I’d been meaning to post this for a while, but got a little distracted with all the other news. Better late than never. HHS and OCR have changed the penalties associated with a HIPAA violation. You can see the details of the new enforcement discretion here. The notification says that after further review of the HITECH Act, they needed to adjust the penalties associated with a HIPAA violation.
Here’s a look at the HIPAA Penalties before the changes:
And here’s a look at the new HIPAA Penalties:
These seem like good changes to the penalties. As my hacker friend always told me, you can make it hard for someone to breach you, but you can never ensure 100% security. It’s more a matter of making it hard enough to breach your organization that attackers choose to go after someone easier. Of course, with phishing and social engineering, it’s really impossible for any CIO to be confident that they’ll never be breached. That’s why I like the changes to the penalties. Breaches happen to even the best of them.
What do you think of these changes? Are these good? Do you think they’re too easy on those who incur penalties? Will these softer penalties mean that healthcare organizations will worry less about their security? Share your thoughts with us in the comments and on Twitter with @HealthcareScene.