- HHS is taking a fresh look at financial penalties for some HIPAA privacy violations. A new legal interpretation published late Friday by the agency's Office for Civil Rights would slash fines from an annual $1.5 million in each category of violations to a tiered system, with annual fine limits based on an organization's "level of culpability," according to the notice of enforcement discretion.
- The Office of Civil Rights traditionally collects $1.5 million for HIPAA violations regardless of the actual offense, which can run the gamut from accidental disclosure of a patient's personal health information to theft of patient records.
- Essentially, businesses that try to meet HIPAA requirements will be fined less than those found to be willfully out of compliance.
The HITECH Act, passed in 2009, outlines four categories of violations based on severity: if an entity was unaware of the violation; the violation was due to reasonable cause and not neglect; the violation was due to neglect but the entity fixed it and; if the violation was due to neglect and not corrected in a timely manner.
Financial penalties for each offense cannot exceed $25,000, $100,000, $250,000 and $1.5 million per entity, respectively. In an effort to strengthen enforcement, HHS in a 2013 rule said the "most logical reading" of HITECH is to apply the highest annual cap of $1.5 million, regardless of violation severity.
But HHS now has decided the penalty scheme included "inconsistent language" and could spur confusion. The new interpretation of the structure sets a $25,000 cap on fines for violations where the individual had no knowledge of wrongdoing, $100,000 for reasonable cause, $250,000 for corrected willful neglect and $1.5 million for uncorrected willful neglect.
Some are concerned the change could make companies less protective of patients' personal health information.
To address industry concerns, HHS pushed back the comment period on two recent interoperability rules by an additional 30 days. The agency also released a HIPAA "Frequently Asked Questions" page to clarify, once organizations share protected health data with a patient's third-party app, they will no longer be liable under HIPAA for what happens afterward — a commonly cited liability concern in the health IT community.
OCR, which has an annual budget of $39 million, collected a record $28.7 million in penalties last year, surpassing a record of $23.5 million set in 2016. In one notable case, Anthem doled out $16 million to pay the largest HIPAA fine ever collected to settle the largest health data breach in history, with almost 79 million individuals' data exposed.
HHS expects to issue future rulemaking to revise the penalty tiers to better reflect HITECH's intent, the department said.