Health Information Compliance Alert

Civil Monetary Penalties:

Get the Scoop on HIPAA Penalty Adjustments

Warning: HHS’ penalty numbers went into effect on Nov. 15.

If the sting of inflation is hurting your practice budget, we’ve got more bad news. The feds just upped the HIPAA penalty amounts — and the numbers aren’t pretty.

Update: On Nov. 15, the Department of Health and Human Services (HHS) published a final rule in the Federal Register, which adjusts amounts under HIPAA’s four-tiered penalty structure. The rule aligns with provisions previously outlined in a Sept. 6, 2016 interim final rule and also offers the mandated annual update of the amounts as codified in the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015.

Reminder: “In 2019, HHS exercised its discretionary authority and issued guidance that lowered the calendar year maximums that it would enforce to $25,000 for Tier 1 violations, $100,000 for Tier 2 violations, and $250,000 for Tier 3 violations (all subject to indexing for inflation),” explains Atlanta-based attorney Carlton Pilger with law firm Fisher & Phillips LLP in online legal analysis.

The civil monetary penalty (CMP) update does show a higher annual cap amount, but “we expect OCR will continue to exercise its discretion and assess the lower amounts for violations within the first three tiers,” Pilger adds.

Pocket This Handy Penalty Chart

The HHS Office for Civil Rights (OCR) breaks down HIPAA breaches into a four-tier penalty structure. The categories range in severity from the lowest level at Tier 1, no knowledge of the HIPAA breach, to the highest level at Tier 4, a more extreme breach in which the covered entity (CE) or business associate (BA) willfully ignores and refuses to correct the breach. Check out this breakdown of the inflation adjustment to CMPs, which includes the 2020 Calendar Year Cap for comparison:

Data for 45 CFR 160.404 from Table 1 of “Adjustment of Civil Monetary Penalties for Inflation and the Annual Civil Monetary Penalties Inflation Adjustment for 2021” final rule at www.govinfo.gov/content/pkg/FR-2021-11-15/pdf/2021-24672.pdf.

Know These Other HIPAA CMP Changes

The final rule also addresses other HIPAA-related penalties. For example, the penalty for violation of the confidentiality provision of the Patient Safety and Quality Improvement Act (PSQIA), which aims to improve patient safety by encouraging providers to identify and report medical errors, increased from $12,919 in 2020 to $13,072 in 2021.

And even though the fine is small, OCR can still hit providers with CMPs for HIPAA administrative simplification violations that happened before Feb. 18, 2009, the rule suggests. The CMP amount for violations that occurred before that 2009 date jumped from $64 in 2020 to $162 in 2021.

Bottom line: With CMPs increasing, you should focus your 2022 HIPAA compliance planning on risk assessment and management, experts advise. Analyzing your practice risks pre-violation can help you cut costs down the line. Why? It’s a whole lot cheaper to nip your HIPAA risks in the bud before they become major violations that carry significant penalties.

“If an organization does not do a sufficient job of addressing the rules, an incomplete compliance effort, such as ignoring repeated recommendations to reduce risks, can easily be seen as a more culpable situation,” warns Jim Sheldon-Dean, founder and director of compliance services for Lewis Creek Systems, LLC in Charlotte, Vermont. This puts “the entity into a higher penalty bracket, and the distinction[s] between penalty levels may provide a greater opportunity for HHS to reasonably use the ‘willful neglect’ levels of penalty.”

Resource: Find the CMP adjustment rule, which became effective on Nov. 15, at www.govinfo.gov/content/pkg/FR-2021-11-15/pdf/2021-24672.pdf.