HHS reduces maximum civil penalties for HIPAA violations

The Department of Health and Human Services (HHS) published a Notification of Enforcement Discretion Regarding HIPAA Civil Money Penalties on April 30, 2019. This changes the interpretation of fines for violations defined under the HITECH Act, effectively reducing some of the annual limits. 

PrivaPlan CEO David Ginsberg noted that this interpretation could change under a future Administration and furthermore, this notification is not an actual change to the regulation, but rather a notification of how HHS will enforce the regulation.

Previously, the annual cap or limit on a fine for a violation with multiple instances of the same type of violation was $1.5 Million. That now drops to a new set of tiered annual limits ranging from $25,000-$1.5 Million. 

Culpability

Minimum Penalty/Violation

Maximum Penalty/Violation

Old Annual Limit

New Annual Limit

Tier 1:  No Knowledge

$100

$50,000

$1,500,000

$25,000

Tier 2: Reasonable Cause

$1,000

$50,000

$1,500,000

$100,000

Tier 3: Willful Neglect – Corrected

$10,000

$50,000

$1,500,000

$250,000

Tier 4: Willful Neglect – Not Corrected

$50,000

$50,000

$1,500,000

$1,500,000

 

The penalty tiers remain based on the level of culpability associated with the HIPAA violation:  

(1) The person did not know (and, by exercising reasonable diligence, would not have known) that the person violated the provision;  

(2) the violation was due to reasonable cause, and not willful neglect;  

(3) the violation was due to willful neglect that is timely corrected; and 

(4) the violation was due to willful neglect that is not timely corrected.

Roger Severino, director for the Office of Civil Rights, HHS, wrote in the notification, “HHS will use this penalty tier structure, as adjusted for inflation, until further notice. HHS expects to engage in future rulemaking to revise the penalty tiers in the current regulation to better reflect the text of the HITECH Act.”

These changes follow a record-breaking enforcement year for OCR, with 10 settlements and a summary judgment totaling $23.5 million.

 

 

 

Related Posts

Access PrivaPlan Toolkit

Access CMA-PrivaPlan Toolkit

Sign up for updates

Sign up. Learn about Compliance

Subscribe now for up-to-date information about privacy & security compliance! You’ll receive emails regarding news about compliance & alerts for new blog posts.