Changes in the penalties occurred as a result of the Federal Civil Penalties Inflation Adjustment Improvements Act of 2015.[ii] This law required that new penalties go into effect by August 1, 2016. Although the increased amounts are only a slight bump, most investigations result in several findings, which is why the fines often reach millions of dollars. Here is a look at how the penalties were increased:
- Unknowingly Violating HIPAA
The minimum fine was increased to $110 from $100 per violation. The maximum fine was increased to $55,010 from $50,000 per violation.
- Reasonable Cause
The minimum fine for reasonable cause (but not willful neglect) went from $10,000 to $11,002. The maximum was increased from $50,000 to $55,010.
- Willful Neglect that Wasn’t Corrected within 30 Days
The minimum fine of $50,000 was increased to $55,010. Its maximum fine increased from $1,500,000 to $1,650,300.
More Frequent Investigations
To sum up the process: once a violation complaint is filed with the OCR and an investigation occurs, the defendant is notified of any violations. As long as the violations were not caused by willful neglect, the organization under investigation is then given 30 days to remedy the situation.
Additionally, audits are now in effect (different from the investigation mentioned above) to ensure that covered entities are in compliance with all HIPAA rules. Typically, the OCR will send notifications to an organization prior to an audit, and businesses are selected based on questionnaires sent out beforehand. If there are any compliance issues, the OCR will start a compliance review to take a closer look at the issue and determine the next steps.
Better Defined Regulations
In the beginning, the HIPAA regulations were surprisingly vague, which was fixed with the addition of the HIPAA Omnibus Rule and the Health Information Technology for Economic and Clinical Health Act (HITECH). The major changes were that areas previously omitted are now covered by this amendment, fines were increased, and harm thresholds were increased. The Omnibus Rule also modified HIPAA to prohibit disclosures of genetic information for the purpose of underwriting and ensured that ePHI is not to be used for marketing purposes.
Under these new rules, covered entities need to (among other things):
- Train staff for compliance
- Update privacy policies
- Update/issue new Business Associate Agreements
- Update Privacy Practices notices
- Perform proper risk assessments
Co-founder + Ethical Hacker
Micheal has over 13 years of combined experience in Information Security, Information Technology, and Physical Security. He has tackled some of the most daunting certifications in the industry, and his passion for the cyber world is unparalleled, with exposure to virtually every industry. He continues to hone his skills in Incident Response, Penetration Testing, and Consulting. Recognizing the need for change in cyber security, he volunteers to help entrepreneurs, veterans, and recent graduates.