
OCR Corrects Past Misinterpretation Of HIPAA Annual Penalty Limits, Signaling Potential Relief For Entities Facing Enforcement

On April 26, 2019, the US Department of Health and Human Services (HHS), Office for Civil Rights (OCR) issued a Notification of Enforcement Discretion Regarding HIPAA Civil Money Penalties (the Notice) to inform the public that OCR will exercise its discretion in assessing Civil Money Penalties (CMPs) as set forth by Congress in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act. Current OCR regulations erroneously apply the same cumulative annual CMP limit of $1.5 million across the four categories of violations based on the level of culpability, despite the statute setting four different annual limits. The Notice states that, as a matter of enforcement discretion, OCR will now apply a different cumulative annual CMP limit for each of the four penalties tiers in the HITECH Act, as Congress set forth, and will engage in rulemaking to further address this issue. In this article, we summarize the Notice and analyze its implications for HIPAA-covered entities and business associates.

In Depth

Annual CMP Caps Prior to the Notification of Enforcement Discretion

When enacting the HIPAA administrative simplification provisions, Congress authorized the Secretary of HHS or his designee to impose a maximum CMP of $100 for each violation, subject to a calendar year cap of $25,000 for all violations of an identical requirement or prohibition. In response, OCR issued a HIPAA enforcement final rule on February 16, 2006, which, among other things, incorporated penalties consistent with the $100 per violation cap and $25,000 annual cap under the statute. The HITECH Act, enacted in February 2009, increased the minimum and maximum potential CMPs for HIPAA violations. Specifically, Section 13410(d) of the HITECH Act established four categories for HIPAA violations, with increasing penalty tiers based on the level of culpability associated with the violation:

  1. Person did not know (and, by exercising reasonable diligence, would not have known) that the person violated the provision;

  2. Violation was due to reasonable cause, and not willful neglect;

  3. Violation was due to willful neglect that is timely corrected; and

  4. Violation was due to willful neglect that is not timely corrected.

The penalty amounts under the HITECH Act corresponding to each culpability level or violation type above are as follows:

  1. $100 per violation, with a cap of $25,000 on violations of an identical requirement or prohibition during a calendar year (42 U.S.C. 1320d-5(a)(3)(A));

  2. $1,000 per violation, with a cap of $100,000 on violations of an identical requirement or prohibition during a calendar year (42 U.S.C. 1320d-5(a)(3)(B));

  3. $10,000 per violation, with a cap of $250,000 on violations of an identical requirement or prohibition during a calendar year (42 U.S.C. 1320d-5(a)(3)(C)); and

  4. $50,000 per violation, with a cap of $1,500,000 on violations of an identical requirement or prohibition during a calendar year (42 U.S.C. 1320d-5(a)(3)(D)).

Given that OCR has chosen to assess ongoing or repeated HIPAA violations (e.g., failure to conduct an accurate and thorough risk analysis) as one violation per day (365 days per year), these calendar year caps are highly relevant restrictions.

On October 30, 2009, OCR issued an interim final rule (IFR) to implement the enhanced penalty provisions of the HITECH Act. At the time, OCR took the view that the HITECH Act’s penalty provisions were “conflicting” because they referenced two levels of penalties for three of the four violation types. Despite the fact that the HITECH Act provided four different annual penalty caps, the IFR concluded that “the most logical reading” of the law was to apply the highest annual cap of $1.5 million to all violation types, stating that this was “consistent with Congress’ intent to strengthen enforcement.”

On January 25, 2013, OCR adopted the text of the IFR as a final rule (Enforcement Rule) without change to the penalty tiers and annual limits. OCR noted in the preamble that, “[i]n adopting the HITECH Act’s penalty scheme, the Department recognized that section 13410(d) contained apparently inconsistent language (i.e., its reference to two penalty tiers ‘for each violation,’ each of which provided a penalty amount ‘for all such violations’ of an identical requirement or prohibition in a calendar year). To resolve this inconsistency, with the exception of violations due to willful neglect that are not timely corrected, the IFR adopted a range of penalty amounts between the minimum given in one tier and the maximum given in the second tier for each violation and adopted the amount of $1.5 million as the limit for all violations of an identical provision of the HIPAA rules in a calendar year.” See 78 FR 5566, 5582 (Jan. 25, 2013).

