Health and Human Services lowers fines for HIPAA violations

The Department of Health and Human Services reduced its fines for violations of HIPAA — the law requiring health care industries to protect customer data, according to a notice this week in the Federal Register.

Driving the news: The new rules reduce a maximum fine of $1.5 million to a maximum fine of $250,000.

• HHS claims the changes in fines reflect a better reading of the law.
• The law is ambiguous and poorly written, supporting both the new and old readings of the law, said Jon Moore, senior vice president and chief risk officer at Clearwater Compliance, a company that helps customers comply with HIPAA.

Details: The changes in fees may fundamentally alter how companies approach compliance fines, said Moore.

• Investigations into HIPAA fines can take years.
• "Most organizations who are investigated don’t end up paying penalties. Or they settle and enter a corrective action plan," he said. "But that might change. An organization may say 'I’d rather pay [the lowest-tier fine of] $25,000 than be investigated for years.'"

What to watch: It's hard to say whether the changes will increase or decrease compliance with the law. It's now less costly not to comply. But by decreasing the penalty for complying with the law but still suffering a breach, the changes also make complying more attractive.

Go deeper: Alexa adds new functionalities to comply with HIPAA