BreachExchange mailing list archives

HIPAA Violation Penalties Rise in Response to Data Breaches


From: Erica Absetz <eabsetz () opensecurityfoundation org>
Date: Sun, 27 Jan 2013 17:40:45 -0500

http://smartdatacollective.com/onlinetech/99671/final-omnibus-rule-raises-hipaa-violation-penalties

In addition to redefining the scope and liabilities of business
associates in the healthcare industry, the final HIPAA omnibus rule
includes revisions to the penalties applied to each HIPAA violation
category. While the American Recovery and Reinvestment Act of 2009
(ARRA) initially established a tiered penalty structure, it hasn’t
been revised until now.

Section 160.404 sets the amount of the civil monetary penalty as
administered under the HITECH (Health Information Technology for
Economic and Clinical Health) Act. The original penalty structure was:

VIOLATION TYPE                  | MIN. PENALTY                                                    | MAX. PENALTY
Did Not Know                    | $100/violation; annual max of $25,000 for repeat violations     | $50,000/violation; annual max of $1.5 million
Reasonable Cause                | $100/violation; annual max of $25,000 for repeat violations     | $50,000/violation; annual max of $1.5 million
Willful Neglect – Corrected     | $10,000/violation; annual max of $250,000 for repeat violations | $50,000/violation; annual max of $1.5 million
Willful Neglect – Not Corrected | $50,000/violation; annual max of $1.5 million                   | $50,000/violation; annual max of $1.5 million

The new penalty structure is as follows:

VIOLATION TYPE                  | EACH VIOLATION    | REPEAT VIOLATIONS/YR
Did Not Know                    | $100 – $50,000    | $1,500,000
Reasonable Cause                | $1,000 – $50,000  | $1,500,000
Willful Neglect – Corrected     | $10,000 – $50,000 | $1,500,000
Willful Neglect – Not Corrected | $50,000           | $1,500,000

A single violation still costs at most $50,000, but repeat violations
within the same year can now carry a fine of up to $1.5 million across
all HIPAA violation categories, up substantially from the $250,000
annual cap that previously applied to the lower tiers. That is a
considerable hike. The new penalty structure aligns with recent data
from the Ponemon Institute, which found that recurring data breaches
are increasing among respondents: 45 percent (up from 29 percent in
2010) reported more than five incidents in the last two years.

The average economic impact of a data breach has also increased by
$400,000 since 2010, to a total of $2.4 million. Beyond federal fines,
investigation and legal costs, business downtime and lost credibility
all contribute to the loss. The increase in HIPAA violation penalties
may be the government's response to the epidemic of repeat breaches
and the rising costs to the healthcare industry.

It's worth noting the changes, especially since HIPAA's standards and
monetary penalties now apply to a wide range of healthcare vendors and
their subcontractors. Even if you didn't know you were violating
HIPAA, you can still be penalized and charged accordingly. If you
support the healthcare industry or handle patient data in any way,
you should be up on the requirements of HIPAA to avoid significant
government fines.

And if you think no one will notice if you're not in compliance,
think again. As Mike Klein wrote in The HIPAA Police Are On Their
Way!, one of the lesser-known requirements of the HITECH Act mandates
periodic and random audits of covered entities and business associates
alike. Previously in a pilot phase, the audit program of the OCR (the
Office for Civil Rights, HIPAA's enforcing agency) will be fully in
force in 2013.

Luckily, while compliance may be neither quicker nor less expensive to
achieve, the new OCR HIPAA Audit Program Protocol makes it somewhat
clearer how the requirements apply to your organization. If you'd like
to be able to confidently pass a surprise audit administered by the
OCR, what better way than to follow the audit guidelines released
publicly by that very agency. View the HHS's Audit Protocol here.

If you want to learn more about the final HIPAA omnibus rule, we're
hosting a timely free webinar on the subject: No More Excuses: HHS
Releases Tough Final HIPAA Privacy and Security Rules, next Thursday,
January 31 at 2 PM ET.

Featuring our guest speaker, Brian Balow of Dickinson Wright Law Firm,
the discussion will cover the modifications, their impact on covered
entities, business associates and subcontractors, and mechanisms for
minimizing the risk of HIPAA liability. Sign up today and submit your
questions in advance. Or, download our HIPAA Compliant Hosting white
paper for a guide to the technical, physical and administrative
security requirements for a compliant environment and hosting
solution.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security equips organizations with security intelligence, risk
management services and on-demand security solutions to establish
customized risk-based programs to address information security and
compliance challenges. 