Commenters responded to the Enforcement Rule by expressing concern about the $1.5 million cap for all penalty tiers, arguing that because the outside limits were the same for all culpability categories, the Enforcement Rule “ignored the outside limits set forth by the HITECH Act within the lower penalty tiers, rendering those limits meaningless.” 78 FR at 5583. In responding to these comments, OCR stated that it continued to believe “that the penalty amounts are appropriate and reflect the most logical reading of the HITECH Act, which provides the Secretary with discretion to impose penalties for each category of culpability up to the maximum amount described in the highest penalty tier.” Id. As a result, the Enforcement Rule applies an annual upper limit of $1.5 million for each of the four culpability tiers, as shown below:

Changes under the Notification of Enforcement Discretion

As set forth in the Notice, upon further review of the statute by the HHS Office of the General Counsel, OCR has determined that the better reading of the HITECH Act is to apply the annual limits as follows, as they are set forth in the statute itself:

OCR has announced that it will use this penalty tier structure, as adjusted for inflation, until further notice. OCR expects to engage in future rulemaking to revise the penalty tiers in the current regulation to “better reflect the text of the HITECH Act.” Among other things, the rulemaking may clarify how OCR will reconcile the discrepancy in the first tier between the new $25,000 annual limit for identical violations and the $50,000 maximum penalty per violation for that same tier, given that the annual limit is only half of the per-violation maximum.

Analysis

Since the passage of the Enforcement Rule, we have seen numerous multi-million dollar settlements and CMPs imposed for alleged HIPAA violations. For example, in 2016, an Illinois health care system agreed to pay $5.55 million to settle allegations that it violated HIPAA. At the time, the settlement was the biggest CMP involving a single entity. At the end of 2018, a major health insurance payor agreed to pay $16 million to settle alleged HIPAA violations.

OCR’s revised enforcement approach may mean lower penalties for Covered Entities and Business Associates that have taken measures to comply with HIPAA. Because OCR’s budget for enforcement is derived from its recoveries, the lower penalties may also mean that OCR has fewer resources to pursue claims against Covered Entities and Business Associates.

This correction is likely to be particularly galling for entities that have been assessed CMPs for HIPAA violations in the past. For example, a children’s hospital in Texas was assessed a $3,217,000 HIPAA penalty in 2017 based entirely on “Tier II” (i.e., reasonable cause level) violations, of which $2,410,000 (75%) was directly attributable to OCR’s prior misinterpretation of the HITECH Act. Now, OCR would impose just over $800,000 in penalties on the very same factual findings and legal conclusions.

The same is true to a large extent for many of the nearly 60 entities that have settled alleged HIPAA violation findings with OCR to avoid the imposition of CMPs. Each time we have negotiated such a settlement with OCR, OCR has used the prior (erroneous) version of the CMP caps to threaten excessive penalties against our clients if settlement could not be reached. We have argued this very issue of statutory fidelity (and void contrary regulations) to OCR each time, but it fell on deaf ears, with OCR stating that it is required to follow its own regulations.

Markedly, the Notice comes on the heels of two actions that were recently filed by University of Texas MD Anderson Cancer Center against OCR: (1) a petition in the US Court of Appeals for the Fifth Circuit for review of the HHS Departmental Appeals Board Decision to impose CMPs on MD Anderson, and (2) a complaint for declaratory and injunctive relief filed in the US District Court for the Southern District of Texas. In 2018, MD Anderson experienced a breach involving the electronic protected health information of 34,883 patients. OCR subsequently investigated and alleged MD Anderson violated HIPAA and its implementing regulations by failing to use encryption, imposing a $4.348 million penalty for the alleged violations. MD Anderson is arguing that the penalty exceeds the maximum CMP for a HIPAA violation under the reasonable cause penalty tier, and further, that the penalty is in breach of the Eighth Amendment to the United States Constitution.

