ACUA C&U Journal, Fall 2013 - HIPAA Breach Violations Now Come with Harsher Penalties


HIPAA Breach Violations Now Come with Harsher Penalties

By Sam Khan, Deputy Editor

Internal auditors can play a key role in ensuring that universities comply with the new Health Insurance Portability and Accountability Act (HIPAA) rules. For those universities that handle protected health information (PHI), the cost of noncompliance now comes with harsher penalties.

With the most recent modifications to the HIPAA rules in effect, also known as the final omnibus rule, the government’s enforcement capabilities have been strengthened by allowing for more severe penalties around breaches of unsecured PHI. The final omnibus rule was issued in January 2013; however, enforcement did not begin until Sept. 23, 2013.

Leon Rodriguez, director of the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), stated in a press release, “The final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented.” He added that the changes “not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a healthcare provider or one of their business associates.”

The final rule extends many of the requirements to business associates of entities that receive PHI, such as contractors and subcontractors. With business associates now directly accountable for complying with the HIPAA Security Rule, Rodriguez expects that the money collected for HIPAA violations will increase significantly. Some of the largest breaches reported to HHS have involved business associates.

For many years HIPAA’s enforcement capability was considered weak, which resulted in few enforcement actions. It was not until 2006 that HHS issued the enforcement rule, which established civil monetary penalties for violating HIPAA rules and procedures. The rule also set parameters for investigations and hearings for HIPAA violations. Later, in 2009, HHS implemented a section of the Health Information Technology for Economic and Clinical Health (HITECH) Act that required HIPAA covered entities and their business associates to provide notification following a breach of unsecured PHI.

ABOUT THE AUTHOR

Sam Khan is the Deputy Editor of College & University Auditor. He works for the Oregon University System as a staff auditor. He has a Bachelor of Science Degree in Journalism from the University of Oregon and a Post-Baccalaureate Accounting Certificate from Oregon State University. He recently passed the Certified Information Systems Auditor exam. He can be reached at sam_khan@ous.edu

Under the original enforcement rule, the maximum penalty was $100 per violation, with an aggregate cap of $25,000 per calendar year for violations of an identical provision. To date, using this structure, HHS has collected $15.3 million in HIPAA penalties and settlements. The final rule adopts the tiered penalty structure introduced by the HITECH Act, with higher civil penalties. Penalties for noncompliance are based on the level of culpability, with a maximum of $1.5 million per calendar year for all violations of an identical provision. Penalties per violation range from:

• $100 to $50,000 – when the covered entity or business associate did not know of the violation and would not have known of it by exercising reasonable due diligence.
• $1,000 to $50,000 – when the violation is due to reasonable cause and not to willful neglect.
• $10,000 to $50,000 – when the violation is due to willful neglect but is corrected within 30 days of discovery.

