HHS Reduces Penalties for HIPAA Violations; Distinguishes Based on Culpability
The U.S. Department of Health and Human Services recently published a Notice of Enforcement Discretion that markedly reduced HIPAA-related penalties. According to the Notice, effective immediately, HHS will change how it applies regulations concerning the assessment of Civil Money Penalties under HIPAA. Prior to issuance of the Notice, HHS regulations applied the same $1.5 million cumulative annual CMP limit across all categories of violations (which are based on the level of culpability of the violator). In other words, if a company found itself in violation of HIPAA, the penalties for which it would be responsible could be no more than $1.5 million per year regardless of the category of violation and regardless of the number of violations the company had committed.
Now, as a result of the Notice, the cumulative annual CMP limit is different depending on the category of violation (and, by extension, the level of culpability of the violator): (1) for each violation where the covered entity or business associate did not know and, by exercising reasonable diligence, would not have known that the covered entity or business associate violated HIPAA, the total annual limit is now $25,000; (2) for each violation due to reasonable cause and not to willful neglect, the total annual limit is now $100,000; (3) for each violation due to willful neglect that is corrected within 30 days, the total annual limit is now $250,000; and (4) for each violation due to willful neglect that is not corrected within 30 days, the total annual limit remains $1.5 million.
Putting it Into Practice: According to HHS, forty percent (40%) of the cases where HHS has taken enforcement action to date have involved willful neglect that is not corrected, the category for which HHS has retained the $1.5 million annual cumulative CMP limit. While most will focus on the fact that this is a significant number of cases still subject to the maximum penalty of $1.5 million, it is also the case that for over half of cases to date, the maximum penalty level HHS could have imposed per year would have been less had those cases occurred after the Notice. HHS’s changes suggest that covered entities and business associates should do everything they can to ensure that their culpability levels for violations are low. The lower the culpability level of the violator, the lower the maximum penalty HHS will levy.