At an International Association of Privacy Professionals Global Privacy Summit session last week, Timothy Noonan, OCR’s Acting Deputy Director for Health Information Privacy, explained that OCR issued the Notice as a result of HHS’ department-wide regulatory reform efforts that involve the reexamination of each HHS agency’s activities in light of its respective statutory authorities.

It remains to be seen whether OCR will adjust its approach to pursuing enforcement actions or negotiating settlements in order to maximize its collections under the corrected penalty tier structure. For instance, OCR could prioritize cases involving alleged violations that fall within the “willful neglect—not corrected” level of culpability, for which the annual cap for identical violations remains $1.5 million. It is further possible that going forward, OCR will resolve a larger percentage of its investigations through enforcement actions as opposed to providing technical assistance or taking other corrective actions that do not involve monetary payments by covered entities or business associates. In addition, OCR may begin demanding monetary settlement amounts that reflect higher percentages of the maximum potential CMPs that can be assessed against entities.

It will also be interesting to see whether OCR makes any effort to make this correction retroactive—but we are not holding our breath. We will continue to monitor further updates regarding OCR’s new, corrected interpretation of the HITECH Act and annual CMP limits, including further rulemaking on this topic.

© 2019 McDermott Will & Emery

About this Author

Edward G. Zacharias, Associate

Edward G. Zacharias is an associate in the law firm of McDermott Will & Emery LLP and is based in the Firm’s Boston office. Edward provides regulatory and transactional representation to health systems, academic medical centers, physician group practices, HMOs, faculty practice plans, nursing facilities and a variety of other health care clients. He represents clients in connection with acquisitions, joint ventures, strategic affiliations, conversions to tax exempt status, HIPAA compliance, fraud and abuse and Stark, reimbursement,...

David Quinn Gacioch, Partner

David Quinn Gacioch is a partner in the law firm of McDermott Will & Emery LLP and is based in the Firm's Boston office. He focuses his practice in the areas of white-collar criminal defense and government investigations. Dave also has significant experience in product liability defense, general commercial litigation/arbitration, and appeals.

Deepali Doddi, Associate

Deepali Doddi concentrates her practice on data privacy and cybersecurity matters. She regularly advises clients across a broad spectrum of industries on issues arising under domestic data security and privacy laws and regulations, including COPPA, CAN-SPAM, TCPA, GLBA, the FTC Act, CalOPPA, DFARS cybersecurity requirements and breach notification laws. Additionally, she helps clients navigate international data privacy matters, such as certifying to the EU-US Privacy Shield Framework, selecting appropriate cross-border data transfer mechanisms and...

Drew McCormick, Associate

Drew Elizabeth McCormick maintains a general health industry and regulatory practice.

Drew advises health care clients on a wide variety of health care regulatory issues, including Medicare and Medicaid regulations, the Federal Anti-Kickback Statute, Ethics in Patient Referral Law, False Claims Act and Health Insurance Portability and Accountability Act (HIPAA), as well as state fraud and abuse laws, privacy laws, licensure regulation, research regulation, and health care compliance matters. Drew also has experience counseling clients who are...

Amy C. Pimentel, Associate

Amy Pimentel is an associate in the law firm of McDermott Will & Emery LLP and is based in the Firm’s Boston office. Amy is a member of the Firm’s Global Privacy and Data Protection Affinity Group. She focuses her practice on consumer protection, privacy, information security and international law.

Amy received her J.D. in 2014 from Northeastern University School of Law. While in law school, Amy worked at the U.S. Department of Justice in the Office of International Affairs and interned for a judge at the International Criminal Tribunal...