In good news for benefit plan fiduciaries constantly working to keep up with compliance, the Department of Health and Human Services (“HHS”) Office for Civil Rights (OCR) has announced that it is reducing some penalties for HIPAA violations. This includes reducing civil penalties in three of the four possible penalty tiers, each of which has an annual limit. These penalties were first introduced in 2013 final regulations after HHS formally adopted the interim final regulations originally published in 2009 (the “2013 Enforcement Rule”), and the reductions are designed to bring the HIPAA penalty structure in line with the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009.
Four Penalty Tiers and Maximum Penalty
The new penalty structure was published in the Federal Register on April 30, 2019 and is effective immediately and indefinitely. The new penalty tiers, with annual limits set by the recent Notification of Enforcement Discretion, are as follows:
- No knowledge of a HIPAA violation, which has a $100 penalty per violation and a $25,000 annual limit.
- Reasonable cause, where the business should have applied a reasonable amount of due diligence and discovered the error, which carries a $1,000 penalty per violation and a $100,000 annual limit.
- Willful neglect corrected in a timely fashion, which carries a $10,000 penalty per violation and a $250,000 annual limit.
- Willful neglect not corrected in a timely fashion, which carries a $50,000 penalty per violation and a $1.5 million annual limit.
HHS has announced this new penalty structure, which it anticipates adjusting for inflation in the future and plans to apply until further notice. However, HHS also expects that future rulemaking to implement the HITECH Act may result in revisions to the announced penalty structure. Its goal is to comply with both HIPAA’s and HITECH’s provisions while also keeping the penalties for the two in line.
OCR had a strong year in 2018 for enforcement actions, including over $23.5 million in settlements and judgments. This included a settlement with Cottage Health for three million dollars regarding patient data breaches that occurred in 2013 and 2015. Another penalty, for over four million dollars concerning three patient data breaches by MD Anderson, is being appealed. The appeal argues, in part, that the penalty exceeds the statutory cap allowed by HIPAA.
Changes in the regulatory landscape occur regularly, and the team of experienced ERISA attorneys at Hall Benefits Law work to stay on top of each change and determine how it applies to our clients. While no one wants to pay a penalty for an alleged violation, it’s important to understand what HHS looks at regarding HIPAA violations, how it views different potential problems, and which issues are considered most egregious. To learn more about the services we offer, reach out to our team by calling 678-439-6236, or visit the Hall Benefits Law website.
Hall Benefits Law, LLC