Introduction
HHS' recent announcement of a reduction in penalties for HIPAA non-compliance is much ado about nothing. In part, this is because HHS has stopped enforcing HIPAA in any meaningful way other than when a Breach is reported. Once you have a Breach, the costs of notification will likely exceed whatever civil monetary penalty ("CMP") OCR imposes for the violations it finds. So Breach Notification remains the 800-pound enforcement gorilla and, for all practical purposes, the real non-compliance liability that covered entities and business associates have to worry about. Further, as discussed below, the maximum penalties were always stated for "identical violations," and, as far as we can tell, that has not changed.
That Was Then...This is Now
The two tables below describe the changes that HHS promulgated. The first shows the penalty structure as it stood before the announcement; the second shows the annual limits announced in HHS's April 2019 Notice of Enforcement Discretion. Minimum and maximum figures are per violation.

Before the announcement:

| Culpability | Minimum Penalty/Violation | Maximum Penalty/Violation | Annual Limit |
| --- | --- | --- | --- |
| No Knowledge | $100 | $50,000 | $1,500,000 |
| Reasonable Cause | $1,000 | $50,000 | $1,500,000 |
| Willful Neglect - Corrected | $10,000 | $50,000 | $1,500,000 |
| Willful Neglect - Not Corrected | $50,000 | $50,000 | $1,500,000 |

After the announcement (annual limits per the April 2019 Notice of Enforcement Discretion; per-violation figures unchanged):

| Culpability | Minimum Penalty/Violation | Maximum Penalty/Violation | Annual Limit |
| --- | --- | --- | --- |
| No Knowledge | $100 | $50,000 | $25,000 |
| Reasonable Cause | $1,000 | $50,000 | $100,000 |
| Willful Neglect - Corrected | $10,000 | $50,000 | $250,000 |
| Willful Neglect - Not Corrected | $50,000 | $50,000 | $1,500,000 |
What Really Changed?
Well, the obvious answer is that the annual limit changed. However, the annual maximum CMPs were always somewhat opaque and misunderstood, because they apply only to "identical violations." For example, under the "No Knowledge" tier the annual maximum is not really $25K; that figure is the cap for a single type of identical violation. You could theoretically commit dozens of different violations that fall in the "No Knowledge" tier and end up with a CMP well above $25K. Moreover, the "Maximum Penalty/Violation" column now makes no sense for the "No Knowledge" tier: it remains $50,000, so a single violation assessed at that maximum would by itself exceed the $25,000 limit for the year.
Willful Neglect
From our perspective, given that the only likely way to be "audited" is to have a significant Breach, nothing has changed. Many covered entities and business associates are in "willful neglect" with respect to one or more of the 161 requirements identified in the original HHS Audit Protocol, and they are therefore still going to have a really bad day when (not if) a Breach occurs.
Conclusion
HHS has managed, yet again, to add more confusion than clarity. This appears to be a politically motivated decision intended to give the appearance of "leniency," and therefore of lighter regulatory impact, rather than a serious attempt to address an important issue. The tiers have always been confusing; they remain confusing. The more things change, the more they stay the same in HIPAA world.