August 4, 2021

Volume XI, Number 216


HHS Reduces Penalties for HIPAA Violations; Distinguishes Based on Culpability

The U.S. Department of Health and Human Services recently published a Notice of Enforcement Discretion that markedly reduced HIPAA-related penalties. According to the Notice, effective immediately, HHS will change how it applies regulations concerning the assessment of Civil Money Penalties under HIPAA. Prior to issuance of the Notice, HHS regulations applied the same $1.5 million cumulative annual CMP limit across all categories of violations (which are based on the level of culpability of the violator). In other words, if a company found itself in violation of HIPAA, the penalties for which it would be responsible could be no more than $1.5 million per year regardless of the category of violation and regardless of the number of violations the company had committed.

Now, as a result of the Notice, the cumulative annual CMP limit is different depending on the category of violation (and, by extension, the level of culpability of the violator): (1) for each violation where the covered entity or business associate did not know and, by exercising reasonable diligence, would not have known that the covered entity or business associate violated HIPAA, the total annual limit is now $25,000; (2) for each violation due to reasonable cause and not to willful neglect, the total annual limit is now $100,000 per year; (3) for each violation due to willful neglect that is corrected within 30 days, the total annual limit is now $250,000; and (4) for each violation due to willful neglect that is not corrected within 30 days, the total annual limit remains $1.5 million.

Putting it Into Practice: According to HHS, forty percent (40%) of the cases where HHS has taken enforcement action to date have involved willful neglect that is not corrected, the category for which HHS has retained the $1.5 million annual cumulative CMP limit. While most will focus on the fact that this is a significant number of cases still subject to the maximum penalty of $1.5 million, it is also the case that for over half of cases to date, the maximum penalty level HHS could have imposed per year would have been less had those cases occurred after the Notice. HHS’s changes suggest that covered entities and business associates should do everything they can to ensure that their culpability levels for violations are low. The lower the culpability level of the violator, the lower the maximum penalty HHS will levy.

Copyright © 2021, Sheppard Mullin Richter & Hampton LLP. National Law Review, Volume IX, Number 136

About this Author

Associate

Susan Ingargiola is an associate in the Corporate Practice Group in the firm's New York office.

Areas of Practice

Susan advises healthcare organizations, including hospitals, health systems, insurers, community health centers, health information exchange organizations, pharmaceutical and biotechnology companies, and mobile app developers on health information privacy issues, including compliance with HIPAA and state medical record confidentiality laws, as well as other compliance-related matters. She conducts regulatory diligence in connection with...

212-896-0624
Matthew Shatzkes Attorney New York Sheppard Mullin
Partner

Matthew Shatzkes is a partner in the Corporate Practice Group in the New York office of Sheppard Mullin and is a member of the firm’s healthcare practice team.

Areas of Practice

Matthew provides strategic, regulatory, compliance, and transactional advice to all manner of health care clients, including health systems, hospitals, academic medical centers, long-term care providers, ambulatory surgery centers, diagnostic and treatment centers, physician practices, digital health companies and investors....

212-634-3062