On April 30, 2019, the United States Department of Health and Human Services (HHS) published a notice of enforcement discretion that lowers most of the annual caps on the civil money penalties (CMP) that HHS may assess against Covered Entities and Business Associates for violating the Health Insurance Portability and Accountability Act of 1996, as amended (HIPAA). Specifically, HHS will apply a different cumulative annual CMP limit to each of the four penalty tiers; the limit increases progressively from the first to the fourth tier and maxes out at $1.5 million per violation per year.
Background
The Health Information Technology for Economic and Clinical Health (HITECH) Act established four categories of CMP under HIPAA based on the level of culpability associated with a HIPAA violation. The tiers range from the least to the greatest culpability: persons who had no knowledge of a HIPAA violation; persons who had reasonable cause to believe a HIPAA violation could occur; persons whose violation was due to willful neglect and who timely corrected it; and persons whose violation was due to willful neglect and who did not timely correct it. For each tier of culpability, the HITECH Act sets forth a minimum penalty, a maximum penalty, and an annual cap. The current HIPAA regulations, in effect since 2013, contain an annual cap of $1.5 million for each penalty tier. Several commenters on the proposed rule that established the $1.5 million annual CMP caps expressed concern that the regulation was inconsistent with the HITECH Act if the annual limit remained the same for each penalty tier and did not increase with the level of culpability involved in the violation.
Reinterpreting the Annual Caps on CMPs under HITECH
After reviewing the HITECH Act and the regulations implementing the annual CMP caps, the current HHS Office of General Counsel determined that a more sensible reading of the HITECH Act would apply increasing annual caps to each penalty tier. While the minimum and maximum penalties remain unchanged, HHS stated its current belief that Congress only intended the current $1.5 million cap to apply to the penalty tier with the highest level of culpability and changed the annual caps as follows:
TABLE 2—PENALTY TIERS UNDER NOTIFICATION OF ENFORCEMENT DISCRETION

| Culpability | Minimum penalty per violation | Maximum penalty per violation | Annual limit |
| --- | --- | --- | --- |
| No Knowledge | $100 | $50,000 | $25,000 |
| Reasonable Cause | $1,000 | $50,000 | $100,000 |
| Willful Neglect—Corrected | $10,000 | $50,000 | $250,000 |
| Willful Neglect—Not Corrected | $50,000 | $50,000 | $1,500,000 |
This new HIPAA penalty structure went into effect immediately and will remain in force until further notice; HHS expects to engage in future rulemaking to revise the penalty tiers in the current regulation.
Potential Impact on Covered Entities and Business Associates
As a result of HHS’s reinterpretation of the annual caps on CMP, Covered Entities and Business Associates found to have violated HIPAA could face significantly lower penalties if they are able to prove, at a minimum, that a violation was timely corrected. While the decrease in annual caps for lower-tier violations could lead to significantly lower annual penalties, those caps remain subject to annual adjustment for inflation, and HHS can apply them cumulatively for each year in which it finds a person in violation of HIPAA. Furthermore, in many cases, HIPAA violations involve multiple provisions of the HIPAA rules, which can substantially increase potential CMPs.