HHS Reduces Potential HIPAA Penalties
April 30, 2019 | Eric D. Fader | Cybersecurity | Electronic Health Records | HIPAA
The U.S. Department of Health and Human Services (HHS) has revised the potential monetary penalties that may be imposed on healthcare providers, health plans and business associates for HIPAA violations. HHS’s notice of enforcement discretion, issued on April 26, reduces the maximum annual penalty for less-severe violations from $1.5 million to as low as $25,000.
The 2013 HIPAA “Omnibus Final Rule” created four tiers of possible penalties for HIPAA violations based on level of culpability, ranging from violations of which the entity had no knowledge to violations due to willful neglect that were not corrected in a timely manner. Minimum penalties per violation ranged from $100 to $50,000 depending on the tier, but HHS set the same maximum for all four tiers: $50,000 per violation and $1,500,000 per year. HHS’s new notice reduces the annual limit to $25,000 when the entity had no knowledge of the violation, $100,000 when the violation was due to “reasonable cause,” and $250,000 when there was willful neglect but the violation was corrected in a timely manner. In the case of willful neglect without timely correction, the maximum penalty remains $1,500,000 for each year in which the violation persisted.
In practice, the HHS Office for Civil Rights, which enforces HIPAA, has always had broad discretion to set financial penalties based on the perceived severity of the original violation, the promptness and effectiveness of the steps taken to correct it, and the number of people affected, among other factors. The new notice confirms and emphasizes that healthcare entities that were unaware of violations and work quickly to mitigate them once discovered will face smaller maximum penalties than organizations found to have been neglectful.
HHS said it expects to engage in future rulemaking to further revise the penalty tiers in the current regulation.