HHS Lowering Cumulative Annual Civil Money Penalties It Will Apply Under HIPAA and HITECH Acts

Bruce Armon
Saul Ewing LLP
Contact
LinkedIn
Facebook
X
Send
Embed

Saul Ewing Arnstein & Lehr LLP

On April 26, 2019, the U.S. Department of Health and Human Services (“HHS”) published an Enforcement Discretion letter announcing it is meaningfully lowering the cumulative annual civil money penalties (“CMPs”) it will apply under HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act.  This is a significant policy change and perhaps somewhat ironic given that the HHS Office for Civil Rights (“OCR”) collected a record of almost $29 million from HIPAA enforcement actions in 2018.   The previous calendar year high was $23.5M in 2016.  The Enforcement Discretion letter is scheduled to be published in the April 30, 2019 edition of the Federal Register.

The HITECH Act established four categories for HIPAA violations:   (i) the person did not know he or she violated the provision; (ii) the violation was due to reasonable cause and not willful neglect; (iii) the violation was due to willful neglect that is timely corrected; and (iv) the violation was due to willful neglect that is not timely corrected.

The HIPAA penalty tiers immediately prior to the issuance of the Enforcement Discretion letter were as follows:

https://jdsupra-html-images.s3-us-west-1.amazonaws.com/e2f114a6-aeae-46ce-85a7-360761f9b4b1-Health Care_042919_chart1.png

HHS provided a substantive background section relating to the statutory and regulatory history of the HIPAA penalties in the Enforcement Discretion letter and HHS concluded it should modify the current $1.5M annual limit for each penalty tier and the maximum penalty an organization could be fined per year for a violation that persisted.  The revised annual penalty tiers now correspond to the alleged culpability, e.g., willful neglect that is not corrected has a much higher annual limit ($1.5M) than a party who has no knowledge that it violated a HIPAA provision ($25,000).     
The NEW HIPAA penalty tiers are as follows:

https://jdsupra-html-images.s3-us-west-1.amazonaws.com/e2f114a6-aeae-46ce-85a7-360761f9b4b1-Health Care_042919_chart2.png

HHS announced it will use this modified penalty tier structure, adjusted for inflation, until further notice.   HHS did state it expects to engage in future rulemaking to revise the penalty tiers in the current regulations to "better reflect" the HITECH Act.

Even with these reduced annual aggregate penalty tiers, HIPAA compliance remains an important (and expensive) challenge to which covered entities and business associates must give proper attention.  

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Saul Ewing LLP | Attorney Advertising

Written by:

Saul Ewing LLP
Saul Ewing LLP
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Saul Ewing LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide