
HHS changes penalty limits for HIPAA and HITECH violations
The government is lowering its civil monetary penalties under the HITECH Act.
The U.S. Department of Health and Human Services (HHS) plans to reduce HIPAA and HITECH Act penalties by up to 98 percent.
HHS issued its “
This decision to lower the cumulative annual CMP limit could provide relief to physicians as well as other covered entities, business associates, and subcontractors.
In 2009, Congress enacted the HITECH Act as part of the American Recovery and Reinvestment Act of 2009. One of the key components was its strengthening of HIPAA enforcement by increasing minimum and maximum potential CMPs for HIPAA violations. Specifically, Section 13410(d) of the HITECH Act created four categories of HIPAA violations with corresponding penalty tiers:
- Tier 1 – the person did not know (and, by exercising reasonable diligence, would not have known) that the person violated the provision;
- Tier 2 – the violation was due to reasonable cause and not willful neglect;
- Tier 3 – the violation was due to willful neglect that is timely corrected; and
- Tier 4 – the violation was due to willful neglect that is not timely corrected.
If any of the tier definitions were met, then the Secretary shall impose “a penalty for each such violation of an amount that is at least the amount described in paragraph (3)(A) but not to exceed the amount described in paragraph (3)(D).”
These new changes mean that providers and entities who fall under the purview of HIPAA and the HITECH Act will see greatly reduced annual limits for Tiers 1 – 3. The chart below illustrates the changes under the Enforcement Rule.
It’s worth noting that HHS is required to annually adjust limits for inflation pursuant to the Bipartisan Budget Act of 2015 (
Noncompliance with HIPAA and the HITECH Act can still be costly, but physicians can breathe a bit easier knowing that the annual limits for three tiers of noncompliance have been reduced.
It remains to be seen, though, whether this change will deter compliance, since the monetary risk associated with non-compliance may now be outweighed by the cost of compliance, or whether HHS will issue more penalties because of the lower annual threshold.
Rachel V. Rose, JD, MBA, advises clients on compliance and transactions in healthcare, cybersecurity, corporate and securities law, while representing plaintiffs in False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website,