Increased penalties for noncompliance
In the omnibus rule, HHS made official the increased civil monetary penalties, which range from $100 in the "did not know" category to $1.5 million in the "not corrected" category.
The factors that will be considered when determining civil money penalties for non-compliance have expanded significantly, says Rebecca Herold, CISSP, CIPP/US/IT, CISM, CISA, FLMI, partner in Compliance Helper and CEO of The Privacy Professor of Des Moines, IA.
"To date, the factors really only involved the implementation of controls, as required by HIPAA, and any levels of 'willful neglect' involved in the associated situations," Herold says. "So pretty much the sanctions applied were based upon the preventive actions that were in place, or lacking. Now there are significant additional considerations: the impacts of the breach will be considered."
What will HHS review in terms of the extent of breaches in the new omnibus rule?
"I find the consideration of harm to an individual's reputation to be of particular interest, since that has been comparatively hard to prove in past court cases," Herold says. "However, this particularly points to the need to keep patient information off social media sites, since that has been a source of many breaches involving patient information."