HHS to Cap HIPAA Fines Based on ‘Culpability’
May 2019
The Department of Health and Human Services (HHS) published a Notice of Enforcement Discretion Regarding HIPAA Civil Monetary Penalties, updating the maximum amount it will penalize providers, health plans and business associates for HIPAA violations.
The update changes how HHS will manage “regulations concerning the assessment of Civil Money Penalties (CMPs) under HIPAA” and will apply a different cumulative annual CMP limit for each of the four penalty tiers in the Health Information Technology for Economic and Clinical Health (HITECH) Act.
According to HHS, the HITECH Act’s penalty system included “apparently inconsistent language”, which led to confusion over the maximum penalty an organization could be fined per year that a violation persisted. As part of a final rule, HHS set a static upper limit of $1.5 million per year that an issue was present, regardless of tier.
“Upon further review of the statute by the HHS Office of the General Counsel, HHS has determined that the better reading of the HITECH Act is to apply annual limits” based on the level of culpability, HHS states in the notice.
Under the new guidance, violations will be penalized under one of four tiers, with increasing penalty tiers based on the level of culpability associated with the violation:
1-The person did not know (and, by exercising reasonable diligence, would not have known) that the person violated the provision;
Minimum Penalty $100; Maximum Penalty $50,000; Annual Limit $1,500,000
2-The violation was due to reasonable cause, and not willful neglect;
Minimum Penalty $1,000; Maximum Penalty $50,000; Annual Limit $1,500,000
3-The violation was due to willful neglect that is timely corrected; and
Minimum Penalty $10,000; Maximum Penalty $50,000; Annual Limit $1,500,000
4-The violation was due to willful neglect that is not timely corrected.
Minimum Penalty $50,000; Maximum Penalty $50,000; Annual Limit $1,500,000
Last year, HHS collected a record $28.7 million in penalties from HIPAA-covered entities and business associates, surpassing the previous record by 22%.
According to HHS guidance, the new penalty tier will be used until further notice and the administration said it expects future rulemaking to revise the penalty tiers “to better reflect the text of the HITECH Act.”