Can Business Associates Be Subject to HIPAA Civil Monetary Penalties?

HIPAA-covered business associates handle tasks ranging from health plan payments and health care operations to data storage and processing. For these businesses, being a business associate means HIPAA rules and their related civil monetary penalties apply when HIPAA data privacy, security, and even breach notification rules are violated.

The Department of Health and Human Services (“HHS”) Office for Civil Rights (OCR) enforces HIPAA compliance, including compliance by business associates. OCR commonly issues penalties when a business associate fails to use protected health information (PHI) correctly, does not observe the minimum security standards, or fails to provide the required notifications when a data breach occurs.

Civil Monetary Penalties

The penalties associated with HIPAA violations are divided into four tiers, each of which describes the level of knowledge the violator had and the maximum associated penalties.

  • Tier 1 – This tier applies when a business associate did not know of the violation and when, in exercising due diligence, the business associate would not have identified the violation. The penalties for this tier range from $100 to $50,000 per violation.
  • Tier 2 – When the violation is due to reasonable cause rather than willful neglect, the penalties range from $1,000 to $50,000 per violation. Total penalties for violations of a single provision are capped at $100,000 per calendar year.
  • Tier 3 – Violations due to willful neglect that are corrected in a timely fashion fall into this tier. These violations result from an intentional failure to comply with the provisions, or a reckless indifference to the business associate’s obligation to comply, but the violation was corrected within 30 days of discovery. The penalties range from $10,000 to $50,000 per violation and are capped at $250,000 per provision in a calendar year.
  • Tier 4 – The most egregious violations are those due to willful neglect that were not corrected in a timely fashion. The minimum penalty is $50,000 per violation, with no maximum per violation and no cap on penalties in a calendar year.

The penalty ranges give OCR discretion to set the exact penalty based on its investigation of the situation, the extent of the violation, and the resulting harm. OCR may resolve a matter without assessing a penalty when corrective action is taken, or with a combination of corrective action and a penalty. While HHS initially adopted a $1.5 million cap for each provision per calendar year, the caps were later reduced by tier, as discussed above, with Tier 4 having no cap. These penalties and caps will be adjusted for inflation in future years.

The experienced, responsive employee benefits attorneys at Hall Benefits Law are here to help plan administrators and business associates stay in compliance with HIPAA to avoid civil monetary penalties. We help plan providers and administrators craft and update documents and procedures to meet current regulations. Learn more about what we do by calling 678-439-6236 or visiting the Hall Benefits Law website.

Hall Benefits Law, LLC

HBL offers employers comprehensive legal guidance on benefits in mergers and acquisitions, Employee Stock Ownership Plans (ESOPs), executive compensation, health and welfare benefits, healthcare reform, and retirement plans. We counsel a wide spectrum of clients including small, mid-sized, and large companies, 401(k) investment advisors, health insurance brokers, accountants, attorneys, and HR consultants, just to name a few. HBL is passionate about advising clients, and we are dedicated to our mission: to provide comprehensive, personalized, and practical ERISA and benefits legal solutions that exceed client expectations.