Pension & Benefits News
Tuesday, May 7, 2019

HHS reduces annual penalty limits for HIPAA violation

By Pension and Benefits Editorial Staff

HHS has notified the public that it is exercising its discretion in how it applies HHS regulations concerning the assessment of civil money penalties (CMPs) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act. Current HHS regulations apply the same cumulative annual CMP limit across four categories of violations based on the level of culpability. As a matter of enforcement discretion, and pending further rulemaking, HHS will apply a different cumulative annual CMP limit for each of the four penalty tiers in the HITECH Act. This exercise of enforcement discretion is effective indefinitely.

HITECH Act. In February 2009, Congress enacted the HITECH Act, which strengthened HIPAA enforcement by increasing minimum and maximum potential CMPs for HIPAA violations. Section 13410(d) of the HITECH Act established four categories for HIPAA violations, with increasing penalty tiers based on the level of culpability associated with the violation: (1) The person did not know (and, by exercising reasonable diligence, would not have known) that the person violated the provision; (2) the violation was due to reasonable cause, and not willful neglect; (3) the violation was due to willful neglect that is timely corrected; and (4) the violation was due to willful neglect that is not timely corrected.

Enforcement Rule. On October 30, 2009, HHS issued an interim final rule (IFR) to implement the enhanced penalty provisions of the HITECH Act. At the time, HHS interpreted the HITECH Act’s penalty provisions as conflicting because they allegedly referenced two levels of penalties for three of the four violation types. Although the HITECH Act provided four different annual penalty caps, the IFR concluded that the most logical reading of the law was to apply the highest annual cap of $1.5 million to all violation types. On January 25, 2013, HHS adopted the text of the IFR as a final rule (Enforcement Rule), applying an annual upper limit of $1.5 million for each of the four culpability tiers.

The 2013 Enforcement Rule noted that some commenters expressed concern about the rule imposing a $1.5 million cap for every penalty tier. The commenters argued that the IFR’s penalty scheme was inconsistent with the HITECH Act’s establishment of different tiers based on culpability: because the outside limits were the same for all culpability categories, the scheme ignored the outside limits set forth by the HITECH Act within the lower penalty tiers, rendering those limits meaningless.

New annual limits. HHS has determined that the better reading of the HITECH Act is to apply annual limits as follows: $25,000 for no knowledge, $100,000 for reasonable cause, $250,000 for corrected willful neglect, and $1,500,000 for uncorrected willful neglect. The new annual limits apply to all HIPAA enforcement actions.

SOURCE: 84 FR 18151, April 30, 2019.
