In April 2019, the Department of Health and Human Services Office for Civil Rights (OCR) issued a Notification of Enforcement Discretion Regarding HIPAA Civil Money Penalties (the Notification). OCR published the Notification to alert the public that OCR is exercising its discretion in assessing Civil Money Penalties under HIPAA as amended by the HITECH Act.
In February 2009, the HITECH Act established four categories for HIPAA violations with increasing penalty tiers based on the level of culpability. It also amended HIPAA by eliminating the prohibition on the penalties for a covered entity if it did not know and with reasonable diligence would not have known of a HIPAA violation. The four categories for HIPAA violations became the following:
- No Knowledge: The person did not know (and, by exercising reasonable diligence, would not have known) that the person violated the provision
- Reasonable Cause: The violation was due to reasonable cause, and not willful neglect
- Willful Neglect—Corrected: The violation was due to willful neglect that is timely corrected
- Willful Neglect—Not Corrected: The violation was due to willful neglect that is not timely corrected
While the HITECH Act applied four different annual penalty limits (ranging from $25,000 to $1,500,000) based on the level of culpability, in the Interim Final Rule to implement the enhanced penalty provisions of the HITECH Act, OCR applied the highest annual cap of $1.5 million to all violations regardless of the level of culpability (see first table below). OCR provided that applying the highest annual limit for all levels of culpability was “the most logical reading” of the HITECH Act since this was “consistent with Congress’ intent to strengthen enforcement.”
| Culpability | Minimum Penalty/Violation | Maximum Penalty/Violation | Annual Limit |
| --- | --- | --- | --- |
| No Knowledge | $100 | $50,000 | $1,500,000 |
| Reasonable Cause | $1,000 | $50,000 | $1,500,000 |
| Willful Neglect—Corrected | $10,000 | $50,000 | $1,500,000 |
| Willful Neglect—Not Corrected | $50,000 | $50,000 | $1,500,000 |
However, the Notification provides that upon further review OCR has concluded that a “better reading of the HITECH Act” is to apply annual limits based on the level of culpability (see second table below).
| Culpability | Minimum Penalty/Violation | Maximum Penalty/Violation | Annual Limit |
| --- | --- | --- | --- |
| No Knowledge | $100 | $50,000 | $25,000 |
| Reasonable Cause | $1,000 | $50,000 | $100,000 |
| Willful Neglect—Corrected | $10,000 | $50,000 | $250,000 |
| Willful Neglect—Not Corrected | $50,000 | $50,000 | $1,500,000 |
OCR will use the above penalty tier structure, as adjusted for inflation, until further notice and plans to have future rulemaking to modify the penalty tiers in the current regulation “to better reflect the text of the HITECH Act.”
Given the significant decrease in the annual limits for all but one category of HIPAA violations, covered entities and business associates may welcome OCR’s revised reading of the HITECH Act. This change in the annual limits may be especially welcome since, under the previous penalty tiers, OCR collected $28.7 million from settlements and cases in 2018 (see February 27, 2019 NP Privacy Partner Blog Post).