This past Friday, the Office for Civil Rights (OCR) gave notice in the Federal Register that it is lowering the maximum annual penalty caps for all HIPAA culpability tiers except the highest one, willful neglect that is not corrected within the required period. The new annual caps are $25,000, $100,000, and $250,000 for the three lower tiers, while the $1.5M cap remains for the willful neglect, not corrected tier. There has been uncertainty for some time as to whether OCR’s reading of the HITECH statute was correct in applying the $1.5M annual limit to every culpability level. By reducing the maximum penalty in cases where a covered entity or business associate did not know, and by exercising reasonable diligence would not have known, of a violation; had reasonable cause for the violation; or corrected a willful-neglect violation within the required period, OCR is signaling that it views organizations making serious efforts to comply with the regulations in a much better light. This interpretation better aligns with OCR’s stated desire to focus on ensuring patient information is protected rather than on punishing HIPAA violations.
At the same time, with HITECH now in place for over ten years, we wonder whether OCR will take a more aggressive stance in deciding which tier a violation falls into. Regardless, this change in enforcement discretion will certainly place more focus on how violations are categorized. Whether OCR will issue additional guidance on how such determinations are made, or whether we will gain a better understanding of how the regulations are interpreted as cases end up in court, remains to be seen.
We also wonder whether we will see more, but smaller, civil money penalties (CMPs) and settlements. Right now, only a very small fraction of investigations and compliance reviews actually result in a settlement or CMP. With this change in enforcement discretion, we might see an increase in both the pace and the number of settlements and CMPs. We believe this is likely if OCR, as discussed below, pushes more cases to settlement or CMP, and if organizations are quicker to settle or pay a CMP because the amounts involved are smaller.
Don’t Be Lulled into a False Sense of Security
Lowering the maximum penalty in the lower tiers creates an additional incentive for covered entities and business associates to take action that demonstrates to OCR that they are making efforts to comply with the regulations. Through our own experience working on dozens of OCR investigations, we have seen that OCR is more lenient and patient when healthcare organizations have documented plans in place and are making serious efforts to meet requirements such as an enterprise-wide security risk analysis. The lower maximum penalties for organizations demonstrating reasonable diligence further reinforce this message.
In contrast to this incentive to do the right thing, which is not new but is re-emphasized by this change, organizations might be tempted to spend less on HIPAA compliance because they perceive their risk as lower. However, they should recall that OCR Director Roger Severino recently stated that audits will be used as an enforcement tool. It is possible that whenever OCR initiates an investigation or compliance review, it will perform an audit and, based on the results, determine the extent of the violations and the CMP. OCR could do this far more efficiently and consistently than with the process it typically uses now. The likely result would be OCR finding additional violations that it currently overlooks, so that an organization faces a lower penalty per violation but more violations charged.
Right now, cases going to settlement outnumber those going to CMP by roughly 16 to 1. This ratio is driven by the monetary savings of a settlement relative to the maximum CMP. In the future, the ratio might flip. I’m reminded of my public defender days, when it became clear that one was often better off doing a stint in jail than an extended period on probation. Here, an organization may well decide that it is better off paying a relatively nominal CMP than spending several years under a corrective action plan (CAP) as part of a settlement.
Today, only a very small percentage of investigations result in a settlement or CMP. In many cases, OCR permits organizations to voluntarily come into compliance with no additional penalty. What is unknown is whether OCR will now increase the number of cases it pushes to settlement or CMP. It could easily do so by showing less tolerance for allowing an organization to voluntarily come into compliance following an incident and avoid a penalty. The average settlement and CMP amounts might go down as a result of the lower maximum penalties, but the total number of settlements and CMPs could go up.
Right now, all we can do is speculate on how this change in maximum annual penalties will play out in the industry. Only time will tell what impact, if any, it has on OCR enforcement practices and the industry’s response. As always, we will keep you updated as the future of HIPAA enforcement comes into better focus. To that end, watch for our upcoming events, webinars, and articles as we continue to examine security and compliance topics in the healthcare industry.
Jon Moore is an experienced professional with a background in privacy and security law, technology and healthcare. During an eight-year tenure with PricewaterhouseCoopers (PwC), Moore served in multiple roles. He was a leader of the Federal Healthcare Practice, Federal Practice IT Operational Leader, and a member of the Federal Practice’s Operational Leadership Team. Among the major federal clients supported by Moore and his engagements are the National Institute of Standards and Technology (NIST), National Institutes of Health (NIH), Indian Health Service (IHS), Department of Health and Human Services (HHS), U.S. Nuclear Regulatory Commission (NRC), Environmental Protection Agency (EPA), and Administration for Children and Families (ACF).
Moore holds a BA in Economics from Haverford College, a law degree from Penn State University’s Dickinson Law, and an MS in Electronic Commerce from Carnegie Mellon’s School of Computer Science and Tepper School of Business.
What Does OCR’s Lowering of Maximum Annual Caps Mean for Covered Entities? - April 29, 2019