Who implements and collects fines for HIPAA breaches?


The Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS) has the authority to enforce HIPAA regulations, investigate breaches, and levy fines for non-compliance. Here’s how this process works:


Authority for Implementing and Collecting Fines

  1. Office for Civil Rights (OCR):

    • The OCR is responsible for investigating complaints, conducting compliance reviews, and initiating audits to ensure adherence to HIPAA rules.
    • If violations are identified, the OCR has the authority to impose civil monetary penalties (CMPs) on covered entities and business associates.
    • The OCR collects these fines, which are deposited into the HHS OCR Enforcement Fund to support further enforcement activities and compliance initiatives.
  2. State Attorneys General (for Certain Cases):

    • State Attorneys General are also authorized under the HITECH Act to bring civil actions on behalf of residents who are affected by HIPAA violations.
    • They may seek damages, including fines, and use the funds to support state healthcare privacy initiatives.

Penalty Structure

Fines for HIPAA violations are categorized based on the level of culpability, with penalties escalating for willful neglect or lack of corrective action. The OCR uses the following tiered penalty structure:

  1. Tier 1: Entity was unaware of the violation and could not have reasonably avoided it.

    • Penalty: $100 - $50,000 per violation.
    • Annual maximum: $25,000 per identical provision.
  2. Tier 2: Violation due to reasonable cause but not willful neglect.

    • Penalty: $1,000 - $50,000 per violation.
    • Annual maximum: $100,000 per identical provision.
  3. Tier 3: Violation due to willful neglect, but corrective action was taken within the required time.

    • Penalty: $10,000 - $50,000 per violation.
    • Annual maximum: $250,000 per identical provision.
  4. Tier 4: Violation due to willful neglect, and no corrective action was taken.

    • Penalty: $50,000 per violation.
    • Annual maximum: $1.5 million.


Factors Influencing Penalty Amounts

The OCR considers several factors when determining the penalty amount:

  • Nature and extent of the violation (e.g., number of individuals affected, duration of the violation).
  • The financial condition of the violating entity.
  • Whether the entity demonstrated a good-faith effort to comply or acted in willful neglect.
  • The impact of the breach on individuals, such as harm caused by the unauthorized disclosure of PHI.

Examples of High-Profile Penalties

  1. Anthem, Inc. (2018): Paid a record $16 million settlement after a data breach exposed the ePHI of nearly 79 million individuals.
  2. Fresenius Medical Care (2018): Paid $3.5 million for multiple breaches due to insufficient risk management and lack of encryption.
  3. Cottage Health (2017): Paid $2 million for failing to secure ePHI on their servers, which resulted in patient records being accessible online.

Summary

The OCR has primary authority for implementing fines, collecting penalties, and enforcing HIPAA compliance. The severity of penalties reflects the degree of negligence and the steps taken (or not taken) to mitigate violations. Ensuring compliance is crucial for avoiding these financial and reputational consequences.
