Penalties for Data Breaches Increased Under HIPAA Omnibus Rule

Financial penalties for healthcare organizations found in violation of HIPAA regulations are to be increased substantially under the HIPAA Omnibus Rule, which also applies them directly to business associates and their subcontractors. The original tiered fine structure was established by the HITECH Act, enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA), and no further increases were made in the four years that followed.

The new tiered financial penalties have been introduced in line with the Health Information Technology for Economic and Clinical Health Act (HITECH) and increase the maximum penalty for each non-compliance offense, in addition to raising the maximum annual penalty for multiple violations of the same provision.

Healthcare organizations committing a single violation will still receive a maximum penalty of $50,000; however, multiple violations of the same provision within a calendar year can now attract fines of up to $1.5 million, with that $1.5 million annual cap now applying to all HIPAA violation categories rather than only the most serious tier.

While uncorrected willful neglect carries a penalty of at least $50,000 for each violation, a lack of knowledge of HIPAA and its subsequent amendments is not a sufficient defense either. HIPAA-covered entities and their business associates who claim not to have understood the rules and regulations will not escape a financial penalty if a violation is discovered: each violation the organization did not know about, and could not reasonably have known about, can still draw a fine of up to $50,000 per offense.

The Department of Health and Human Services (HHS) wishes to punish repeat offenders who fail to address security and privacy issues. Data from the Ponemon Institute suggests that repeat offenses are on the rise, with the number of organizations having suffered more than five incidents in the past two years having increased by 16 percent since 2010.

Healthcare organizations – as well as their business associates – which operate in the belief that HIPAA procedures and policies will never be checked or audited could well be in for a nasty and costly shock. HIPAA is going to be strictly policed by the HHS Office for Civil Rights (OCR) over the coming months, and there will be periodic audits of randomly selected entities to assess HIPAA compliance, as provided for under the HITECH Act. Organizations selected for audit could face penalties for each violation the audit uncovers.

The best way to ensure that your organization will pass a surprise audit is to conduct the full risk analysis the HIPAA Security Rule already requires, document it, and take all appropriate actions to ensure PHI is properly protected. Guidance on the upcoming audits, including the audit protocol, has been provided by the OCR and is available on the HHS website.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.