Editor’s Note: New HIPAA Fines — Soft or Reasonable?
By Lee DeOrio
For The Record
Vol. 31 No. 5 P. 3
Changes to HIPAA policies usually move at a glacial pace. With that in mind, it was a bit surprising when the Office for Civil Rights (OCR) announced recently that the maximum amount of fines organizations may be assessed annually for HIPAA violations was being reduced.
Previously, organizations could be fined up to $1.5 million for all violations. Under the new interpretation of the HITECH Rule, there will be lower annual penalty caps for all but the most severe tier (Willful Neglect—Not Corrected) of HIPAA violations. The annual cap for unwitting offenses has dropped by more than $1.4 million.
As expected, some privacy advocates are concerned about the move. Should they be? Kelly McLendon, RHIA, CHPS, managing partner of CompliancePro Solutions, says, “I think it has always been sort of unspoken that the maximum caps seemed arbitrary and not always fitting the realities of trying to be compliant but sometimes still having situations occur that fall outside the rules.”
When it comes to punishing faceless corporations, most Americans are more than willing to lower the boom. Giving these monoliths a break is not typically part of the public’s DNA—and this certainly qualifies as a “break.”
For example, those found guilty under the least severe tier of No Knowledge are now subject to an annual fine limit of only $25,000. For tier-two violations, the limit is $100,000; for tier three, the limit is $250,000. The tier-four limit remains at $1.5 million. Health and Human Services (HHS) mentions adjusting these figures for inflation.
While some may question the pullback, others believe it’s logical. “I agree that HHS’s new interpretation makes more sense,” says Shannon Hartsfield, JD, a Florida health lawyer focusing on corporate compliance at Holland & Knight. “The old interpretation reflected one way to read the statute, but I think the interpretation reflected in the new ‘Enforcement Discretion’ announcement gives meaning to the penalty tiers in the law.
“It makes sense to have different levels of penalties, depending on culpability. Why should someone who did not know about a violation, and could not have known about it even by reasonable diligence, potentially be penalized at the same level as someone who willfully neglected a compliance obligation?”
With the penalties lessened, the hope is that covered entities (CEs) and business associates (BAs) won’t interpret the move as a sign to back off compliance efforts.
“OCR would be well advised to keep the enforcement pressure up because there are so many CEs and BAs that do not implement HIPAA properly,” McLendon says.
“Unfortunately, some CEs and BAs tend to step up their compliance efforts only when there are big, splashy headlines about government penalties,” Hartsfield notes. “These per-violation penalties can still add up very quickly if an entity is audited or investigated and a number of separate violations are found.”