HHS to Base HIPAA Fines on Culpability

The Department of Health and Human Services (HHS) in late April issued a notice of enforcement discretion regarding fines for violations of HIPAA (Health Insurance Portability and Accountability Act) and its privacy, security and breach rules.

hhs-resets-hipaa-finesThe fine structure was established in 2009 with a piece of legislation titled  the Health Information Technology for Economic and Clinical Health (HITECH) Act, which capped penalties for a single company at $1.5 million a year.

HHS, however, has concluded that HITECH contains “apparently inconsistent language,” leading to confusion over how much a company can be fined in a year for a continuing violation.

Thus, HHS announced, “As a matter of enforcement discretion, and pending further rulemaking, HHS will apply a different cumulative annual CMP [Civil Monetary Penalty] limit for each of the four penalties tiers in the HITECH Act.”

Further, as a result of a review by the HHS Office of General Counsel, “HHS has determined that the better reading of the HITECH Act is to apply annual limits” based on the level of culpability.

Accordingly, the four tiers and their maximum penalties now look like this:

  • Tier 1: $100-$500 per violation, capped at $25,000 per year the issue persisted.
  • Tier 2: $1,000-$50,000 per violation, capped at $100,000 per year the issue persisted
  • Tier 3: $10,000-$50,000 per violation, capped at $250,000 per year the issue persisted
  • Tier 4: $50,000 per violation, capped at $1.5 million per year the issue persisted

The tiers rise in severity based upon “culpability” — from an organization that is unaware of the violation to one that demonstrates “willful neglect.”

HIPAA rules apply to any group health plan sponsored by any employer. In particular, plan administrators, health care providers, insurance companies, and their business associates are liable.

In 2018, HHS collected an all-time high of $28.7 million in fines from HIPAA enforcement actions. This beats the previous record of $23.5 million which HHS levied in 2006. ο


NOTE: The details in this blog are provided for informational purposes only. All answers are general in nature and do not constitute legal advice. If legal advice or other expert assistance is required, the services of a competent professional should be sought. The author specifically disclaims any and all liability arising directly or indirectly from the reliance on or use of this blog.
You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

Leave a Reply

Your email address will not be published. Required fields are marked *

* Copy This Password *

* Type Or Paste Password Here *

Leave a Reply

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

Comments (required)*