HIPAA Omnibus Rule Increase Breach Penalties

Financial sanctions for healthcare organizations found in breach of HIPAA regulations are to be raised substantially as part of the HIPAA Omnibus Rule, which will also be applied to business associates and their subcontractors.

The original fine structure was introduced by the American Recovery and Reinvestment Act of 2009 (ARRA), although no additional increases have been made in the intervening four years.

The new tiered financial sanctions have been brought in along with the Health Information Technology for Economic and Clinical Health Act (HITECH) and increases the maximum penalties for each non-compliance offense, in addition to increasing the maximum fine for repeat violations.

Healthcare organizations committing a one-time violation will still get a maximum penalty of $50,000; however repeat violations can now see further fines of up to $1.5 million issued, with the maximum penalty now applying to all HIPAA breach categories.

While willful neglect has a $50,000 penalty for each breach, a lack of knowledge of HIPAA and its subsequent changes is not a sufficient defense. HIPAA-covered bodies and their business associates who claim a lack of understanding of the rules and regulations will not avoid a financial penalty if a violation is found. Each violation that happens outside the knowledge of the organization in question can see a maximum fine applied of $50,000 per offense.

The Department for Health and Human Services wants to admonish repeat offenders who do not address security and privacy issues. Data from the Ponemon Institute suggests that repeat offenses are on the rise, with the number of organizations having experienced more than five incidents in the past two years having risen by 16 percent since 2010.

Healthcare organizations – as well as their business clients – which operate in the belief that HIPAA procedures and policies will not be checked or audited could be in for a nasty surprise. HIPAA is going to be strictly policed by the OCR over thenext few months, and there will be periodic, random audits to assess HIPAA compliance as allowed under the HITECH Act. If selected for audit, healthcare organizations will face stiff penalties for each and every breach.

The best way to make sure that your organization will pass an audit is to complete a full risk analysis and to take all proper actions to ensure PHI is properly secured. Guidance on the upcoming audits has been provided by the OCR and can be viewed on the HHS website.