50 Journal of Regulatory Compliance Vol. I
in cases where a breach affects more than 500 individuals.[29]
Further, the HITECH Act enforcement rule outlines a four-tiered
framework for the imposition of penalties: (1) if the entity “did not know” of
the violation, penalties range from $100 to $50,000 per violation;[30] (2) if the
entity had “reasonable cause” to know of the violation, penalties range from
$1,000 to $50,000 per violation;[31] (3) if the entity acted with “willful neglect”
but timely corrected the violation, penalties range from $10,000 to $50,000
per violation;[32] and (4) if the entity acted with “willful neglect” and did not
correct the violation, a $50,000 per violation penalty will be imposed.[33] If
multiple violations of an identical provision—i.e., the technical safeguards
required under 45 C.F.R. § 164.312 (discussed below)—occur within a
calendar year, the per-violation penalties are capped at $1.5 million.[34]
However, given the multitude of provisions within the Privacy Rule, Security
Rule, and Breach Notification Rule that could be potentially violated,
organizations are at substantial risk of potentially crippling administrative
penalties.[35] Further, the Department of Justice (“DOJ”) has the power to
prosecute criminal cases against covered entities that “knowingly” violated
HIPAA,[36] although this power is rarely exercised.
The new Breach Notification Rule and penalties framework can have a
profound impact on a company’s business operations and general reputation,
particularly in the case of a mass cyber-attack that exposes potentially
millions of patient records (easily passing the public disclosure threshold).
The following discusses the current HIPAA data security rules that serve as
guiderails for the healthcare industry’s cybersecurity practices.
b. The HIPAA Security Rule
The HIPAA Security Rule provides some flexibility so that the fast-moving
healthcare delivery environment, particularly with regard to technology, does
not outpace rigid and narrowly tailored legislation or rules and thereby require
constant reworking of the legal landscape.[37] Such a scenario is very
problematic in the highly regulated healthcare industry, where government
29. See 45 C.F.R. §§ 164.400–164.414 (2013).
30. See 45 C.F.R. § 160.404 (2013).
31. See id.
32. See id.
33. See id.
35. For example, if an entity experienced a cybersecurity breach and failed to report the
breach in violation of the Breach Notification Rule, and a subsequent enforcement action
revealed a violation of the technical safeguards provisions of the Security Rule, a $50,000
maximum penalty would apply to both rule violations for every individual affected.
36. See 42 U.S.C. § 1320d-6(a) (2010).
37. Gnatt, supra note 11, at 243.