The Department of Health and Human Services (HHS) in late April issued a notice of enforcement discretion regarding fines for violations of HIPAA (Health Insurance Portability and Accountability Act) and its privacy, security and breach rules.

The fine structure was established in 2009 with a piece of legislation titled the Health Information Technology for Economic and Clinical Health (HITECH) Act, which capped penalties for a single company at $1.5 million a year.

HHS, however, has concluded that HITECH contains “apparently inconsistent language,” leading to confusion over how much a company can be fined in a year for a continuing violation.

Thus, HHS announced, “As a matter of enforcement discretion, and pending further rulemaking, HHS will apply a different cumulative annual CMP [Civil Monetary Penalty] limit for each of the four penalties tiers in the HITECH Act.”

Further, as a result of a review by the HHS Office of General Counsel, “HHS has determined that the better reading of the HITECH Act is to apply annual limits” based on the level of culpability.

Accordingly, the four tiers and their maximum penalties now look like this:

  • Tier 1: $100-$500 per violation, capped at $25,000 per year the issue persisted.
  • Tier 2: $1,000-$50,000 per violation, capped at $100,000 per year the issue persisted.
  • Tier 3: $10,000-$50,000 per violation, capped at $250,000 per year the issue persisted.
  • Tier 4: $50,000 per violation, capped at $1.5 million per year the issue persisted.

The tiers rise in severity based upon “culpability” — from an organization that is unaware of the violation to one that demonstrates “willful neglect.”

HIPAA rules apply to any group health plan sponsored by any employer. In particular, plan administrators, health care providers, insurance companies, and their business associates are liable.

In 2018, HHS collected an all-time high of $28.7 million in fines from HIPAA enforcement actions. This beats the previous record of $23.5 million, which HHS levied in 2006.