HHS to Tier HIPAA Breach Fines Based on Level of Culpability
Late on Friday, March 26, the Department of Health and Human Services (HHS) published a Notice of Enforcement Discretion Regarding HIPAA Civil Monetary Penalties. Essentially, HHS has updated the maximum dollar amount it will penalize health care providers and plans for HIPAA breaches.
The new annual limits for fines are based on the organization's 'level of culpability' associated with the HIPAA violation. Maximum annual fines for the most egregious HIPAA breaches, those involving 'willful neglect' that are not corrected, remain at $1.5 million. But maximum annual penalties for three lower tiers of breaches, which had also been at $1.5 million since 2009, are being reduced significantly.
The updated annual caps for each tier now look like this:
The updated annual caps are effective immediately and indefinitely but will be subject to future rulemaking to amend the regulations, according to the notice.
This means that organizations that have taken measures to meet HIPAA's requirements will face much lower maximum penalties than those found to have been neglectful.
This would be a good time for organizations sponsoring group health plans (or anyone who handles Protected Health Information) to review their current privacy practices and ensure that they are handling the Protected Health Information of their plan participants appropriately.