HHS Actually Takes Action to LOWER the Penalties For One Of Its Enforcement Laws

On April 29, 2019, the United States Department of Health and Human Services (“HHS”) announced in the Federal Register, through a Notification of Enforcement Discretion effective immediately, that it would be exercising its discretion regarding the application of HHS regulations concerning the assessment of Civil Monetary Penalties (“CMPs”) under the Health Insurance Portability and Accountability Act (“HIPAA”) and the Health Information Technology for Economic and Clinical Health (“HITECH”) Act. Specifically, HHS has abandoned the uniform cumulative annual CMP limit that applied across all four categories of culpability and replaced it with tiered annual CMP limits that increase with the severity of the category.

In 2009, HITECH established four tiers of culpability with increasing penalties based on increasing severity. Those categories included: (1) the person did not know (and, by exercising reasonable diligence, would not have known) that the person violated the provision; (2) the violation was due to reasonable cause, and not willful neglect; (3) the violation was due to willful neglect that is timely corrected; and (4) the violation was due to willful neglect that is not timely corrected.

At the time of enactment of the HITECH Act, discrepancies were identified in the descriptions of the penalty ranges and uncertainty existed surrounding whether the $1,500,000 annual cap on CMPs should be applied to all of the categories of culpability. In the final regulations implementing HITECH that were adopted by HHS in 2013, the $1,500,000 annual cap was confirmed by HHS to apply to all categories. And, ever since then, HHS has been issuing penalties under the following framework:

| Culpability | Min. Penalty per Violation | Max. Penalty per Violation | Annual Limit |
|---|---|---|---|
| No Knowledge | $100 | $50,000 | $1,500,000 |
| Reasonable Cause | $1,000 | $50,000 | $1,500,000 |
| Willful Neglect – Corrected | $10,000 | $50,000 | $1,500,000 |
| Willful Neglect – Not Corrected | $50,000 | $50,000 | $1,500,000 |

However, in a sudden change of position, HHS’ guidance this past week states that, upon further review of the statute, it believes a better reading of the statute is to provide a tiered annual limit. Thus, under HHS’ new interpretation, the maximum annual limits for HIPAA enforcement actions are as follows:

| Culpability | Min. Penalty per Violation | Max. Penalty per Violation | Annual Limit |
|---|---|---|---|
| No Knowledge | $100 | $50,000 | $25,000 |
| Reasonable Cause | $1,000 | $50,000 | $100,000 |
| Willful Neglect – Corrected | $10,000 | $50,000 | $250,000 |
| Willful Neglect – Not Corrected | $50,000 | $50,000 | $1,500,000 |

It is unclear how the “No Knowledge” category will work given that the maximum penalty per violation remains at $50,000 while the annual limit is only $25,000. A review of the Federal Register entry from HHS confirms these to be the numbers published by HHS, and thus, until HHS offers further guidance or begins applying these new figures to specific cases, there remains some uncertainty for this category of culpability.

Nevertheless, these changes should come as welcome news to providers and business associates entrusted with protected health information (“PHI”), because penalties for a HIPAA violation can add up quickly. The new annual limits will help to curb the financial sting of a violation, especially when the provider or business associate either is genuinely unaware of the violation or takes appropriate action in response to it. Only time will tell whether HHS’ clarification of its reading of the statute to require lower annual CMP caps marks a general shift toward lower penalties or fewer enforcement actions overall.

In the meantime, it would be wise for providers and business associates to continue demonstrating good-faith compliance efforts to try to minimize the tier of culpability within which a particular penalty falls. Only through ongoing reviews, audits and assessments of privacy policies and procedures and general compliance programs will providers and business associates remain prepared and help to mitigate the penalty of a potential HIPAA violation. Certainly, with these new tiered annual CMP caps, those that handle PHI have an even greater incentive to remain focused on effective compliance efforts.