HHS Changes HITECH Act Penalties for HIPAA Violations
The Department of Health and Human Services has issued a notification of enforcement discretion regarding the civil monetary penalties that are applied when violations of HIPAA Rules are discovered. The HHS has reduced the maximum financial penalty for HIPAA violations in three of the four penalty tiers.
The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 increased the penalties for HIPAA violations. The new penalties were based on the level of knowledge a HIPAA covered entity or business associate had about the violation and whether action was voluntarily taken to correct any violations.
The 1st penalty tier applies when a covered entity or business associate is unaware that HIPAA Rules were violated and, by exercising a reasonable level of due diligence, would not have known that HIPAA was being violated.
The 2nd tier applies when a covered entity knew about the violation or would have known had a reasonable level of due diligence been exercised, but when the violation falls short of willful neglect of HIPAA Rules.
The 3rd penalty tier applies when there was willful neglect of HIPAA Rules, but the covered entity corrected the problem within 30 days.
The 4th tier applies when there was willful neglect of HIPAA Rules and no efforts were made to correct the problem in a timely manner.
The maximum penalty across all four tiers was set at $1.5 million for violations of an identical provision in a single calendar year.
On January 25, 2013, the HHS implemented an interim final rule (IFR) and adopted the new penalty structure, but believed at the time that there were inconsistencies in the language of the HITECH Act with respect to the penalty amounts. The HHS determined at the time that the most logical reading of the law was to apply the same maximum penalty cap of $1,500,000 across all four penalty tiers.
The HHS has now reviewed the language of the HITECH Act and believes a better reading of the requirements of the HITECH Act would be for the annual penalty caps to be different in three of the four tiers to better reflect the level of culpability. The minimum and maximum amounts in each tier will remain unchanged.
New Interpretation of the HITECH ACT’s Penalties for HIPAA Violations
|Penalty Tier||Level of Culpability||Minimum Penalty per Violation||Maximum Penalty per Violation||Old Maximum Annual Penalty||New Maximum Annual Penalty|
|3||Willful Neglect – Corrective Action Taken||$10,000||$50,000||$1,500,000||$250,000|
|4||Willful Neglect – No Corrective Action Taken||$50,000||$50,000||$1,500,000||$1,500,000|
The HHS will publish its notification in the Federal Register on April 30, 2019. The HHS notes that its notification of enforcement discretion creates no legal obligations and no legal rights. Consequently, it is not necessary for it to be reviewed by the Office of Management and Budget.
The new penalty caps will be adopted by the HHS until further notice and will continue to be adjusted annually to account for inflation.
The HHS expects to engage in further rulemaking to review the penalty amounts to better reflect the text of the HITECH Act.