On May 6, 2019, Thora Johnson was quoted in Report on Medicare Compliance regarding the decision by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights to slash the maximum fines it will levy for some Health Insurance Portability and Accountability Act (HIPAA) violations.
According to the article, covered entities can be fined $1.5 million only for violations that are described as “willful neglect, not corrected.” Until now, covered entities faced the identical annual cap, $1.5 million, for repeated instances of the same HIPAA violations regardless of their level of culpability, under the Health Information Technology for Economic and Clinical Health (HITECH) Act. However, HHS didn’t revise the minimum or maximum for per-violation fines.
It’s surprising that HHS would reduce the cap when cyber threats loom large and menacingly over most organizations, and just four months after HHS released guidelines, Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients, highlighting those threats, said Johnson. “It seems out of step with what’s going on at the state level and other federal agencies like the Food and Drug Administration,” Johnson said. “I didn’t see this one coming.”