The 2013 HIPAA Omnibus Rule made significant changes to the HIPAA penalty structure in §160.404, the section that sets the dollar amounts of civil penalties for HIPAA violations.  HHS now has a much higher ceiling for penalties, even against organizations that did not know they were violating the rules.

Previous Penalty Amounts

Before February 18, 2009, a HIPAA penalty was $100 for each violation, capped at $25,000 per year for violations of the same provision.  From that date on, there have been four categories of violation, each with its own fine.  Penalties were more severe if the organization knew it was violating HIPAA, or if it did not correct an issue once it was pointed out.  The amounts per violation in the four categories were $100, $1,000, $10,000, and $50,000, and the most you could pay in a year for violating the same provision was $25,000, $100,000, $250,000, or $1.5 million, depending on the category.

New HIPAA Penalties

The table below lists the new amounts for HIPAA penalties.

Violation Category                        Each Violation        All Such Violations of an Identical Provision in a Calendar Year
(A) Did Not Know                          $100 - $50,000        $1,500,000
(B) Reasonable Cause                      $1,000 - $50,000      $1,500,000
(C)(i) Willful Neglect - Corrected        $10,000 - $50,000     $1,500,000
(C)(ii) Willful Neglect - Not Corrected   $50,000               $1,500,000

As you can see, each category of violation now carries a range of dollar amounts rather than a single figure.  In every category, a single violation can cost up to $50,000, and the annual maximum in every category is now $1,500,000.  These figures apply to violations of one provision.  If you violate other provisions as well, each of those carries its own per-violation amounts and its own $1,500,000 annual cap, so the totals multiply.

The purpose of HIPAA penalties is not to bankrupt the violator.  HHS wants to reduce violations without impeding access to care, so the size and financial condition of the business are considered when penalties are determined.  A large company is presumed to be more able to comply and is therefore penalized more harshly for violations.  That may be of some comfort to smaller businesses, but at $100 per violation and with a cap this high, it only takes a few thousand leaked records to do serious damage.  This subjectivity also seems to give smaller businesses, and those in a weaker financial position, some leeway in their security posture: “Sorry, we don’t have as much money to spend on security, so we aren’t as liable.”

Business Associates

As discussed in previous articles, business associates of covered entities are now directly liable for certain HIPAA violations.  Any individual or organization that “creates, receives, maintains, or transmits protected health information” on behalf of a covered entity can be exposed to hundreds of thousands or millions of dollars in HIPAA penalties.  If any of your business associates handle protected health information, it is worth assessing how these HIPAA changes affect your risk of being fined.

Summary

The changes to §160.404 raise the ceiling for HIPAA penalties.  Whether you willfully neglected to correct a violation or did not even know that a violation was occurring, you can be fined up to $1,500,000 per provision per year.  The scope of the fines has widened as well, now that business associates of covered entities can be held directly liable for violations and subjected to HIPAA penalties.  Any business that has access to protected health information should assess how it protects that information.