHI to restrict access to authorized users.
- Device and Media Controls: Govern the receipt and removal of hardware and electronic media that contain ePHI into and out of a facility, and the movement of these items within the facility.
Technical Safeguards
- Access Control:
- Implement technical policies and procedures that allow only authorized persons to access ePHI on your website.
- Establish (and implement as needed) procedures for obtaining necessary ePHI during an emergency.
- Audit Controls: Implement hardware, software, and/or procedural mechanisms to record and examine activity on your website, especially for actions involving access or changes to ePHI.
- Integrity: Implement policies, procedures, and mechanisms such as digital signatures to ensure that ePHI is not improperly altered or destroyed.
- Person or Entity Authentication: Implement procedures to verify that a person or entity seeking access to ePHI via your website is who they claim to be, using robust authentication methods such as multi-factor authentication.
- Transmission Security: Implement technical security measures on your website, such as encryption, in order to prevent any unauthorized access during the ePHI’s transmission.
The HIPAA Breach Notification Rule
The HIPAA Breach Notification Rule requires covered entities and their business associates to provide notifications following a breach of unsecured protected health information (PHI) or, in the case of covered entities' websites, electronic protected health information (ePHI).
Key aspects of the HIPAA Breach Notification Rule include the following:
What Constitutes a Breach?
A breach is generally defined as an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information. However, there are exceptions where an incident might not be considered a breach:
- When the unauthorized acquisition, access, use, or disclosure of PHI/ePHI is unintentional and is made by a person acting under the authority of the covered entity or business associate.
- If the PHI/ePHI is acquired, accessed, or disclosed in good faith and within the scope of authority.
- Where the covered entity or business associate has a reasonable belief that the unauthorized person to whom the disclosure was made would not reasonably have been able to retain the information.
What are the Notification Requirements?
- Notification to Individuals: Covered entities must notify affected individuals without unreasonable delay and in no case later than 60 days after discovering the breach. The notification should include, to the extent possible, a description of the breach, the types of information involved, the steps individuals should take to protect themselves, what the covered entity is doing to investigate and mitigate the harm, and contact procedures for individuals to ask questions.
- Notification to the Secretary of HHS: For breaches involving fewer than 500 individuals, the covered entity must maintain a log and annually report the breaches to HHS. For breaches of 500 or more individuals, the covered entity must notify the Secretary of HHS without unreasonable delay, and in no case later than 60 days from the discovery of the breach.
- Notification to the Media: For breaches that affect 500 or more individuals in a state or jurisdiction, covered entities must provide notice to prominent media outlets serving the state or jurisdiction, within the same 60-day timeframe.
- Notification by Business Associates: If the breach occurs at or by a business associate, the business associate must notify the covered entity of the breach. The covered entity is then responsible for ensuring that individuals, HHS, and potentially the media are notified in accordance with the Breach Notification Rule.
- Notifications for Unsecured PHI: The Breach Notification Rule applies to unsecured PHI/ePHI, which refers to information that is not protected through the use of a technology or methodology specified by the Secretary of HHS that renders PHI/ePHI unusable, unreadable, or indecipherable to unauthorized individuals. Examples include encryption of ePHI and the destruction of paper records of PHI.
What are the Exemptions to the Breach Notification Rule?
There are exemptions to the Breach Notification Rule, such as when a risk assessment determines that there is a low probability that the PHI/ePHI has been compromised. The assessment should consider factors such as the nature and extent of the PHI/ePHI involved, to whom the disclosure was made, whether the PHI/ePHI was actually acquired or viewed, and the extent to which the risk has been mitigated.
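As an added illustration (not part of this page or of Clym's product), the following Python helper turns the thresholds and deadlines described above into a notification checklist for an incident: it applies the unsecured-PHI scope, the low-probability-of-compromise exemption, the 60-day individual and HHS deadlines, the 500-individual threshold for immediate HHS and media notice, and the business associate's duty to notify the covered entity. The incident figures are constructed sample data.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Figures taken from the Breach Notification Rule summary on this page.
NOTIFICATION_DEADLINE_DAYS = 60   # "in no case later than 60 days" after discovery
LARGE_BREACH_THRESHOLD = 500      # 500 or more individuals: HHS within 60 days, plus media


@dataclass
class Breach:
    discovered: date
    affected_by_jurisdiction: dict[str, int]   # affected individuals, keyed by state/jurisdiction
    phi_secured: bool                           # PHI encrypted or destroyed per HHS guidance
    low_probability_of_compromise: bool         # outcome of the four-factor risk assessment
    at_business_associate: bool = False


@dataclass
class Notification:
    recipient: str
    deadline: Optional[date]    # None where the Rule sets no fixed calendar deadline
    note: str


def required_notifications(b: Breach) -> list[Notification]:
    """Return the notifications the Rule requires for this breach, with deadlines."""
    # The Rule covers *unsecured* PHI only: encrypted or destroyed data is out of scope.
    if b.phi_secured:
        return []
    # Exemption: a documented risk assessment found a low probability of compromise.
    if b.low_probability_of_compromise:
        return [Notification("none (document risk assessment)", None,
                             "low probability of compromise; keep the four-factor assessment on file")]

    deadline = b.discovered + timedelta(days=NOTIFICATION_DEADLINE_DAYS)
    total = sum(b.affected_by_jurisdiction.values())
    out: list[Notification] = []

    # A business associate reports to the covered entity, which then handles the rest.
    if b.at_business_associate:
        out.append(Notification("covered entity (from business associate)", None,
                                "business associate must notify the covered entity of the breach"))

    out.append(Notification("affected individuals", deadline,
                            "without unreasonable delay, no later than 60 days after discovery"))

    if total >= LARGE_BREACH_THRESHOLD:
        out.append(Notification("Secretary of HHS", deadline,
                                f"{total} individuals: notify HHS within 60 days of discovery"))
    else:
        out.append(Notification("Secretary of HHS", None,
                                f"{total} individuals: log the breach and report annually"))

    # Media notice is assessed per state or jurisdiction, not on the overall total.
    for jurisdiction, count in sorted(b.affected_by_jurisdiction.items()):
        if count >= LARGE_BREACH_THRESHOLD:
            out.append(Notification(f"prominent media outlets serving {jurisdiction}", deadline,
                                    f"{count} individuals in {jurisdiction}"))
    return out


def plan_notifications(discovered_iso: str, affected_by_jurisdiction: dict[str, int],
                       phi_secured: bool, low_probability_of_compromise: bool,
                       at_business_associate: bool = False) -> list[Notification]:
    """Convenience wrapper taking the discovery date as an ISO string (YYYY-MM-DD)."""
    return required_notifications(Breach(date.fromisoformat(discovered_iso), affected_by_jurisdiction,
                                         phi_secured, low_probability_of_compromise, at_business_associate))


def overdue(notifications: list[Notification], today_iso: str) -> list[str]:
    """Recipients whose fixed deadline has already passed as of the given date."""
    today = date.fromisoformat(today_iso)
    return [n.recipient for n in notifications if n.deadline is not None and today > n.deadline]


if __name__ == "__main__":
    # Constructed sample incident: a web form exposed unencrypted ePHI, discovered 1 March 2024.
    plan = plan_notifications("2024-03-01", {"CA": 620, "NV": 40}, phi_secured=False,
                              low_probability_of_compromise=False, at_business_associate=True)
    for n in plan:
        print(f"{n.recipient:48} {n.deadline or 'no fixed date'}  {n.note}")
    print("overdue on 2024-05-15:", overdue(plan, "2024-05-15"))
```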
What are the consumer rights under HIPAA?
HIPAA provides several important rights to consumers concerning their health information, ensuring they have significant control over their personal health data. These rights are primarily articulated through the HIPAA Privacy Rule and are as follows:
- Right to Access
- Right to Correct
- Right to an Accounting of Disclosures: Individuals have the right to receive a detailed account of certain disclosures of their PHI.
- Right to Request Restrictions: Consumers have the right to request a restriction on certain uses or disclosures of their health information, including disclosures to family members or others involved in their care or payment for their care. However, covered entities are not required to agree to these restrictions, except in the case of disclosures to a health plan for purposes of payment or healthcare operations when the item or service has been paid out of pocket in full.
- Right to Request Confidential Communications of Protected Health Information: Consumers can request, and covered entities must accommodate reasonable requests, to receive communications of health information by alternative means or at alternative locations. For example, a patient can ask to be contacted at a different mailing address or by email.
- Right to a Notice of Privacy Practices: Covered entities are required to provide individuals with a notice that explains how the entity may use and share their health information and describes the privacy rights of the individuals. Consumers have the right to receive this notice and should be prompted to review it.
- Right to File a Complaint: If consumers believe their privacy rights have been violated, they have the right to file a complaint with the healthcare provider or insurer and the U.S. Department of Health and Human Services Office for Civil Rights.
How to respond to consumer requests under HIPAA?
When consumers exercise their rights under HIPAA, covered entities have a series of obligations about replying to these requests, which vary depending on the type of request, as follows:
- Right to Access Health Information: Covered entities must allow individuals to inspect or obtain copies of their health information, typically within 30 days of the request. An extension of up to 30 additional days is allowed if the covered entity provides a written explanation for the delay and the date by which the records will be provided. Entities may charge a reasonable, cost-based fee for producing the copies, which may include the cost of supplies for creating the copy, labor for copying the PHI, and postage if the individual requests the copy be mailed.
- Right to Request Amendments: Covered entities must consider requests for amendments to health records. If they accept the request, they must make the appropriate amendments. If they deny the request, they must provide a written denial that explains the basis for the denial, informs the individual of the right to submit a written statement of disagreement, and provides information on how the individual can file a complaint. This process must typically be completed within 60 days of the request, with one possible 30-day extension if the entity notifies the individual in writing of the reasons for the delay.
- Right to an Accounting of Disclosures: Covered entities must provide an accounting of disclosures of the individual’s PHI that occurred in the past six years, excluding disclosures for treatment, payment, and healthcare operations. The accounting must include the date of each disclosure, the recipient of the disclosed PHI, a brief description of the PHI disclosed, and the purpose of the disclosure. This information must be provided within 60 days of the request, with one possible 30-day extension for good cause shown.
- Right to Request Restrictions: While covered entities are not required to agree to restrictions on the use or disclosure of PHI for treatment, payment, or healthcare operations, they must agree to restrictions on disclosures to a health plan when the individual has paid out of pocket in full for the healthcare item or service. If the covered entity agrees to the restriction, they must abide by it unless the information is needed to provide emergency treatment.
- Right to Request Confidential Communications: Covered entities must accommodate reasonable requests to receive communications of PHI by alternative means or at alternative locations. The individual does not need to provide a reason for the request, but must specify how or where they wish to be contacted.
- Notice of Privacy Practices: Covered entities are required to provide individuals with a notice of their privacy practices at the first service encounter and upon request thereafter. The notice must be posted in a clear and prominent location where it is reasonable to expect individuals seeking service from the covered entity to be able to read the notice.
HIPAA enforcement and penalties
The U.S. Department of Health and Human Services (HHS) enforces HIPAA compliance through its Office for Civil Rights (OCR). Penalties for non-compliance can be severe, ranging from monetary fines to criminal prosecution. The fines vary based on the nature of the violation and the level of negligence involved. HIPAA penalty tiers are structured to reflect the perceived culpability of the covered entity or business associate involved in the violation.
HIPAA Violation Penalty Tiers
Financial penalties for HIPAA violations can be grouped in the following tiers:
Tier 1: The covered entity or business associate was unaware (and by exercising reasonable diligence would not have known) that it violated HIPAA.
Penalty: $100 to $50,000 per violation, with an annual maximum of $25,000 for repeat violations of the same provision.
Tier 2: The violation had a reasonable cause and was not due to willful neglect.
Penalty: $1,000 to $50,000 per violation, with an annual maximum of $100,000 for repeat violations of the same provision.
Tier 3: The violation was due to willful neglect but was corrected within the required time period.
Penalty: $10,000 to $50,000 per violation, with an annual maximum of $250,000 for repeat violations of the same provision.
Tier 4: The violation was due to willful neglect and was not corrected.
Penalty: $50,000 per violation, with an annual maximum of $1.5 million for repeat violations of the same provision.
Criminal penalties for HIPAA violations are divided into three tiers:
Tier 1: same as above, the covered entity or business associate was unaware of the violation.
Penalty: up to 1 year imprisonment.
Tier 2: using false pretense to obtain PHI.
Penalty: up to 5 years imprisonment.
Tier 3: for violations committed with the malicious intent “to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm.”
Penalty: up to 10 years imprisonment.
Data Subject Rights - GDPR vs. HIPAA
GDPR
- Right to access data
- Right to correct inaccurate data
- Right to the portability of data
- Right to delete personal information
- Right to information about how entities are sharing your data
- Right to restrict processing
- Right to object to processing
- Right to object to automated processing
HIPAA
- Right to access
- Right to correct
- Right to an accounting of disclosures
- Right to request restrictions
- Right to request confidential communications of protected health information
- Right to a Notice of Privacy Practices
- Right to file a complaint
How can Clym help?
Clym offers covered entities a comprehensive solution for managing HIPAA compliance effectively on their websites, with features that help you manage your patients’ privacy and offer accessibility in accordance with global regulations, including HIPAA. Because your website collects the protected health information of patients, you are required to have in place security measures. Here’s how Clym can assist with that:
- Cookie Consent Banner: inform your website visitors about the use of cookies and other online tracking technologies and obtain their informed consent for this. Our tool automatically identifies and categorizes cookies, allowing your website visitors to adjust their preferences at any time, providing a clear and compliant way to manage consent.
- Consumer Requests: give patients and visitors a simple way to request access, amendment, or deletion of PHI. Our compliance tool provides an automated workflow that ensures that these requests are managed promptly and effectively, maintaining compliance with HIPAA’s timelines and procedural requirements.
- Privacy Policy Management: Clym offers you a way to add, update, and manage your organization’s privacy policies that align with HIPAA’s standards, so you can clearly communicate all necessary information to patients, including how their PHI is used, disclosed, and protected. This way you show transparency and your compliance with HIPAA’s extensive documentation requirements is facilitated.
FAQs about the Health Insurance Portability and Accountability Act (HIPAA)
What type of personal information is covered by HIPAA?
HIPAA protects any health-related information that can identify an individual, whether it's stored electronically, on paper, or spoken.
What does HIPAA exempt?
HIPAA does not protect education and employment records, de-identified information, or data about individuals who have been deceased for more than 50 years.
What data rights does HIPAA provide to patients?
Consumers have the following rights under HIPAA:
- Right to access
- Right to correct
- Right to an accounting of disclosures
- Right to request restrictions
- Right to request confidential communications of protected health information
- Right to a Notice of Privacy Practices
- Right to file a complaint
Who enforces HIPAA?
The U.S. Department of Health and Human Services (HHS) enforces HIPAA compliance through its Office for Civil Rights (OCR).
What are the penalties for violations of HIPAA?
HIPAA violations are categorized into four financial penalty tiers based on the severity of the violation and the entity's awareness of it, with per-violation fines from $100 to $50,000 and annual maximums for repeat offenses ranging from $25,000 to $1.5 million. Additionally, criminal penalties are structured into three tiers, with potential imprisonment ranging from one to ten years, depending on the intent and nature of the violation.