HHS Announces Reduction in Maximum Penalties For HIPAA Violations
Signaling a dramatic about-face to its penalty assessments in recent years, HHS has just announced a new interim policy to reduce maximum penalties. In what can be seen as enormous relief to healthcare entities and others subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health Act (“HITECH”), on April 23, 2019,[1] the Federal Department of Health & Human Services (HHS) invoked its discretionary authority and issued a Notice of Enforcement Discretion establishing an interim penalty structure for its assessment of Civil Money Penalties (CMPs) for violations of HIPAA.
When first enacted in 1996, HIPAA and the accompanying Regulations issued by HHS called for a single-tiered penalty structure with a per-violation cap of $100 and an annual cap of $25,000. However, in 2009, the HITECH amendments to HIPAA set forth a new tiered structure for minimum and maximum CMPs that varied based upon the level of culpability, which ranged from a $100 per violation CMP with a maximum annual cap of $25,000 for violations that were not done knowingly to a $50,000 per violation CMP with a maximum annual cap of $1.5M for violations that were due to uncorrected willful neglect.
In an attempt to reflect the changes made to the penalty structure under HITECH, HHS modified the HIPAA Regulations in October of 2009[2] and again in January of 2013,[3] creating the current tiered structure that increases the maximum penalty per violation as well as the annual maximum CMP. In doing so, as critics of the 2013 Omnibus Rule argued, HHS appears to have misinterpreted the mandates of HITECH, opting to create a tiered system that did not follow HITECH’s directive.[4] Instead, under the 2013 Omnibus Rules, HHS created a 4-tiered system that adopted the minimum levels set forth in HITECH, ranging from $100 to $50,000 per violation depending on culpability, with an annual cap of $1.5M for all culpability levels.
Recognizing the error in the current Regulation’s penalty structure, HHS’s Notice effectuates an interim policy directive for all violations that more closely tracks the HITECH model.
Under the Notice, and until further notice, HHS will be applying the following interim penalty tier structure to all HIPAA violations:
Culpability | Minimum Penalty/Violation | Maximum Penalty/Violation | Annual Limit |
No Knowledge | $100 | $50,000 | $25,000 |
Reasonable Cause | $1,000 | $50,000 | $100,000 |
Willful Neglect – Corrected | $10,000 | $50,000 | $250,000 |
Willful Neglect – Not Corrected | $50,000 | $50,000 | $1,500,000 |
HHS anticipates revisions to the current Regulations will be forthcoming, but has issued the new structure until such time as formal rulemaking can be completed. Given HHS’s recent Request for Information issued on December 14, 2018 seeking comments on the HIPAA privacy and security Regulations and, more specifically, how HHS should amend them to foster value-based health care and coordinated care among individuals and covered entities while still protecting the individual’s privacy rights, the HIPAA Rules will likely see another sweeping change in the near future.
Debra Geroux, CHC, CHPC
248.258.2603
geroux@butzel.com
[1] Publication date of the Notice is April 30, 2019. See: https://federalregister.gov/d/2019-08530.
[2] HHS Interim Final Rule, HIPAA Administrative Simplification: Enforcement, 74 FR 56123 (Oct. 30, 2009).
[3] Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the HITECH Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule, 78 FR 5566 (Jan. 25, 2013)(the “HIPAA Omnibus Rule”).
[4] 78 FR 5583.