July 17, 2019

Changes to HHS’ Interpretation of HIPAA Civil Monetary Penalties

On Friday April 26, 2019, the US Department of Health and Human Services (“HHS”) issued a notification regarding HHS’ use of Civil Monetary Penalties (“CMP”) under the Health Insurance Portability and Accountability Act (“HIPAA”) as amended by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act. The notice provides: “As a matter of enforcement discretion, and pending further rulemaking, HHS will apply a different cumulative annual CMP limit for each of the four penalty tiers in the HITECH Act.”

The HITECH Act implemented a tiered penalty scheme for violations of HIPAA. That tiered approach was dependent on the level of culpability associated with the violation. At the lowest level of culpability, when the “person did not know (and by exercising reasonable diligence would not have known)” of the violation, the penalty was established at $100 for each violation “except that the total amount imposed on the person for all such violations may not exceed $25,000.” Each level of culpability had successively higher penalties attached. At the top tier, when the violation was due to willful neglect, the penalty was $50,000 for each violation “except that the total amount imposed on the person for all such violations may not exceed $1.5 million.” P.L. 111-5, Section 13410(d); codified at 42 U.S.C. §1320d–5. However, the statute included some unclear language, as noted in the preamble to the regulations implementing it:

In adopting the HITECH Act’s penalty scheme, the Department recognized that section 13410(d) contained apparently inconsistent language (i.e., its reference to two penalty tiers “for each violation,” each of which provided a penalty amount “for all such violations” of an identical requirement or prohibition in a calendar year). To resolve this inconsistency, with the exception of violations due to willful neglect that are not timely corrected, the [Interim Final Rule] adopted a range of penalty amounts between the minimum given in one tier and the maximum given in the second tier for each violation and adopted the amount of $1.5 million as the limit for all violations of an identical provision of the HIPAA rules in a calendar year. For violations due to willful neglect that are not timely corrected, the IFR adopted the penalty amount of $50,000 as the minimum for each violation and $1.5 million for all such violations of an identical requirement or prohibition in a calendar year.

78 Fed. Reg. 5566, 5582 (Jan. 25, 2013) (emphasis added).

At the time, HHS chose to interpret Congress’ meaning to allow it to impose the highest per-violation fine ($50,000) and the highest aggregate amount ($1.5 million) for every tier, regardless of the tier and the degree of culpability of the covered entity. Under that scheme, the penalty assessment was as follows:

| Culpability | Minimum penalty per violation | Maximum penalty per violation | Annual limit |
|---|---|---|---|
| No Knowledge | $100 | $50,000 | $1.5 million |
| Reasonable Cause | $1,000 | $50,000 | $1.5 million |
| Willful Neglect, Corrected | $10,000 | $50,000 | $1.5 million |
| Willful Neglect, Not Corrected | $50,000 | $50,000 | $1.5 million |

The interpretation above arguably turned the four-tier approach set forth in the statute into a two-tier approach. However, as of April 26, 2019, “[u]pon further review of the statute by the HHS Office of the General Counsel,” HHS has determined that “all HIPAA enforcement actions will be governed” by a revised set of penalty tiers that mirrors the statute’s four tiers. The new penalty tiers are as follows:

| Culpability | Minimum penalty per violation | Maximum penalty per violation | Annual limit |
|---|---|---|---|
| No Knowledge | $100 | $50,000 | $25,000 |
| Reasonable Cause | $1,000 | $50,000 | $100,000 |
| Willful Neglect, Corrected | $10,000 | $50,000 | $250,000 |
| Willful Neglect, Not Corrected | $50,000 | $50,000 | $1.5 million |

HHS also noted that it would engage in future rulemaking “to revise the penalty tiers in the current regulation to better reflect the text of the HITECH Act.” With these changes, organizations with robust privacy and security compliance programs (including strong reporting mechanisms) may see an advantage in falling into the lower penalty tiers in the event a violation occurs, since the lower tiers now carry substantially lower annual limits.

©2019 Epstein Becker & Green, P.C. All rights reserved.

About the Authors

George B. Breen, Member, Epstein Becker & Green, P.C.

GEORGE B. BREEN is a Member of the Firm in the Health Care and Life Sciences and Litigation practices. He is Chair of the firm's National Health Care and Life Sciences Practice Steering Committee and a member of the firm's Board of Directors.

Mr. Breen:

  • Defends clients undergoing investigation for health care fraud by the Department of Justice, the Department of Health and Human Services Office of the Inspector General, and other state and federal governmental authorities
  • ...
202-861-1823
Patricia M. Wagner, Member, Epstein Becker & Green, P.C.

PATRICIA M. WAGNER is a Member of the Firm in the Health Care and Life Sciences and Litigation practices, in the firm's Washington, DC, office. In 2014, Ms. Wagner was selected to the Washington DC Super Lawyers list in the area of Health Care.

Ms. Wagner’s experience includes the following:

  • Advising clients on a variety of matters related to federal and state antitrust issues
  • Representing clients in antitrust matters before the Federal Trade Commission, the United States Department of Justice, and state antitrust authorities
  • Advising clients on issues related to HIPAA privacy and security
  • Advising clients on issues related to state licensure and regulatory requirements

202-861-4182