The HHS Announces Changes to HIPAA Violation Fines – What it Means for Healthcare Organizations
The Department of Health and Human Services (HHS) has announced a dramatic change to HIPAA violation fines. Maximum penalties for the lowest-level HIPAA violations have been reduced drastically – some by over $1 million. But what does this mean for healthcare organizations?
In the event of a HIPAA violation, there are four tiers of culpability under the Health Information Technology for Economic and Clinical Health (HITECH) Act:
- Tier 1: No Knowledge: The organization could not have known about the violation and had made a genuine effort to protect itself beforehand.
- Tier 2: Reasonable Cause: The organization either knew or should have known about the violation after performing due diligence, but it did not occur as a result of willful neglect.
- Tier 3: Willful Neglect – Corrected: Although the violation was caused by negligence, it was promptly corrected.
- Tier 4: Willful Neglect – Not Corrected: Caused by neglectful behavior and action was not taken in a timely manner to correct the problem.
When the HITECH Act was enacted in 2009, the penalties for all four tiers were capped at $1.5 million annually. Under the HHS’ new rules, the maximum annual limits for fines in the first three penalty tiers (No Knowledge through Willful Neglect – Corrected) have been reduced considerably.
“Upon further review of the statute by the HHS Office of the General Counsel, HHS has determined that the better reading of the HITECH Act is to apply annual limits as… $25,000 for no knowledge, $100,000 for reasonable cause, $250,000 for corrected willful neglect, and $1,500,000 for uncorrected willful neglect.” – Roger Severino, Office for Civil Rights (OCR) Director
These changes were introduced after a record-breaking year for HIPAA enforcement: the OCR collected $28.7 million for HIPAA violations in 2018. HHS determined that the new rates provide a “better reading” of the HITECH Act, but the change has raised questions about the motivation behind it. Is the OCR acknowledging due diligence on the part of healthcare organizations? Is it becoming too permissive of HIPAA violations? Or, now that the penalties are lower, will it take more aggressive enforcement action against healthcare organizations?
Finally, what can you do as a security or privacy professional to ensure due diligence and prevent the most expensive violations?
Developing a proactive monitoring program to ensure HIPAA compliance, patient privacy, and security can prevent the costliest penalties. Memorial Healthcare addressed challenges like these after a 2012 breach that led to a record-breaking $5.5 million settlement with HHS, and it bounced back by building a world-class privacy program.
After the breach, the organization identified the areas where it could most significantly improve its privacy and security posture and took immediate action. It appointed a dedicated privacy monitoring team, including a privacy director and IT security personnel. Memorial Healthcare is now recognized as a patient privacy leader with some of the highest patient, employee, and physician satisfaction rates in the industry.
By implementing an active privacy and security program while fostering a culture of compliance, Memorial Healthcare is enacting the due diligence needed to prevent violations caused by willful neglect, in turn avoiding fines of the highest tier.
In order to reflect the HITECH Act as accurately as possible, HHS expects to continue revising these regulations in the future. But for the time being, healthcare organizations will experience considerably reduced fines for HIPAA violations as long as a genuine effort is made to monitor and protect the privacy of patient data.