Final HIPAA Omnibus Rule Increases Monetary Penalties for Violations

Posted by BAS - 14 March, 2013


The Department of Health and Human Services issued the Omnibus Final HIPAA rule on January 17, 2013. This rule significantly increased the civil monetary penalties that can be imposed for a HIPAA breach.

Penalties for a HIPAA breach are now based on the level of culpability behind the breach. There are four tiers:

1. Unknowing. The covered entity or business associate did not know, and reasonably should not have known, of the breach.
2. Reasonable Cause. The covered entity or business associate knew, or should have known, that the act was a breach, but did not act with willful neglect.
3. Willful Neglect, Corrected. The breach resulted from an intentional failure to meet HIPAA obligations or reckless indifference to them, but the breach was corrected within 30 days of discovery.
4. Willful Neglect, Not Corrected. The breach resulted from an intentional failure to meet HIPAA obligations or reckless indifference to them, and the breach was not corrected within 30 days of discovery.

Penalties for each tier are as follows:

1. Unknowing: $100 - $50,000 for each violation;
2. Reasonable Cause: $1,000 - $50,000 for each violation;
3. Willful Neglect, Corrected: $10,000 - $50,000 for each violation;
4. Willful Neglect, Not Corrected: at least $50,000 for each violation.

In each tier, the total civil monetary penalty for violations of the same provision in a calendar year is capped at $1,500,000.

The Department of Health and Human Services will take several factors into account in determining the amount of the penalty. These factors include the nature and extent of the violation, including the number of individuals affected; the nature and extent of the harm resulting from the violation, including whether the breach affected anyone's ability to obtain health care; the history of prior violations, if any; and the financial condition of the covered entity or business associate.

Civil monetary penalties are not the only remedy for violations of HIPAA. Criminal penalties may apply in some circumstances. HHS may resolve issues through informal methods, and may provide technical assistance to violators.

With the Omnibus rule, covered entities are reminded that HIPAA compliance is a required part of sponsoring a group health plan. The large civil monetary penalties encourage compliance with all aspects of HIPAA's privacy and security requirements.
