HIPAA Final Rule Raises Fines for Non-Compliance

Increased penalties for noncompliance
HHS made official in the omnibus rule increased civil monetary penalties ranging from $100 in the "did not know" category to $1.5 million in the "not corrected" category.

The factors that will be considered when determining civil money penalties for non-compliance have expanded significantly, says Rebecca Herold, CISSP, CIPP/US/IT, CISM, CISA, FLMI, partner in Compliance Helper and CEO of The Privacy Professor of Des Moines, IA.

"To date, the factors really only involved the implementation of controls, as required by HIPAA, and any levels of 'willful neglect' involved in the associated situations," Herold says. "So pretty much the sanctions applied were based upon the preventive actions that were in place, or lacking. Now there are significant additional considerations: the impacts of the breach will be considered."

What will HHS review in terms of the extent of breaches in the new omnibus rule?

• Number of individuals affected
• Time period during which the violation occurred
• Nature and extent of the harm resulting from the violation, consideration of which may include but is not limited to:
  • Whether the violation caused physical harm
  • Whether the violation resulted in financial harm
  • Whether the violation resulted in harm to an individual's reputation
  • Whether the violation hindered an individual's ability to obtain healthcare

"I find the consideration of harm to an individual's reputation to be of particular interest, since that has been comparatively hard to prove in past court cases," Herold says. "However, this particularly points to the need to keep patient information off social media sites, since that has been a source of many breaches involving patient information."