HIPAA Survival Guide May 2019 Newsletter

Announcement!

New Product: Stuck on Stupid: How to Eliminate 95% of HIPAA Liability while being less than Thirty Percent (30%) Compliant - only $29.95.

Description: Due to overwhelming demand, this pre-recorded live webinar can now be purchased. This webinar focuses on providing the C-Suite and compliance officers with a strategy for eliminating a significant part of HIPAA liability despite the fact that your organization may be less than 30% compliant.

To purchase this webinar, click here. Because we believe that no one will be disappointed, we are giving away a FREE complimentary copy of our HIPAA Handbook, a $179.00 value, as a bonus.

 

Lessons in Knowledge Management

Title: Breach Notification Wizard: Lessons in Knowledge Management!

Description: This webinar focuses on providing stakeholders with an example of how tacit knowledge is transferred into explicit knowledge, using a review of our upcoming Breach Notification Wizard release, soon to be incorporated into Expresso, The Risk Assessment Express.

Date:  May 23, 2019

Time:  2:00 - 3:30 p.m. EST

Register here for the FREE May Webinar

Please note that some attendees have experienced difficulty in obtaining their Certificate of Attendance due to the requirement for Adobe Flash Plug-In. If you experience difficulty, please forward the email with the link to dleyva@3lionspublishing.com and your Certificate will be mailed back.

HHS' Reduction in Enforcement Penalties

Introduction

HHS' recent announcement of a reduction in penalties for HIPAA non-compliance is much ado about nothing. In part, this is true because HHS has stopped enforcing HIPAA in any meaningful way other than when a Breach is reported. Once you have a Breach, the costs of notification will likely exceed the civil monetary penalty ("CMP") that OCR imposes based on whatever violations it finds. So, Breach Notification remains the 800-pound enforcement gorilla and, for all intents and purposes, the real non-compliance liability that covered entities and business associates have to worry about. Further, as discussed below, the maximum penalties set forth were for "identical violations" and, as far as we can tell, that has not changed.

That Was Then...This is Now

The two tables below describe the changes that HHS promulgated.

Culpability                      Minimum Penalty/Violation  Maximum Penalty/Violation  Annual Limit
No Knowledge                     $100                       $50,000                    $1,500,000
Reasonable Cause                 $1,000                     $50,000                    $1,500,000
Willful Neglect - Corrected      $10,000                    $50,000                    $1,500,000
Willful Neglect - Not Corrected  $50,000                    $50,000                    $1,500,000

 

What Really Changed?

Well, the obvious answer to this question is that the annual limit changed. However, these annual maximum CMPs were always somewhat opaque and misunderstood because they only applied to "identical violations." For example, even under the "No Knowledge" tier, $25K is not really the maximum; rather, it is the maximum for a single type of identical violation. You could theoretically have dozens of different violations that implicated the "No Knowledge" tier and end up with a CMP greater than $25K. However, the "Maximum Penalty/Violation" now appears to make no sense for the "No Knowledge" tier, in that just one violation would exceed the maximum for the year.

Willful Neglect

From our perspective, given that the only likely way to be "audited" is if you have a significant breach, nothing has changed. Many covered entities and business associates are in "willful neglect" pursuant to one or more of the 161 requirements (i.e., as identified in the original HHS Audit Protocol), and therefore you are still going to have a really bad day when (not if) a Breach occurs.

Conclusion

HHS has managed, yet again, to add more confusion than clarity. This appears to be more a politically motivated decision to give the appearance of "leniency," and therefore less regulatory impact, than an attempt to seriously address an important issue. The tiers have always been confusing; they remain confusing. The more things change, the more they stay the same in HIPAA world.