Privacy is a big topic these days, especially when technology like the internet has made life easier for doctors and patients by streamlining medical care experiences. The problem with making areas of our lives more connected is that there are more ways that sensitive information can get out, creating a big privacy concern for patients who want to keep their private information private. HIPAA regulations were created to make sure that your sensitive data is protected. This blog is a look at how these laws have changed since the creation of the act in 1996. [i]

Increased Penalties

Changes in the penalties occurred as a result of the Federal Civil Penalties Inflation Adjustment Improvements Act of 2015.[ii] This law required that new penalties go into effect by August 1, 2016. Although the increased amounts are only a slight bump, most investigations result in several findings, which is why the fines often reach into the millions of dollars. Here is a look at how the penalties were increased:

  • Unknowingly Violating HIPAA

The minimum fine was increased to $110 from $100 per violation. The maximum fine was increased to $55,010 from $50,000 per violation.

  • Reasonable Cause

The minimum fine for reasonable cause but not willful neglect went from $10,000 to $11,002. The maximum fine was increased from $50,000 to $55,010.

  • Willful Neglect that Wasn’t Corrected within 30 Days

The minimum fine of $50,000 was increased to $55,010. Its maximum fine increased from $1,500,000 to $1,650,300.

More Frequent Investigations

The Office for Civil Rights (OCR) began a series of compliance audits in 2011 to see how well healthcare organizations were complying with the HIPAA Privacy and Security rules. The first pilot round of these audits was completed in 2012. These showed that there was a lot of leniency in these rules, something that OCR officials wanted to be remedied in the future.

To sum up the process, once a violation complaint is filed with the OCR and an investigation occurs, the defendant is notified of any violations. As long as there was no willful neglect which caused the violations, the organization under investigation is then given 30 days to remedy the situation.

Additionally, audits are now in effect (different from the investigations mentioned above) to ensure that covered entities are in compliance with all HIPAA rules. Typically, the OCR will send out notifications to an organization prior to an audit, and businesses are selected based on questionnaires sent out. If there are any compliance issues, the OCR will start a compliance review to take a closer look at the issue and decide on the next steps.

Better Defined Regulations

In the beginning, the HIPAA regulations were surprisingly vague, which was fixed with the addition of the HIPAA Omnibus Rule and the Health Information Technology for Economic and Clinical Health Act (HITECH). The major changes were that areas previously omitted were now covered by this amendment, fines were increased, and harm thresholds were increased. The Omnibus Rule also modified HIPAA to prohibit disclosures of genetic information for the purpose of underwriting and ensured that ePHI was not to be used for marketing purposes.

Under these new rules, covered entities need to (among other things):

  • Train staff for compliance
  • Update privacy policies
  • Update/issue new Business Associate Agreements
  • Update Privacy Practices notices
  • Perform proper risk assessments
