HHS Notification of Enforcement Discretion Regarding HIPAA Civil Money Penalties
The US Department of Health and Human Services (HHS) recently issued a notice of enforcement discretion regarding HIPAA civil monetary penalties. According to HHS, the new structure of penalties will consider “culpability” and fines will be based on tiers that consider if healthcare organizations have processes in plan to comply with HIPAA requirements and/or if organizations have taken steps to address violations when they occur.
This new enforcement decision underscores the importance of having a comprehensive HIPPA program, not only to secure and protect patient privacy but also to reduce civil penalty liability if a violation occurs.
The intent of HIPAA is to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public's health and well-being. HIPAA attempts to balance important uses of information, while protecting the privacy of people who seek care. HIPAA applies to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with transactions for which the Secretary of HHS has adopted standards under HIPAA.
HHS’s Office of Civil Rights (OCR) recently reported that 2018 was an all-time record year in HIPAA enforcement activity. In 2018, OCR settled 10 cases and secured one judgment, together totaling $28.7 million. This total surpassed the previous record of $23.5 million from 2016 by 22 percent. In addition, OCR also achieved the single largest individual HIPAA settlement in history of $16 million with Anthem, Inc., representing a nearly three-fold increase over the previous record settlement of $5.5 million in 2016.
Included with today’s notice are example HIPAA policies.
Want to read the full alert and receive alert emails?