In addition to redefining the scope and liabilities of business associates in the healthcare industry, the final HIPAA omnibus rule includes revisions to the penalties applied to each HIPAA violation category. While the American Recovery and Reinvestment Act of 2009 (ARRA) initially established a tiered penalty structure, it hasn’t been revised until now.
In addition to redefining the scope and liabilities of business associates in the healthcare industry, the final HIPAA omnibus rule includes revisions to the penalties applied to each HIPAA violation category. While the American Recovery and Reinvestment Act of 2009 (ARRA) initially established a tiered penalty structure, it hasn’t been revised until now.
Section 160.404 refers to the amount of civil monetary penalty as administered under the HITECH (Health Information Technology for Economic and Clinical Health) Act. The original penalty structure used to be:
| VIOLATION TYPE | MIN. PENALTY | MAX. PENALTY |
| Did Not Know | $100/violation; annual max of $25,000/repeat violations | $50,000/violation; annual max of $1.5 million |
| Reasonable Cause | $100/violation; annual max of $25,000/repeat violations | $50,000/violation; annual max of $1.5 million |
| Willful Neglect – Corrected | $10,000/violation; annual max of $250,000/repeat violations | $50,000/violation; annual max of $1.5 million |
| Willful Neglect – Not Corrected | $50,000/violation; annual max of $1.5 million | $50,000/violation; annual max of $1.5 m |
The new penalty structure is as follows:
| VIOLATION TYPE | EACH VIOLATION | REPEAT VIOLATIONS/YR |
| Did Not Know | $100 – $50,000 | $1,500,000 |
| Reasonable Cause | $1,000 – $50,000 | $1,500,000 |
| Willful Neglect – Corrected | $10,000 – $50,000 | $1,500,000 |
| Willful Neglect – Not Corrected | $50,000 | $1,500,000 |
One-time violations stay under $50k, but repeat violations within the same year can hold a fine of $1.5 million across all HIPAA violation categories, up substantially from the previous $250k minimum. That’s a bit of a hike. The new penalty structure aligns with recent data from the Ponemon Institute that found recurring data breaches are increasing among respondents, with 45 percent (up from 29 percent in 2010) reporting more than five incidents in the last two years.
The average economic impact of a data breach has also increased by $400k to a total of $2.4 million since 2010 – in addition to federal fines, investigation, legal, business downtime and decreased credibility all contribute to the economic loss. The increase in HIPAA violation penalty fines may be the government’s response to the epidemic of repeat breaches and the rising costs to the healthcare industry.
It’s worth noting the changes, especially since HIPAA’s standards and monetary penalties now apply to a wide range of healthcare vendors and their subcontractors. Even if you didn’t know you were violating HIPAA, you can still be penalized and charged accordingly – meaning if you support the healthcare industry or deal with patient data in any way, you should be up on the requirements of HIPAA to avoid significant government fees.
And if you think no one will notice if you’re not in compliance – think again. As Mike Klein wrote in The HIPAA Police Are On Their Way!, one of the lesser known requirements of the HITECH Act mandate periodic and random audits of covered entities and business associates alike. While previously in a testing pilot phase, the OCR (Office for Civil Rights, enforcing entity of HIPAA) audit program will be fully enforced in 2013.
Luckily, while compliance may not be quicker nor less expensive to achieve, it may be somewhat clearer to understand how the requirements apply to your organization, with the new OCR HIPAA Audit Program Protocol. If you’d like to be able to confidently pass a surprise audit administered by the OCR, what better way than to follow audit guidelines released publicly by the very agency. View the HHS’s Audit Protocol here.
If you want to learn more about the final HIPAA omnibus rule, we’re hosting a rather timely webinar on the subject you can join for free – No More Excuses: HHS Releases Tough Final HIPAA Privacy and Security Rules, next Thursday, January 31 at 2 PM ET.
Featuring our guest speaker, Brian Balow of Dickinson Wright Law Firm, the discussion will cover the modifications, their impact on covered entities, business associates and subcontractors, and mechanisms for minimizing the risk of HIPAA liability. Sign up today and submit your questions in advance. Or, download our HIPAA Compliant Hosting white paper for a guide to the technical, physical and administrative security requirements for a compliant environment and hosting solution.