September 15, 2019

September 13, 2019

HIPAA Penalties Change Under HHS Notice of Enforcement Discretion

When the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 became law, it made significant changes to the civil monetary penalties for violations of HIPAA. In addition to increasing the amounts of the penalties, HITECH created a tiered approach to penalties, establishing four categories based on levels of culpability. In addition, current HHS regulations apply the same cumulative annual penalty limit across these four categories. Today, the Department of Health and Human Services (HHS) issued a notification of enforcement discretion changing its interpretation of HITECH resulting in a reduction in the amount of the cumulative annual penalty limit for three of the four categories.

What Are The Four Categories Again?

Section 13410(d) of the HITECH Act established four categories for HIPAA violations:

  1. No knowledge. The person did not know (and, by exercising reasonable diligence, would not have known) that the person violated the provision;
  2. Reasonable Cause. The violation was due to reasonable cause, and not willful neglect;
  3. Willful Neglect – Corrected. The violation was due to willful neglect that is timely corrected (30 days); and
  4. Willful Neglect – Not Corrected. The violation was due to willful neglect that is not timely corrected.

What Is the Range of Penalties?

Prior to this guidance, the range of penalties for the four categories above was as follows:

| Category                        | Minimum Penalty | Maximum Penalty | Annual Limit |
|---------------------------------|-----------------|-----------------|--------------|
| No Knowledge                    | $100            | $50,000         | $1,500,000   |
| Reasonable Cause                | $1,000          | $50,000         | $1,500,000   |
| Willful Neglect – Corrected     | $10,000         | $50,000         | $1,500,000   |
| Willful Neglect – Not Corrected | $50,000         | $50,000         | $1,500,000   |

Commenters noted to HHS that the above structure was not consistent with HITECH’s tiered approach to penalties, that is, establishing categories based on culpability, because the annual limit was the same for all levels of culpability. Upon further review by HHS’ Office of the General Counsel, HHS has determined that the better reading of HITECH is to apply the annual limits shown below.

| Category                        | Minimum Penalty | Maximum Penalty | Annual Limit |
|---------------------------------|-----------------|-----------------|--------------|
| No Knowledge                    | $100            | $50,000         | $25,000      |
| Reasonable Cause                | $1,000          | $50,000         | $100,000     |
| Willful Neglect – Corrected     | $10,000         | $50,000         | $250,000     |
| Willful Neglect – Not Corrected | $50,000         | $50,000         | $1,500,000   |

According to the guidance, while HHS expects to engage in future rulemaking to revise the penalty tiers in the current regulation to better reflect the text of HITECH, these changes are effective until further notice.

Jackson Lewis P.C. © 2019

About this Author

Principal

Joseph J. Lazzarotti is a Principal in the Morristown, New Jersey, office of Jackson Lewis P.C. He founded and currently helps to co-lead the firm's Privacy, e-Communication and Data Security Practice, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP) with the International Association of Privacy Professionals.

In short, his practice focuses on the matrix of laws governing the privacy, security and management of data, as well as the impact and regulation of social media. He also...

973- 538-6890