There are many articles out there claiming that the Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) has issued its largest HIPAA fine to date, a total of $4.8 million to New York Presbyterian Hospital and Columbia University Medical Center. The story is inaccurate but raises interesting points when it comes to HIPAA monetary penalties.
HIPAA Breach Penalties Capped at $1.5 Million?
One of the most often quoted figures when it comes to HIPAA breaches is $1.5 million, as in the “maximum penalty amount of $1.5 million for all violations of an identical provision” (§160.404 of the Final Rule). This is generally interpreted to mean that $1.5 million in fines is the limit when it comes to HIPAA data breaches.
Which raises the question: how did New York Presbyterian and Columbia University manage to get themselves fined $4.8 million? Even if the penalty had fallen equally on both entities (it didn’t: Columbia was fined the “expected” $1.5 million, NY Presbyterian the remaining $3.3 million), you’d imagine that $3 million is the most that could be assessed. Where is the remaining $1.8 million coming from?
NY Presbyterian’s resolution agreement with OCR does not offer clues:
NYP agrees to pay HHS the amount of three million three hundred thousand dollars ($3,300,000.00) (“Resolution Amount”). NYP agrees to pay the Resolution Amount on the Effective Date of this Agreement as defined in paragraph 14 by automated clearing house transaction pursuant to written instructions to be provided by HHS.
Many have noticed, however, that NY Presbyterian conceded to more instances of non-compliant conduct than Columbia University. This leads me to believe that NY Presbyterian must have broken multiple rules via the one data breach. From “Mandated Benefits: 2014 Compliance Guide” by The Balser Group:
The final Enforcement Rule indicates that one act of noncompliance that violates more than one subpart of the [HIPAA] administrative simplification rules will be treated as separate, multiple violations. So, for example, if a covered entity re-sells its used computers without scrubbing the hard drives that contain protected health information, this act may violate several separate legal obligations under the security and privacy rules. In this scenario, the covered entity will have multiple violations and could be fined up to the maximum for each separate violation.
Whatever the reason may be for NY Presbyterian paying $3.3 million, the lesson here is that $1.5 million is not the limit when it comes to HIPAA fines. If someone out there is performing a financial risk analysis based on a theoretical cap of $1.5 million to decide whether, say, all laptops in their organization should be protected with HIPAA encryption software, your job just became harder.
There is Another Bigger HIPAA Fine
All of this hullabaloo about NYP-CU being the largest HIPAA fine is just hot air. The honor goes to Cignet, which was fined $4.3 million by OCR in 2011. Of the total, $1.3 million was for denying patients access to their own files, which is a HIPAA violation. A further $3 million was levied for not cooperating with OCR’s subsequent investigation.
Yes, the total amount involved is less than the $4.5 million for NYP-CU. But, the entirety of the $4.3 million falls on one covered entity. NYP-CU involves two. I mean, there’s a reason why there are two resolution agreements for NYP-CU.