The Department of Health and Human Services (HHS) recently issued a Notification of Enforcement Discretion to announce a change in its application of the regulations governing Civil Money Penalties of the Health Insurance Portability and Accountability Act (HIPAA). Employers and other HIPAA-covered entities will likely welcome the change.
Catching up with HITECH
In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act established four categories of violations — and corresponding penalty tiers — that reflect increasing culpability. In interim final regulations, the HHS set minimum and maximum penalty amounts for violations in each tier.
Interpreting statutory language that appeared to create conflicting dollar limits for violations of an identical provision during a calendar year, the HHS adopted the higher limit of $1.5 million for all four penalty tiers. The agency justified this interpretation as the “most logical” reading of the HITECH Act and consistent with Congress’s intent to strengthen enforcement by increasing penalties.
In its 2013 omnibus regulations, the HHS adopted the interim final regulations without changing the penalty tiers or calendar-year limits, again characterizing this approach as the “most logical” reading of the HITECH Act.
Reconsidering the rules
The recently issued notification indicates that the HHS’s Office of the General Counsel has undertaken “further review” of the statute and determined that the “better reading” of the HITECH Act is to apply the separate calendar-year limits specified for each penalty tier. Under the new interpretation, the dollar caps for violations of identical provisions in a calendar year will be reduced from $1.5 million to the following dollar amounts in the first three tiers:
- Tier 1: Person didn’t know (and, exercising reasonable diligence, wouldn’t have known) of a violation: $25,000,
- Tier 2: Violation was attributable to reasonable cause and not willful neglect: $100,000, and
- Tier 3: Violation was due to willful neglect and was timely corrected: $250,000.
For a Tier 4 violation, which involves willful neglect that wasn’t corrected, the $1.5 million cap remains unchanged. The notification’s penalty structure will be in effect until further notice, subject to annual inflation adjustments. The HHS expects future rulemaking to codify the revised penalties.
Besides reducing penalties directly, the lower limits should put downward pressure on settlement amounts, since penalty caps reduce the negotiating leverage of the Office for Civil Rights (OCR). This change is somewhat surprising, given that the OCR recently boasted that it had collected an “all-time” record $28.7 million from enforcement activity in 2018 — a number that would have been significantly lower under this revised interpretation.
For example, a $4.3 million penalty announced in June 2018 for breach of unencrypted protected health information included $3 million in penalties for 2012 and 2013. This amount would be capped at $200,000 under the new policy.
Easing the pressure
Complying with HIPAA remains of critical importance for any employer subject to it. But these reduced penalty amounts should ease the pressure of making an occasional, inadvertent slipup.