PRIVACY + SECURITY BLOG

News, Developments, and Insights

high-tech technology background with eyes on computer display

A Major Move to Weaken HIPAA

HIPAA Penalties Reduced

Quietly, at the end of April, HIPAA was significantly weakened.  HHS published what sounds like an innocuous notification in the Federal Register: Notification of Enforcement Discretion Regarding HIPAA Civil Money Penalties.  This notification is actually an enormous change to the HIPAA penalty structure, a drastic reduction in HIPAA fines.

The existing penalty structure under HIPAA is based on the HITECH Act of 2009, which increased HIPAA’s fines in an attempt to give teeth to HIPAA enforcement.  Since HIPAA began being enforced in 2003 until the HITECH Act, fines had barely been issued despite an enormous amount of HIPAA violations.  HITECH was Congress’s rebuff to this weak enforcement approach.  After HITECH’s more potent penalty structure, HHS finally began issuing fines.  The chart below is how HHS has been interpreting the HITECH penalty framework since the HITECH Act:

HIPAA Penalties Table 1

There were some ambiguities under the HITECH Act as to these penalty tiers, but HHS had long interpreted these tiers according to the above chart.  But now, HHS has suddenly changed its mind and adopted a very different interpretation. Under this new interpretation, the penalty tier limits are now as follows:

HIPAA Penalties Table 2

Notice the new annual limits.  There are severe reductions in the annual limits for nearly every category except for uncorrected willful neglect. This change yanks many of the teeth out of HIPAA enforcement.Teeth Pulling

Continue Reading

HIPAA Whiteboard and HIPAA Interactive Whiteboard

HIPAA Whiteboard

Recently, I created two new HIPAA training resources.

HIPAA Whiteboard

I created a 1-page visual summary of HIPAA, which I call the HIPAA WhiteboardThe idea was to summarize HIPAA in a concise and visually-engaging way.  You can download a PDF handout version here.  We’ve been licensing it to many organizations for training and awareness purposes.

HIPAA Whiteboard - TeachPrivacy HIPAA Training

HIPAA Interactive Whiteboard

I subsequently created a new training module — an interactive version of the HIPAA Whiteboard — the HIPAA Interactive Whiteboard When people click on each topic, the program provides brief narrated background information, presented in a very understandable and memorable way.  Trainees can learn at their own pace.  This program is designed to be very short — it is about 5 minutes long.

It can readily be used on internal websites to raise awareness and teach basic information about HIPAA.  It can also be used in learning management systems.

HIPAA Whiteboard Interactive - TeachPrivacy HIPAA Training

HIPAA Whiteboard Interactive - TeachPrivacy HIPAA Training

Continue Reading

Blogging Highlights 2015: Health Privacy+Security Issues

HIPAA Training

I’ve been going through my blog posts from 2015 to find the ones I most want to highlight.  Here are some selected posts about health privacy and security:

Why HIPAA Matters: Medical ID Theft and the
Human Cost of Health Privacy and Security Incidents

care

Continue Reading

The Most Alarming Fact of the HIPAA Audits

hipaa audits 1

law blog 2

by Daniel J. Solove

Are privacy and security laws being enforced effectively? This post is post #5 of a series called Enforcing Privacy and Security Laws.

Under the Health Insurance Portability and Accountability Act (HIPAA), various organizations can be randomly selected to be audited – even if no complaint has been issued against them and even if there has been no privacy incident or breach.

What the audits thus far have revealed is quite alarming. I’ll discuss more on that later.

Continue Reading

The Brave New World of HIPAA Enforcement

hipaa enforcement

law blog 2

by Daniel J. Solove

Are privacy and security laws being enforced effectively? This post is post #4 of a series called Enforcing Privacy and Security Laws.

hhs logoThe Health Insurance Portability and Accountability Act (HIPAA) regulations govern health information maintained by various entities covered by HIPAA (“covered entities”) and other organizations that receive health information from covered entities when performing functions for them. HIPAA is enforced by the Office for Civil Rights (OCR) in the Department of Health and Human Services (HHS). Additionally, state attorneys general (AGs) may enforce HIPAA – only a few federal privacy laws can also be enforced by state AGs.

Continue Reading