HHS Makes Changes to HIPAA Civil Monetary Penalty Caps

The U.S. Department of Health and Human Services (HHS) has issued a notification that it is changing the way it assesses Civil Money Penalties (CMPs) against those who violate the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act.

Until now, HHS applied the same cumulative annual CMP limit across four categories (or tiers) of violations based on the level of culpability. Effective immediately, HHS will apply a different cumulative annual CMP limit for each of the four penalty tiers in the HITECH Act.

The new penalty tiers are as follows:

No knowledge: Minimum penalty $100; maximum penalty $50,000; annual limit $25,000

Reasonable cause: Minimum penalty $1,000; maximum penalty $50,000; annual limit $100,000

Willful neglect – corrected: Minimum penalty $10,000; maximum penalty $50,000; annual limit $250,000

Willful neglect – not corrected: Minimum penalty $50,000; maximum penalty $50,000; annual limit $1.5 million.

Previously, the annual limit for all four tiers was $1.5 million.

HHS noted that the changes are the result of concerns that the penalties were inconsistent with the HITECH Act’s creation of different tiers based on culpability “because the outside limits were the same for all culpability categories and this ignored the outside limits set forth by the HITECH Act within the lower penalty tiers, rendering those limits meaningless.”

HHS said that upon further review, it determined that the annual limits should be changed to better reflect culpability and that the new tier structure will be used until further notice. HHS indicated that it expects to engage in future rulemaking to review the penalty tiers to better reflect the text of the HITECH Act.

Last year, HHS saw an all-time record year in HIPAA enforcement activity with ten cases settled and one judgement secured, totaling $28.7 million. The figure surpassed the previous record of $23.5 million set in 2016.

The change gives those with a strong privacy and security compliance program in place a distinct advantage. Practices and covered entities should have a compliance officer on their team who has thorough knowledge of HIPAA rules and can conduct employee training, as well as internal monitoring and auditing of the compliance program. You need someone who can quickly respond to a breach and immediately take corrective action. As evidenced by HHS’ new interpretation, this can result in a significant penalty reduction should a HIPAA violation occur.

The Health Law Offices of Anthony C. Vitale’s highly skilled team of experienced legal professionals can help you to create a HIPAA Privacy and Security compliance program designed to meet your unique needs. Give us a call at 305-358-4500 or send an email to info@vitalehealthlaw.com and let’s discuss how we might be able to assist you.
