HHS Lowers Some HIPAA Fines
Experts Weigh In on Potential Impact of the Changes
The Department of Health and Human Services is lowering its top fines for less egregious HIPAA violations. Meanwhile, it's pledging to make a "big push" to enforce patients' right to access their health records.
HHS will keep its revised interpretation of the HITECH Act penalty caps in mind "for all enforcement operations," says Roger Severino, director of the HHS Office for Civil Rights, which enforces HIPAA.
That includes cases involving civil monetary penalties as well as when OCR negotiates HIPAA settlements that include corrective actions "and monies in lieu of civil monetary penalties," he says.
Some regulatory experts fear the reduced penalties could be perceived as a watering down of the agency's overall enforcement stance, which could influence security investments. But others say the changes likely will have limited impact.
The HHS OCR on Friday issued a "notification of enforcement discretion regarding HIPAA civil money penalties" in the Federal Register spelling out a revised structure for maximum annual caps for financial penalties against covered entities and business associates for violations of HIPAA's privacy, security, and breach notification rules.
'A Better Read'
OCR Director Severino, in a briefing with the news media, said the move is based on an effort by HHS to reassess all its rules and regulations. He said the revised penalty limits were "a better read" of what Congress intended in the penalty provisions of the HITECH Act.
The HITECH Act strengthened HIPAA enforcement by increasing civil monetary penalties for HIPAA violations.
OCR will now impose penalties of up to $1.5 million in a calendar year for the most egregious violations of the HIPAA rules - those involving "willful neglect without timely corrections," Severino says. Of course, an organization may be found to have violated several HIPAA provisions, so it could face multiple financial penalties.
Under the previous interpretation of the HITECH Act, OCR had the discretion to levy a penalty of $1.5 million per year for all four tiers of violations, including three less egregious tiers, he notes.
The revised maximum annual penalties for violations of HIPAA provisions are:
- No knowledge - i.e. an entity did not know it was violating a provision - $25,000;
- Reasonable cause, and not willful neglect - $100,000;
- Willful neglect, but with timely correction (within 30 days) - $250,000;
- Willful neglect that is not timely corrected - maximum annual penalty remains at $1.5 million.
Privacy attorney Kirk Nahra of the law firm WilmerHale says the OCR announcement deals with "a confusing part" of the existing HITECH rules and its tiered penalties.
"It is an interesting move," he says. "You don't see a lot of agencies moving their [penalty] options down."
OCR's biggest HIPAA financial penalty so far was a $16 million resolution agreement last year with health insurer Anthem Inc. in the wake of a cyberattack revealed in 2015, which impacted nearly 79 million individuals.
In the agreement, the agency noted that the insurer settled multiple potential violations of the HIPAA privacy and security rules, and it said the insurer failed to take several basic security steps, including conducting an enterprisewide security risk analysis.
OCR plans to follow up on its notice of enforcement discretion by issuing proposed rulemaking on the revised penalty scheme, Severino said. But he provided no timeline on when rulemaking would happen. Meanwhile, the new penalty structure will immediately go into effect.
About 40 percent of the HIPAA cases that OCR has settled or that involved an administrative law judge approving civil monetary penalties have involved at least one count of willful neglect without timely correction, Severino says.
When asked whether OCR's revised penalty tiers were related to a lawsuit filed against HHS earlier this month in federal court by the University of Texas MD Anderson Cancer Center, arguing that a $4.3 million HIPAA penalty levied against it last year was unlawful, Severino noted only that the case is "under litigation" and that HHS had not yet filed a response to the MD Anderson legal complaint.
When asked what impact the new penalty structure might have on OCR's HIPAA enforcement collections - which also fund the agency's other enforcement activities - Severino said OCR has "no numerical goals for collections."
Overall, the agency would like to see its collections drop due to an improved "culture of compliance" by covered entities and business associates "so that enforcement is less necessary," he says.
In 2018, OCR tallied $28.6 million in HIPAA enforcement settlements and civil monetary penalties, Severino noted.
Regulatory experts offered mixed reactions to the changes in the HIPAA violation penalty limits.
"OCR always has had latitude in assessing penalties and, especially, settlements," says Kate Borten, president of privacy and security consulting firm The Marblehead Group. "I see no reason to lower the caps. In fact, I fear this change signals to some organizations that they needn't be too concerned about HIPAA violations."
Jon Moore, senior vice president and chief risk officer at security consulting firm Clearwater Compliance, notes that there had been uncertainty for some time as to whether OCR's previous interpretation of the statute was appropriate with regard to the $1.5 million annual limit for all four levels of HIPAA violations.
"By reducing the maximum penalty in cases where a covered entity or a business associate was not aware of a violation, took reasonable care, or corrected a violation, OCR is indicating that it views those who are making serious efforts to comply with the regulations in a much better light," he says.
"This interpretation better aligns with OCR's stated desire to focus on making sure patient information is protected rather than punishing HIPAA violations."
Moore questions, however, whether OCR might assign more HIPAA violation cases to the most egregious category with the highest potential penalties.
Privacy attorney David Holtzman of the security consultancy CynergisTek says there will be "minimal impact" on the healthcare industry from OCR adjusting the penalty amounts.
"My experience is that most covered entities and business associates make good faith efforts to comply with the HIPAA standards," he says. "They take action when they are aware of a gap in their privacy practices or safeguards to protect against threats to PHI. The amount of the penalty that could be applied based on their culpability in a violation of the HIPAA standards does not enter into their calculations of how they manage their PHI."
It's unclear whether OCR's decision on maximum penalties will result in it collecting less money related to HIPAA enforcement activities.
"HHS OCR has exercised enforcement discretion in the past with regard to which violations it includes in settlement agreements and civil money penalty cases," says privacy attorney Iliana Peters of the law firm Polsinelli. "Moving forward, if the amounts for each violation are less, it is conceivable that OCR will simply include more potential violations."
Peters notes that OCR indicated in this year's budget request that it "needed fewer appropriated funds for the HIPAA enforcement program, given its enforcement recoveries."
She adds: "If OCR collects fewer of those recoveries in the future, will that affect its ability to enforce HIPAA, including with regard to enforcement priorities like individuals' access to their own information? And will that affect individuals who would otherwise recover part of such settlements or fines as provided by the HITECH Act?"
Right to Access
OCR's current HIPAA enforcement activity is heavily focused on cases involving patients' rights to access their protected health information in their designated record sets, as spelled out by HIPAA, Severino says. OCR is pursuing those cases "vigorously this year," he adds.
That includes cases in which entities overcharge for records access or give patients "the run-around," he says. OCR has seen "a significant amount of ignorance and flouting of regulations" related to providing patients with access to their health information, he says.
Giving patients access to their health information, as required under HIPAA, can prove challenging, some regulatory experts say.
"Patient exercise of their privacy rights continues to be a problem. While most organizations have adopted formal policies, their implementation frequently falls far short," Borten says.
"The result is confusion and obstacles for patients. For example, putting the burden on patients to seek record copies from multiple sources within a single healthcare system is contrary to privacy principles and good practices."
Holtzman says he's seeing more complaints about individuals being blocked from receiving access to their PHI in electronic format or prevented from directing the covered entity to share their information with third parties, such as personal health records apps.
Those complaints include reports of unreasonable fees being charged for patients to get access to PHI.
"In most instances, I suspect that the root cause is that the management of the organization's electronic health record does not prioritize allowing patients the ability to access or control their PHI as well as challenges integrating all information about the individual into a central, retrievable record system," says Holtzman, a former OCR official.