Are reduced HIPAA fines on the way?
In 2019 we wrote an OCR letter that discussed the possible reduction of HIPAA fines. We were all for it; read about it here: OCR Caps HIPAA Fines.
It looks like OCR is ready to change the annual fine structure. The new caps would be as follows:
- Tier 1 (no knowledge of violation): $100 to $50,000 per violation; capped at $25,000 per year
- Tier 2 (reasonable cause): $1,000 to $50,000 per violation; capped at $100,000 per year
- Tier 3 (willful neglect, corrected): $10,000 to $50,000 per violation; capped at $250,000 per year
- Tier 4 (willful neglect, not corrected): $50,000 per violation; capped at $1.5 million per year
Once again, we welcome this change because, as we said before, the costs incurred by the victim of a breach far exceed the OCR penalties, so they really weren't working as a deterrent, and were instead just adding to an already incredibly expensive experience.
We hope readers do not take this to mean that the pressure to comply with HIPAA, or to take their cybersecurity investment seriously, is off. We are in an epidemic of breaches caused by sophisticated attackers, novices, internal mistakes, and procedural failures. The penalty was never going to be your most costly component.
Additionally, NIST has just issued a revision of 800-66 that updates best practices for meeting the Security Rule requirements under HIPAA. Basically, while the penalty caps may be reduced, the expectations have increased, and therefore so has the likelihood of being penalized by OCR.
Do not let your guard down. Every healthcare facility in the US is a target, and you must stay vigilant. Recurrent training, reviewing procedures, regular assessments, and network vulnerability tests should be in place. If you need assistance with any of this, we can help.