What Does OCR’s Lowering of Maximum Annual Caps Mean for Covered Entities?

This past Friday, the Office for Civil Rights (OCR) gave notice in the Federal Register that it is lowering the maximum annual caps for all HIPAA culpability tiers, except for the willful neglect without timely correction tier. There has been uncertainty for some time as to whether OCR’s interpretation of the statute was appropriate with regard to the $1.5M annual limit for all culpability levels. By reducing the maximum penalty in cases where a covered entity or a business associate was not aware and despite exercising reasonable diligence would not have known of a violation, took reasonable care, or corrected a violation, OCR is indicating that it views those who are making serious efforts to comply with the regulations in a much better light. This interpretation better aligns with OCR’s stated desire to focus on making sure patient information is protected rather than punishing HIPAA violations.

At the same time, with HITECH now in place for over 10 years, we wonder whether OCR will be taking a more aggressive stance in determining which category a violation belongs in. Regardless, this change in enforcement discretion will certainly place more focus on how categories of violations are determined. Whether there will be any additional guidance from OCR on how such determinations are made, or whether we get a better understanding of how the regulations are interpreted as a result of cases ending up in court, remains to be seen.

We also wonder if we will see more but smaller civil money penalties (CMPs) and settlements. Right now, only a very small number of total investigations and compliance reviews actually result in a settlement or CMP. With this change in enforcement discretion, we might see an increase in the velocity and volume of settlements and CMPs. We believe this is likely if OCR, as discussed below, pushes more cases to settlement or CMP and organizations are quicker to settle or pay a CMP because the amount involved is smaller.

Don’t Be Lulled into a False Sense of Security

Lowering the maximum penalty in the lower tiers now creates additional incentives for covered entities to begin taking action to demonstrate to OCR that they are making efforts to comply with the regulations. Through our own experience working in dozens of OCR investigations, we have witnessed that OCR is more lenient and patient when healthcare organizations have documented plans in place and are making serious efforts to comply with requirements such as an enterprise-wide security risk analysis. The lower potential maximum penalties for organizations demonstrating reasonable diligence further reinforce this message.

In contrast to the incentive to do the right thing, which is not new but simply re-emphasized by this change, organizations might be tempted to spend less on HIPAA compliance efforts because the perceived risk to them is lower. However, organizations should recall that Director Severino recently stated that audits will be used as an enforcement tool. It is possible that any time OCR initiates an investigation or compliance review, it will perform an audit and, based on the results of that audit, make a determination on the extent of violations and the CMP. OCR could do this on a much more efficient and consistent basis relative to the typical process it uses now. This would likely result in OCR finding additional violations that it currently overlooks, leaving an organization looking at lower penalties per violation but more violations charged.

Right now, the number of cases going to settlement versus CMP is on the order of 16 to 1. This ratio is driven by the monetary savings of a settlement versus the maximum CMP. In the future, this ratio might switch. I’m reminded of my public defender days when it became clear that one was often better off doing a stint in jail than an extended time on probation. In this case, an organization may very well decide that it is better off paying a relatively nominal CMP versus spending several years under a corrective action plan (CAP) as part of a settlement.

Today, only a very small percentage of investigations result in a settlement or CAP. In many cases, OCR permits organizations to voluntarily come into compliance with no additional penalty. What is unknown is whether OCR will now increase the number of cases it pushes to settlement or CMP. It could easily do this by showing less tolerance in allowing an organization to voluntarily come into compliance following an incident and avoid a penalty. The average settlement and CMP dollar amounts might go down as a result of the lower maximum penalties, but the total number of settlements and CMPs could go up.

Right now, all we can do is speculate on how this change in maximum annual penalties will play out in the industry. Only time will tell what, if any, impact there is on OCR enforcement practices and the industry’s response. As always, we will keep you updated as the future of HIPAA enforcement comes into better focus. To that end, watch for our upcoming events, webinars, and articles as we continue to examine security and compliance topics in the healthcare industry.
