HHS Reduces Certain HIPAA Penalties

In good news for benefit plan fiduciaries constantly working to keep up with compliance, the Department of Health and Human Services (“HHS”) Office for Civil Rights (OCR) has announced that it is reducing some penalties for HIPAA violations. This includes reducing civil penalties in three of the four possible penalty tiers, each of which has an annual limit. These penalties were first introduced in the 2013 final regulations, after HHS formally adopted the interim final regulations originally published in 2009 (the “2013 Enforcement Rule”), and the reductions are designed to bring the HIPAA penalty structure in line with the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009.

Four Penalty Tiers and Maximum Penalty

The new penalty structure was published in the Federal Register on April 30, 2019 and is effective immediately and indefinitely. The new penalty tiers, with the annual limits set by the recent Notification of Enforcement Discretion, are as follows:

  • No knowledge of a HIPAA violation, which has a $100 penalty per violation and a $25,000 annual limit.
  • Reasonable cause, where the business should have applied a reasonable amount of due diligence and discovered the error, which carries a $1,000 penalty per violation and a $100,000 annual limit.
  • Willful neglect corrected in a timely fashion, which carries a $10,000 penalty per violation and a $250,000 annual limit.
  • Willful neglect not corrected in a timely fashion, which carries a $50,000 penalty per violation and a $1.5 million annual limit.

HHS has announced this new penalty structure, which it anticipates adjusting for inflation in the future and plans to apply until further notice. However, HHS also expects that future rulemaking to implement the HITECH Act may result in revisions to the announced penalty structure. Its goal is to comply with the provisions of both HIPAA and HITECH while keeping the penalties for the two in line.

The OCR had a strong year in 2018 for enforcement actions, with over $23.5 million in settlements and judgments. This included a $3 million settlement with Cottage Health regarding patient data breaches that occurred in 2013 and 2015. Another penalty, of over $4 million, concerning three patient data breaches by MD Anderson, is being appealed. The appeal argues, in part, that the penalty exceeds the statutory cap allowed by HIPAA.

Changes in the regulatory landscape occur regularly, and the team of experienced ERISA attorneys at Hall Benefits Law works to stay on top of each change and determine how it applies to our clients. While no one wants to pay a penalty for an alleged violation, it’s important to understand what HHS looks at when assessing HIPAA violations, how it views different potential problems, and which issues are considered most egregious. To learn more about the services we offer, reach out to our team by calling 678-439-6236, or visit the Hall Benefits Law website.

Hall Benefits Law, LLC

HBL offers employers comprehensive legal guidance on benefits in mergers and acquisitions, Employee Stock Ownership Plans (ESOPs), executive compensation, health and welfare benefits, healthcare reform, and retirement plans. We counsel a wide spectrum of clients including small, mid-sized, and large companies, 401(k) investment advisors, health insurance brokers, accountants, attorneys, and HR consultants, just to name a few. HBL is passionate about advising clients, and we are dedicated to our mission: to provide comprehensive, personalized, and practical ERISA and benefits legal solutions that exceed client expectations.