BLOG POST: The Impact of OCR’s New HIPAA Penalty Limits
Blog Post by Brian Selfridge, ITRM Partner at Meditology Services
A new structure for HIPAA violation Civil Monetary Penalties (CMP) was announced by the OCR on April 26, 2019. This change greatly reduces the financial risk of HIPAA breach violations for covered entities that can demonstrate updated security risk management plans, policies and procedures for sensitive patient data.
Key Changes in HIPAA/HITECH CMP Annual Limits
HHS released an important update that substantially reduces the annual limits for Civil Monetary Penalties (CMPs) for HIPAA violations.
Specifically, the following changes have been enacted for annual limitations for identical violations:
- Tier 1 - No Knowledge - Annual limit reduced from $1.5m to $25,000
- Tier 2 - Reasonable Cause - Annual limit reduced from $1.5m to $100,000
- Tier 3 - Willful Neglect - Corrected - Annual limit reduced from $1.5m to $250,000
- Tier 4 - Willful Neglect - Not Corrected - Annual limit unchanged at $1.5m
Historical Perspective on CMP Annual Penalty Structure
HIPAA was established in 1996, with an annual cap of $25K for all violations of an identical provision. Over the last two decades, the CMP limits have only been changed a few times. This latest change to annual CMP penalties is the first change in a decade.
Here is a timeline:
2009 Annual Limits (HITECH)
2009 Annual Limits (Updated)
The OCR expects to engage in future rulemaking to revise the penalty tiers in the current regulation to better reflect the text of the HITECH Act.
The Impact to Covered Entities
This change means that organizations that maintain robust and well-documented HIPAA compliance and risk management programs may have reduced financial exposure to civil monetary penalties from HHS/OCR. Maintaining appropriate documentation of compliance with key HIPAA Security Rule requirements including Risk Analysis and Risk Management provisions can help Covered Entities to avoid the fourth and highest-level of culpability for “Willful Neglect – Not Corrected”.
Specifically, performing periodic (at least annual) security risk assessments and risk analysis on your organization’s information security policies, procedures and systems is a critical control to identify and prioritize control weaknesses. With proper prioritization and resource allocation, organizations can address these weaknesses and improve the posture of their security program and reduce the likelihood of “willful neglect”.
The use of risk analysis and risk management tools such as risk registers should also be built-in to your business processes. Risk registers provide a method of documenting each identifiable risk event or vulnerability point in the organization, including those with business associates. A regularly updated risk register provides the OCR with evidence a continual risk management program is in place and may help avoid the “not corrected” status associated with the $1.5m annual limit.
The OCR has said recently that its focus will be on auditing organizations that do not report any breaches. Thus, covered entities with the most robust and comprehensive breach detection practices built into their security program will fare well in this new environment. Using the approach of security risk assessment and analysis, risk registers and other risk management tools will help reduce an organization’s financial risk exposure. Read more about these approaches in our blog: Keeping Your Eyes Peeled to the OCR.
We are constantly monitoring changes in HIPAA interpretation and enforcement by the OCR. Our clients can learn about the latest developments from our Thought Leadership blog, webinars, white papers and speaking engagements.