HHS Changes Maximum Penalties for HIPAA Violations

The Department of Health and Human Services (HHS) has made changes to the maximum penalties for HIPAA violations after a review of the text of the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009.

Prior to the HITECH Act, the penalties for HIPAA violations were not sufficiently high to make compliance a major priority of healthcare organizations. Further, the HHS had not been rigorously enforcing HIPAA Rules.

The HITECH Act changed that and strengthened enforcement of HIPAA Rules by increasing the maximum penalty for HIPAA violations. With the threat of major financial penalties, compliance became more of a priority for healthcare organizations.

The HITECH Act introduced a tiered penalty system based on the level of culpability. Four penalty tiers were introduced based on the extent to which the covered entity knew about the violation and whether they had taken action to correct violations of HIPAA Rules to ensure compliance.

The financial penalties for HIPAA violations introduced by the HITECH Act were:

Tier Minimum Penalty per Violation Maximum Penalty per Violation Minimum Annual Penalty for Violations of an Identical Provision
1-      No Knowledge $100 $50,000 $1,500,000
2-      Reasonable Cause $1,000 $50,000 $1,500,000
3-      Willful Neglect – Corrected $10,000 $50,000 $1,500,000
4-      Willful Neglect – Not Corrected $50,000 $50,000 $1,500,000

The HHS identified inconsistencies in the language of the HITECH Act with respect to financial penalties. The most logical interpretation for the maximum annual penalty for a violation of the same provision appeared to be $1,500,000, which was applied to all violation tiers.

However, following a review, the HHS determined that this was at odds with the tiered system. A violation that a covered entity had no knowledge about, and would not have been able to determine by exercising a reasonable level of due diligence, could attract the same maximum annual financial penalty as a covered entity that was aware of a violation and did nothing to correct it.

The HHS now believes that there was a misinterpretation of HITECH Act requirements and a better interpretation is the maximum annual penalty should also be tiered and should be based on the level of culpability of a covered entity of business associate.

The HHS has now issued a notification of enforcement discretion regarding HIPAA civil monetary penalties, which states that the cap on the maximum annual penalty has now been amended.

The financial penalties for HIPAA violations will now be as follows:

Tier Minimum Penalty per Violation Maximum Penalty per Violation Minimum Annual Penalty for Violations of Identical Provision
1-      No Knowledge $100 $50,000 $25,000
2-      Reasonable Cause $1,000 $50,000 $100,000
3-      Willful Neglect – Corrected $10,000 $50,000 $250,000
4-      Willful Neglect – Not Corrected $50,000 $50,000 $1,500,000

The HHS will be publishing the notification in the Federal Register on April 30, 2019 and will follow the new interpretation of the HITECH Act when deciding on financial penalties until further notice. Further rulemaking on this issue will follow.