New Considerations for Breach PenaltiesHIPAA Omnibus Spells Out More Details on Setting Sanctions
In all the discussion about the HIPAA Omnibus Rule, which was officially published Jan. 25, not much attention has been paid to three new considerations added for determining potential civil monetary penalties following a breach investigation.
The rule, which is effective March 26 and will be enforced beginning Sept. 23, clarifies how the impact of breaches will be considered when the Department of Health and Human Services' Office for Civil Rights determines penalties. This rule applies to breaches involving business associates, as well as covered entities.
Number of Individuals Affected
To help mitigate the potentially larger civil penalties that could occur, organizations must make sure they are effectively addressing information security and privacy compliance.
Before HIPAA Omnibus, the number of individuals affected by a breach was considered when counting the number of violations tied to an incident, but it had not been a consideration for determining civil penalties. HHS explains in the new rule:
"When considering the nature of the violation, the Department intends to consider factors such as the time period during which the violation(s) occurred and the number of individuals affected. Such considerations reflect the nature of the violation, specifically with respect to potential violations that affect a large number of individuals, for example, where disclosure of protected health information in multiple explanation of benefits statements (EOBs) that were mailed to the wrong individuals resulted from one inadequate safeguard but affected a large number of beneficiaries."
"Reputational harm" was added to the list of specific circumstances that can be considered when determining civil monetary penalties. HHS explains why:
"Whether reputational harm is implicated in a HIPAA violation will be a fact-specific inquiry. We emphasize, however, that we do not consider reputational harm to arise solely from the unlawful disclosure of protected health information relating to medical diagnoses that may be considered especially sensitive, such as sexually transmitted infections or mental health disorders. Rather, the facts of the situation will determine whether reputational harm has occurred, such as whether the unlawful disclosure resulted in adverse effects on employment, standing in the community, or personal relationships."
Indications of Non-Compliance
In considering the degree of culpability, the phrase "prior violations" was changed to "indications of noncompliance" in HIPAA omnibus. HHS explains:
"... A covered entity's general history of HIPAA compliance is relevant in determining the amount of a civil money penalty within the penalty range."
This is significant because now a much wider range of compliance activities will be considered, beyond just those that had been formally labeled as violations. When looking at indications of noncompliance, the following are just a few examples of the types of information that could now be reviewed:
- Past breaches;
- Past investigations performed by the HHS;
- Actions related to existing corrective action plans;
- Voluntary corrective compliance actions;
- The entity's own documentation about compliance activities;
- Complaints received about the entity.
HHS emphasized that "a mere complaint does not constitute an indication of noncompliance."
I anticipate the details associated with complaints received will be a factor. For example, if an organization received multiple complaints about the same issue, HHS likely would be more likely to include consideration of those complaints. The topic of the complaint would also be a factor.
Action to Take
To help mitigate the potentially larger civil penalties that could occur, covered entities and business associates must make sure they are effectively addressing information security and privacy compliance and taking adequate steps to prevent breaches. Some actions specific to these new considerations include:
- Review information security and privacy policies and ensure they include directives for keeping a minimum amount of patient data on mobile computing and storage devices.
- Eliminate repositories of PHI that are not necessary to support organizational activities.
- Ensure PHI data inventories are complete and up-to-date. You cannot determine the numbers of individuals affected by a breach unless you have accurate inventories. For example, if a physician loses a laptop but there is no documentation to validate the specific individuals whose PHI was stored on it, then all of the patients the doctor treated will be assumed affected.
- Increase training and ongoing awareness communications about how PHI cannot be posted online, discussed inappropriately with others or be accessed unless there is need based upon job responsibility. Also, offer reminders to follow all information security and privacy policies and procedures.
- Document all training activities and awareness communications.
- Maintain a centralized repository of all compliance-related activities and documentation.
Rebecca Herold is a partner at Compliance Helper and CEO at The Privacy Professor, a consulting firm. She has more than two decades of information privacy, security and compliance experience.