The Department of Health and Human Services (HHS) has issued a new interim final rule that adjusts the civil monetary penalty amounts for Health Insurance Portability and Accountability Act (HIPAA) violations.
Doctors, chiropractors, dentists and other covered entities (and their business associates) are required by law to comply with HIPAA, whose main components are the Privacy Rule, the Security Rule, and the Breach Notification Rule. Failure to comply with any requirement in these rules can result in costly fines and/or corrective action. From April 2003 to January 2013, HHS received more than 91,000 complaints about HIPAA violations. About 22,000 of those complaints led to enforcement action.
HIPAA fines can range from as little as $100 per violation to more than $1 million, depending on the nature and severity of the violation and the level of culpability. One of the largest HIPAA penalties to date was the $4.3 million civil monetary penalty imposed on Cignet Health of Maryland for failing to provide patients with copies of their health information when requested, and then failing to cooperate with the Office for Civil Rights (OCR) investigation that followed. Fines this large are rare, but they do occur. And according to the latest interim final rule published by HHS, you can expect even higher fines in the future.
The Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015 requires federal agencies to adjust their civil monetary penalties to keep pace with inflation. Under the new interim final rule, which implements that requirement for HIPAA, covered entities and business associates face penalties roughly 10% higher than before: the penalty tiers are multiplied by 1.10020 (an increase of 10.02%), so the minimum $100 penalty becomes $110 and the $1.5 million annual cap for identical violations of one provision becomes $1,650,300.
The higher amounts apply only to civil monetary penalties, not to criminal penalties, which are set by statute and prosecuted by the Department of Justice. Even so, a 10% increase on penalties that already reach seven figures is significant, and it is something most doctors and healthcare practitioners will want to avoid. The adjusted amounts apply to penalties for violations of the HIPAA rules, including the Privacy Rule and the Security Rule.
Covered entities should use this time as an opportunity to review their HIPAA compliance. Waiting until an audit or a complaint is a recipe for disaster: if OCR identifies a violation, it can now cost your practice roughly 10% more than before. The good news is that most violations are easily avoided through routine internal audits and inspections.
Start by verifying that you have the administrative, physical and technical safeguards in place that the Security Rule requires to protect electronic protected health information (ePHI), and that a documented risk analysis backs them up. Next, review your business associate agreements (BAAs) to confirm that every vendor with access to PHI has a signed agreement and is itself meeting its HIPAA obligations.
So, when does the new interim final rule take effect? The adjusted civil monetary penalties apply to penalties assessed after the rule took effect for HIPAA violations that occurred after November 2, 2015; violations that occurred on or before that date remain subject to the previous amounts.