HHS lowering cumulative annual civil money penalties it will apply under HIPAA and HITECH Acts
On April 26, 2019, the U.S. Department of Health and Human Services (“HHS”) published an Enforcement Discretion letter announcing it is meaningfully lowering the cumulative annual civil money penalties (“CMPs”) it will apply under HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act. This is a significant policy change and perhaps somewhat ironic given that the HHS Office for Civil Rights (“OCR”) collected a record of almost $29 million from HIPAA enforcement actions in 2018. The previous calendar year high was $23.5M in 2016. The Enforcement Discretion letter is scheduled to be published in the April 30, 2019 edition of the Federal Register.
The HITECH Act established four categories for HIPAA violations: (i) the person did not know he or she violated the provision; (ii) the violation was due to reasonable cause and not willful neglect; (iii) the violation was due to willful neglect that is timely corrected; and (iv) the violation was due to willful neglect that is not timely corrected.
The HIPAA penalty tiers immediately prior to the issuance of the Enforcement Discretion letter were as follows:
In the Enforcement Discretion letter, HHS provided a substantive background section on the statutory and regulatory history of the HIPAA penalties and concluded that it should modify the current $1.5M annual limit for each penalty tier and the maximum penalty an organization could be fined per year for a violation that persisted. The revised annual penalty tiers now correspond to the alleged culpability, e.g., willful neglect that is not corrected has a much higher annual limit ($1.5M) than a violation by a party that has no knowledge that it violated a HIPAA provision ($25,000).
The NEW HIPAA penalty tiers are as follows:
HHS announced it will use this modified penalty tier structure, adjusted for inflation, until further notice. HHS did state it expects to engage in future rulemaking to revise the penalty tiers in the current regulations to "better reflect" the HITECH Act.
Even with these reduced annual aggregate penalty tiers, HIPAA compliance remains an important (and expensive) challenge to which covered entities and business associates must give proper attention.