olly - Fotolia

Lower HIPAA violation fines shouldn't translate into lax security

Healthcare organizations will pay less for HIPAA violation fines annually under Health and Human Services' new fines structure, but security should still be top of mind for CIOs.

The maximum annual amount of HIPAA violation fines a healthcare organization has to pay has been drastically reduced. But one healthcare law expert said healthcare CIOs will have to work just as hard to maintain their security measures.

The U.S. Department of Health and Human Services (HHS) decided to reduce the maximum annual penalty for HIPAA violations in three out of the four penalty tiers, making the annual HIPAA violation fines lower for smaller offenses and larger for more severe violations.

While the maximum annual fines are now significantly lower, healthcare law expert David Harlow said healthcare organizations will continue to be reprimanded for security breaches in other ways, such as state and private lawsuits. Plus, the techniques hackers use to infiltrate healthcare systems continue to evolve, so reduced HIPAA violation fines don't mean healthcare CIOs can ease up on maintaining appropriate security measures.

"From a CIO perspective, I might breathe a sigh of relief, 'Thank goodness I'm not going to be fined on the million-dollar level for something that wasn't really my fault,'" Harlow said. "However, it's not a time to rest easy, because threats evolve and there's a continuing necessity to address evolving threats with evolving security and privacy protocols."

A table of HHS' new HIPAA violation fines.
HHS' new HIPAA violation fines have been reduced due to inconsistencies in the HITECH Act's penalty amount language.

HIPAA violation fine changes

For years, a regulated organization that violated the Health Insurance Portability and Accountability Act (HIPAA) could face paying up to $1.5 million annually, even if the organization had a tier one violation and had no knowledge of the security breach that led to patient data exposure. Organizations with a tier four violation, the most severe HIPAA violation, faced a maximum annual HIPAA violation fine of up to $1.5 million as well.

Under the new structure, the maximum annual penalty for a tier one offense is now $25,000, while the maximum annual penalty for a tier four offense remains $1.5 million. The annual fine amount increases gradually in each tier, with $1.5 million being the most an organization could pay in one year for a HIPAA violation.

Harlow said HHS decided to change the structure to HIPAA violation fines due to inconsistencies in penalty amount language within the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, which increased HIPAA violation fines. The agency decided the new structure, released in April, fixed that problem and was a better interpretation of the act.

"In the abstract, it makes sense," Harlow said. "There's a sliding scale where the higher-level fine should be applied only to the most egregious violations."

Large HIPAA violation fines imposed in the past were meant to enact change within the regulated community and send a message. But that hasn't happened yet, Harlow said. In fact, the number of reported healthcare breaches in a single month reached a record high of 44 in April 2019.

Making this sort of announcement essentially lets the regulated community know that most people are off the hook for large fines.
David HarlowHealthcare law expert

Harlow believes the new structure represents an opportunity for individual states to step up to the plate and act in ways they might not have in the past. Both the federal government and state attorneys general have the authority to enforce HIPAA, but most of the time states tend to only make small additions to federal actions, which don't always add much, he said.

Yet Harlow expressed concern about how the new structure limits HHS' ability to determine fines on a case-by-case basis and said he would rather have the regulatory agency retain the flexibility to exercise discretion on an individual case.

"Making this sort of announcement essentially lets the regulated community know that most people are off the hook for large fines," he said.

Healthcare CIOs need to stay focused on security

Facing large HIPAA violation fines for breaches that weren't an organization's fault was one of the biggest complaints from the regulated community under the old structure, Harlow said.

The new structure addresses that complaint, he said, but it's not a time for healthcare CIOs to now "sit back and relax."

Harlow said the threat landscape is constantly evolving and CIOs have to continually improve privacy and security controls, not to mention staff training and testing, to keep up.

Harlow said it's important that healthcare CIOs continue to comply with federal law and overlapping state law to maintain the privacy and security of patient data. Otherwise, a healthcare organization could be subject to state and private lawsuits, as well as federal investigations.

"This is not the only regulator out there and not the only way in which one can be held liable for a breach," Harlow said. "There's a continuing necessity to keep an eye on a lot of different balls."

Dig Deeper on Federal healthcare regulations and compliance

Cloud Computing
Mobile Computing