May 21, 2019


May 20, 2019


HHS Reduces Penalties for HIPAA Violations; Distinguishes Based on Culpability

The U.S. Department of Health and Human Services recently published a Notice of Enforcement Discretion that markedly reduced HIPAA-related penalties. According to the Notice, effective immediately, HHS will change how it applies regulations concerning the assessment of Civil Money Penalties (CMPs) under HIPAA. Prior to issuance of the Notice, HHS regulations applied the same $1.5 million cumulative annual CMP limit across all categories of violations (which are based on the level of culpability of the violator). In other words, if a company found itself in violation of HIPAA, the penalties for which it would be responsible could be no more than $1.5 million per year regardless of the category of violation and regardless of the number of violations the company had committed.

Now, as a result of the Notice, the cumulative annual CMP limit is different depending on the category of violation (and, by extension, the level of culpability of the violator): (1) for each violation where the covered entity or business associate did not know and, by exercising reasonable diligence, would not have known that the covered entity or business associate violated HIPAA, the total annual limit is now $25,000; (2) for each violation due to reasonable cause and not to willful neglect, the total annual limit is now $100,000 per year; (3) for each violation due to willful neglect that is corrected within 30 days, the total annual limit is now $250,000; and (4) for each violation due to willful neglect that is not corrected within 30 days, the total annual limit remains $1.5 million.

Putting it Into Practice: According to HHS, forty percent (40%) of the cases where HHS has taken enforcement action to date have involved willful neglect that is not corrected, the category for which HHS has retained the $1.5 million annual cumulative CMP limit. While most will focus on the fact that this is a significant number of cases still subject to the maximum penalty of $1.5 million, it is also the case that for over half of cases to date, the maximum penalty level HHS could have imposed per year would have been less had those cases occurred after the Notice. HHS’s changes suggest that covered entities and business associates should do everything they can to ensure that their culpability levels for violations are low. The lower the culpability level of the violator, the lower the maximum penalty HHS will levy.

Copyright © 2019, Sheppard Mullin Richter & Hampton LLP.



About this Author

Associate

Susan Ingargiola is an associate in the Corporate Practice Group in the firm's New York office.

Areas of Practice

Susan advises healthcare organizations, including hospitals, health systems, insurers, community health centers, health information exchange organizations, pharmaceutical and biotechnology companies, and mobile app developers on health information privacy issues, including compliance with HIPAA and state medical record confidentiality laws, as well as other compliance-related matters. She conducts regulatory diligence in connection with...

212-896-0624
Matthew Shatzkes Attorney New York Sheppard Mullin
Associate

Matthew Shatzkes is an associate in the Corporate Practice Group in the New York office of Sheppard Mullin and is a member of the firm’s healthcare practice team.

Matthew Shatzkes advises healthcare entities and not-for-profit corporations on a wide range of business, regulatory and transactional matters. Mr. Shatzkes advises clients on issues relating to entity formation, governance, corporate transactions (mergers, asset sales, dissolutions), and compliance with various federal and state laws, including regulatory compliance matters. Mr. Shatzkes's clients include hospitals, academic medical centers, management companies, physician practices, and other healthcare entities and not-for-profit corporations in the healthcare industry. 

Prior to entering into private practice, Mr. Shatzkes worked as a judicial fellow for the Honorable Roger N. Rosengarten at the New York Supreme Court, Queens County. By beginning his career as a litigator, Mr. Shatzkes also has experience in representing clients in business and commercial disputes involving, among others, fiduciary obligations and breach of contract claims.

Education

  • St. John's University School of Law, 2011, cum laude, Associate Managing Editor, Journal of Civil Rights and Economic Development
  • Brooklyn College, 2008, magna cum laude
212-634-3062