HIPAA Omnibus Rule Increases Breach Penalties

by Patrick Kennedy | Jan 25, 2013

Financial sanctions for healthcare organizations found to have violated HIPAA regulations are being raised substantially under the HIPAA Omnibus Rule, which also extends direct liability to business associates and their subcontractors.

The tiered penalty structure was introduced by the Health Information Technology for Economic and Clinical Health Act (HITECH), enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA), and had not been revised in the four years since.

The Omnibus Rule now finalizes HITECH's tiered financial sanctions in the HIPAA Enforcement Rule, increasing the maximum penalty for each category of non-compliance and raising the annual cap for repeated violations of the same provision.

A single violation still carries a maximum penalty of $50,000; however, repeated violations of the same provision can now attract fines of up to $1.5 million per calendar year, and that $1.5 million cap now applies to every HIPAA violation category, not only the most serious one.

Willful neglect carries the highest per-violation penalty, up to $50,000 for each violation, but a lack of knowledge of HIPAA and its recent changes is not a defense. Covered entities and business associates that claim not to have understood the rules will not avoid a financial penalty if a violation is found: even a violation the organization did not know about, and could not reasonably have known about, can be fined up to $50,000 per violation.

The Department of Health and Human Services wants to penalize repeat offenders who fail to address known security and privacy problems. Data from the Ponemon Institute suggests that repeat offenses are on the rise: the number of organizations reporting more than five incidents in the past two years has risen by 16 percent since 2010.

Healthcare organizations, and their business associates, which operate in the belief that their HIPAA policies and procedures will never be checked or audited could be in for a nasty surprise. HIPAA is going to be strictly policed by the Office for Civil Rights (OCR) over the next few months, and there will be periodic audits of HIPAA compliance, as mandated by the HITECH Act. Organizations selected for audit can expect penalties for each violation the audit uncovers.

The best way to make sure that your organization will pass an audit is to complete a full, documented risk analysis, as the Security Rule requires, and to act on its findings so that protected health information (PHI) is properly secured. Guidance on the upcoming audits has been published by the OCR and can be viewed on the HHS website.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.



Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:
