November 12, 2019

HHS’s Enforcement Discretion Notice May Signal More Potential Violations

The HHS Office for Civil Rights (“OCR”) issued a notice in the Federal Register regarding its Enforcement Discretion (84 Fed. Reg. 18151) on April 30, 2019.

HHS announced that it will now apply a different cumulative annual Civil Money Penalties (CMPs) limit to each of the four categories of HIPAA violations, based on the level of culpability. As indicated in the table below, currently, and pursuant to its administrative rulemaking after passage of the HITECH Act, HHS applies the same cumulative annual CMP limit of $1.5 million to all four tiers.

| Four Culpability Tiers for HIPAA Violations (HITECH Act) | Minimum Penalty / Violation | Maximum Penalty / Violation | Cumulative Annual Limit: Current HHS Regulation | Cumulative Annual Limit: Notification of Enforcement Discretion |
|---|---|---|---|---|
| (1) The person did not know (and, by exercising reasonable diligence, would not have known) that the person violated the provision | $100 | $50,000 | $1,500,000 | $25,000 |
| (2) The violation was due to reasonable cause and not willful neglect | $1,000 | $50,000 | $1,500,000 | $100,000 |
| (3) The violation was due to willful neglect that is timely corrected | $10,000 | $50,000 | $1,500,000 | $250,000 |
| (4) The violation was due to willful neglect that is not timely corrected | $50,000 | $50,000 | $1,500,000 | $1,500,000 |

It is important to note that OCR indicated in this year’s budget request that it needed fewer appropriated funds for the HIPAA enforcement program, given its enforcement recoveries. So, she notes, if OCR were to collect fewer of those recoveries in the future as a result of this exercise of Enforcement Discretion, that may affect its ability to enforce HIPAA, including with regard to enforcement priorities such as individuals’ access to their own information, and it may affect individuals who would otherwise recover part of such settlements or fines as provided by the HITECH Act. On the other hand, if the amounts for each violation are lower, it is conceivable that OCR will simply include more potential violations for enforcement in any particular settlement or CMP case.

HHS expects to promulgate a new rule to revise the current penalty tiers; however, this effort is not currently included on the Secretary’s rulemaking calendar. Given the Trump administration’s effort to limit sub-regulatory guidance in favor of reducing burdens through rulemaking, it is not only surprising that this guidance was issued instead of a rulemaking; it is also not clear when such a rulemaking effort will take place.


© Polsinelli PC, Polsinelli LLP in California


About this Author

Iliana L. Peters, Healthcare, Privacy Lawyer, Polsinelli Law Firm

Iliana L. Peters believes good data privacy and security is fundamental to ensuring patients’ trust in the health care system, and to helping health care clients succeed in an ever-changing landscape of threats to data security. She is recognized by the health care industry as a preeminent thinker and speaker on data privacy and security, particularly with regard to HIPAA, the HITECH Act, the 21st Century Cures Act, the Genetic Information Nondiscrimination Act (GINA), the Privacy Act, and emerging cyber threats to health data.

For over a decade, she both...


Lidia Niecko-Najjum helps clients solve problems through pragmatic and business-focused client counseling and advising. With 10 years of cumulative experience in nursing, policy, and law, her practice focuses on health care regulatory, coverage and payment, compliance, transaction, and policy matters.

Martin T. McElligott, Privacy and Cybersecurity Lawyer, Polsinelli Law Firm

Martin advises publicly traded and private sector clients with respect to a variety of privacy and data security matters. He has assisted clients in preparing for and responding to data security breaches, and in sending required notifications to affected individuals, the U.S. Department of Health and Human Services, and states’ Offices of Attorney General. His knowledge and understanding of the laws impacting data collection and governance help him protect his clients’ assets. Martin also counsels clients in the management of privacy risks associated with maintaining and transferring information,...