When the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 became law, it made significant changes to the civil monetary penalties for violations of HIPAA. In addition to increasing the amounts of the penalties, HITECH created a tiered approach to penalties, establishing four categories based on levels of culpability. In addition, current HHS regulations apply the same cumulative annual penalty limit across these four categories. Today, the Department of Health and Human Services (HHS) issued a notification of enforcement discretion changing its interpretation of HITECH resulting in a reduction in the amount of the cumulative annual penalty limit for three of the four categories.

What Are The Four Categories Again?

Section 13410(d) of the HITECH Act established four categories for HIPAA violations:

1. No knowledge. The person did not know (and, by exercising reasonable diligence, would not have known) that the person violated the provision;
2. Reasonable Cause. The violation was due to reasonable cause, and not willful neglect;
3. Willful Neglect – Corrected. The violation was due to willful neglect that is timely corrected (30 days); and
4. Willful Neglect – Not Corrected. The violation was due to willful neglect that is not timely corrected.

What Are The Range of Penalties?

Prior to this guidance, the range of penalties for the four categories above were as follows:

Commenters noted to HHS that above structure was not consistent with HITECH’s tiered approach to penalties; that is, establishing categories based on culpability. This is because the annual limits were the same for all levels of culpability. Upon further review by HHS’ Office of the General Counsel, HHS has determined that the better reading of HITECH is to apply annual limits as shown below.

According to the guidance, while HHS expects to engage in future rulemaking to revise the penalty tiers in the current regulation to better reflect the text of HITECH, these changes are effective until further notice.