US healthcare organizations could face lighter fines for data breaches

The US Department of Health and Human Services (HHS) is adjusting the monetary penalties it imposes on healthcare providers found to be in breach of HIPAA data protection law.

HHS will lower the maximum fine given to an organization that fails to protect sensitive patient data without being aware that it is in violation, the Office for Civil Rights (OCR) announced in a filing on Friday.

A business entity that breaches HIPAA (the Health Insurance Portability and Accountability Act of 1996) without knowledge of the rules is now liable for an annual penalty of up to $25,000 – a decrease from the $1.5 million maximum that was originally applied to all violations, regardless of their severity.

The maximum annual penalty for wilful neglect of patient data or healthcare plans remains the same at $1.5 million.

HIPAA was introduced in 1996 and was strengthened by the Health Information Technology for Economic and Clinical Health (HITECH) Act, published in 2013.

The bill made several changes to HIPAA, including increasing the penalties for HIPAA violations.

HHS has now ruled that some of the penalties are inconsistent, and has introduced new rules based on the extent of the violation.

HHS said its initial enforcement penalty scheme was “inconsistent with the HITECH Act’s establishment of different tiers based on culpability, because the outside limits were the same for all culpability categories”.

Essentially, before the move, an organization that had no knowledge of wrongdoing was treated the same as one that wilfully abused data.

The changes, according to HHS, are expected to increase enforcement action and encourage greater HIPAA compliance – a combination of physical and digital safeguards – across organizations.

“I think this was a good move, as it brings the annual limit more in line with the levels of culpability established under HITECH,” Joseph Lazzarotti, attorney at law at Jackson Lewis PC, told The Daily Swig.

“It is hard to say how this will change levels of enforcement. It seems that OCR has been increasing enforcement over the years. One item to note there is that in the ‘Outcome of Breach Compliance Review Investigations’, the rate of ‘Corrective Actions Obtained’ has been increasing while the ‘No Violation’ categories flattened and then decreased.

“From the stats noted above and other information available on the site, the OCR seems to be strengthening its enforcement role.

“This likely is in response to some pressure from privacy advocates over the years and the OIG, which suggested a lack of enforcement by the agency. However, complaints have been increasing.”

The changes also come despite last year’s record-breaking $28 million in data breach settlement fines, up from $19 million in 2017.

Last year, for example, US insurer Anthem paid a fine of more than $16 million for exposing the personally identifiable information of 79 million people – one of the biggest healthcare breaches in American history.

The new penalty rules have been in effect since HHS filed them with the Federal Register last week.