May 1, 2019

HHS lowers HIPAA annual upper limits to better reflect text of HITECH Act

The Department of Health & Human Services (“HHS”) has issued a Notification of Enforcement Discretion for the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”) changing the cumulative annual civil money penalties (“CMPs” or “penalties”) for each of the four penalty tiers available for violations under HIPAA.

The HITECH Act’s current tier structure increases in penalty amount based on the level of culpability associated with the violation:

(1) the person did not know, or did not have reasonable belief to know, that the person violated the provision;

(2) the violation was due to reasonable cause;

(3) the violation was due to willful neglect, but it was timely corrected; and

(4) the violation was due to willful neglect and was not timely corrected.

Therefore, organizations will be penalized much more for deliberately violating HIPAA requirements.

The 2013 HHS “Enforcement Rule” increases the minimum penalty based on level of culpability, but the penalty structure applies the same annual limit of $1.5 million regardless of an organization’s level of fault (see table below).

| Tier | Culpability | Minimum Penalty/Violation | Maximum Penalty/Violation | Annual Limit |
|---|---|---|---|---|
| Tier 1 | No Knowledge; no reasonable belief to know | $100 | $50,000 | $1,500,000 |
| Tier 2 | Reasonable Cause | $1,000 | $50,000 | $1,500,000 |
| Tier 3 | Willful Neglect; but timely corrected | $10,000 | $50,000 | $1,500,000 |
| Tier 4 | Willful Neglect; not timely corrected | $50,000 | $50,000 | $1,500,000 |

Concern was expressed that applying the same annual limit to each level of culpability is inconsistent with the HITECH Act’s language. Upon further review, HHS has now concluded that the “better reading” of the Act is to reduce the cumulative annual penalty limits for Tiers 1, 2, and 3.

HHS plans to use these new limits indefinitely and engage in further rulemaking to implement them.

| Tier | Culpability | Minimum Penalty/Violation | Maximum Penalty/Violation | Annual Limit |
|---|---|---|---|---|
| Tier 1 | No Knowledge; no reasonable belief to know | $100 | $50,000 | $25,000 |
| Tier 2 | Reasonable Cause | $1,000 | $50,000 | $100,000 |
| Tier 3 | Willful Neglect; but timely corrected | $10,000 | $50,000 | $250,000 |
| Tier 4 | Willful Neglect; not timely corrected | $50,000 | $50,000 | $1,500,000 |

Although organizations complying with HIPAA requirements will face lesser penalties than under the previous penalty structure, HIPAA compliance is more vital than ever. In 2018, the department’s Office for Civil Rights (“OCR”) hit a new record in HIPAA enforcement totaling $28.7 million – 22% higher than the previous record of $23.5 million in 2016.

The information and content contained in this blog post are for general informational purposes only, and do not, and are not intended to, constitute legal advice.
