Cyber security breaches are constantly in the news. Hundreds, if not thousands, occur across every kind of industry each year. Healthcare has consistently been a prime target for cyber criminals seeking personal health information (PHI), which can be sold for high profit on the dark web. In fact, 2018 marked an all-time high of $28.7 million in fines paid by HIPAA covered entities and their business associates. However, not all breaches are equal, which is why the new HITECH penalty tiers were developed.
The problem with HITECH
In an effort to encourage healthcare organizations to better protect their patients’ information, the Health Information Technology for Economic and Clinical Health (HITECH) Act was instituted, though the wording of the original bill left much open to interpretation. One element of the Act created tiers for HIPAA and breach violations. However, HHS admitted there was inconsistent language in the HITECH Act about the penalty scheme, and because of this the penalty cap for every tier was set at $1.5 million. Commenters expressed concern that the “penalty scheme is inconsistent with the HITECH Act’s establishment of different tiers based on culpability.”
What is the culpability?
Webster defines it as the “guilt or blame that is deserved”. The HITECH penalty tiers define it in four levels:
- the person did not know (and, by exercising reasonable diligence, would not have known) that the person violated the provision;
- the violation was due to reasonable cause, and not willful neglect;
- the violation was due to willful neglect that is timely corrected; and
- the violation was due to willful neglect that is not timely corrected.
New HITECH Penalty tiers
Under the new penalty scheme, fines increase based on which tier your breach falls into:

| Culpability | Min Penalty / Violation | Max Penalty / Violation | Annual Limit |
|---|---|---|---|
| Willful Neglect – Corrected | $10,000 | $50,000 | $250,000 |
| Willful Neglect – Not Corrected | $50,000 | $50,000 | $1,500,000 |
This is all great and nice to know, but what does it look like in practice? Each tier might look something like this:
- You have completed a holistic Security Risk Assessment and have made efforts to improve your cyber security. Even with reasonable policies and procedures in place, a breach still occurred.
- You have certain elements of security in place, but a breach got through by a reasonable cause, such as an employee falling for a phishing scheme.
- You made no effort to protect your cyber security, but worked to correct the problem after a breach.
- You made no effort to protect your cyber security and did not attempt to correct it after a breach.
If you read the HHS OCR’s audit summary letters, you can conclude that option one will keep you from being fined $50,000 for willful neglect regarding a risk assessment, while option four will land you that $50,000 fine.
Which tier best applies to you? Do you even know where to start?
Our Cyber Quick Check can have you on the path to a better understanding of your current cyber security in less than 2 minutes. Know you need to up your security game? Find a package that is right for you.