Businesses that are diligent in meeting HIPAA privacy and security requirements may be fined less than those that willfully neglect and ignore compliance issues. The U.S. Department of Health and Human Services recently implemented a tiered system of fines that puts businesses’ security practices in the spotlight and limits penalties for companies that exercise reasonable care. Annual limits now range from $25,000 to $1.5 million instead of the flat $1.5 million limit in place since 2013. Per-occurrence penalties remain the same. The chart below shows the range of penalties that may be imposed at each level under the 2013 rule and under the 2019 notice.
Note that HHS is required to annually adjust its CMPs for inflation pursuant to the cost-of-living formula set forth in the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015. This chart does not reflect these annual adjustments.
The decrease in penalty limits is welcome news to companies, but it’s still critical for businesses to stay attentive to possible HIPAA risks. Two recent settlement agreements announced by HHS’s Office for Civil Rights (OCR) highlight this concern.
Touchstone Medical Imaging agreed to pay $3 million and adopt a corrective action plan to settle alleged violations of the HIPAA Security and Breach Notification Rules. The settlement stems from a 2014 incident in which Touchstone was told that patients’ protected health information was accessible through one of its servers. Although Touchstone took the server offline, the patient data had already been indexed by search engines and remained on the internet. Touchstone initially denied that any information had been exposed before later admitting that more than 300,000 patients’ data was accessed, including names, birth dates, social security numbers and addresses.
The Office for Civil Rights found that Touchstone failed to investigate the data breach until months after it was first notified. That delay violated the Breach Notification Rule, which requires alerting patients, the media and OCR of security incidents within a set timeframe. OCR also concluded that Touchstone did not conduct an accurate analysis of potential security threats and that the company did not have business associate agreements with its IT support vendor and third-party data center.
In another case, Medical Informatics Engineering, Inc. paid $100,000 after hackers accessed the patient data of 3.5 million people using a stolen user ID and password. As with Touchstone, OCR found that the electronic health records company failed to conduct an accurate risk analysis prior to the breach.
HHS also issued a new Fact Sheet on Direct Liability of Business Associates under HIPAA on May 24. The new fact sheet may be viewed on the HHS website.