BLOG POST: Cliff's Notes | The OCR's New Penalty Structure


Blog Post by CORL Technologies CEO Cliff Baker

Cliff's Notes | The OCR's New Penalty StructureThe Office of Civil Rights (OCR) has revised and issued a new penalty structure for HIPAA violations. The bottom line of this new structure is that the OCR is taking a covered entities’ security posture into account in deciding when and how much to levy in fines for HIPAA violations. 

Vendor security risk management programs play a key role in demonstrating an organization’s proactive measures to reduce data security risk. By providing increased visibility and remediation work to reduce risk across the covered entities’ supply chain, the OCR will view this favorably in the event a HIPAA breach or audit occurs. 

The OCR released enforcement updates in early 2019 in which current trends were analyzed and a new Civil Monetary Penalty (CMP) structure was revealed. These changes to the CMP structure signal guidelines for organizations to adopt data security practices that will reduce the likelihood of a data security breach or financial losses resulting from compliance violations. 

The OCR said its focus going forward will be on auditing organizations that do not report any breaches. Ensuring that appropriate security and privacy requirements are in place within Business Associate Agreements (BAA) was also noted by the OCR as one of their inspection areas. 

Thus, covered entities with comprehensive data security programs, including visibility into their vendor and business associate data security risks and remediation efforts, will face the least financial risk under this new structure. 

The New CMP Structure | At a Glance 
The new structure for HIPAA violation Civil Monetary Penalties (CMP) was announced by the OCR on April 26, 2019. 

The following changes to annual limitations for identical violations were announced: 

  • TIER 1 | No Knowledge - Annual limit reduced from $1.5M to $25,000 
  • TIER 2 | Reasonable Cause - Annual limit reduced from $1.5M to $100,000 
  • TIER 3 | Willful Neglect - Corrected - Annual limit reduced from $1.5m to $250,000
  • TIER 4 | Willful Neglect - Not Corrected - Annual limit unchanged at $1.5M 

The lowest penalty level, titled “No Knowledge” would infer that even though the organization had ample security controls in place, there was still no indicator or alert within the organization of the breached data. The organization would be considered to have acted in good faith in providing data security safeguards, including a working program for vendor data security. Obviously, this is where every organization would like to be... and CORL can help get you there. 

Reducing Financial Risk with VSRM 
The OCR shift from across-the-board punitive action and to more graded approach appears to be designed to encourage and reward businesses with proactive data security programs operating within the healthcare industry. 

Covered entities that lack the visibility into their vendor and business associate security practices (i.e. vendor security risk assessment) will be in a weak position to properly analyze their vendor supply chain. This new structure will benefit the organizations that take an active approach to vendor risk management. 

Partnering with you to bolster your risk reduction efforts throughout your vendor network is our primary purpose. Contact me or any CORL team member directly and let us know your concerns and questions about meeting HIPAA compliance standards. We love to hear from you.