The Department of Health and Humans Services has issued a notification of enforcement discretion in which they have reduced the maximum financial penalty for three of the four HIPAA violation tiers.
The notification, entitled ‘Notification of Enforcement Discretion Regarding HIPAA Civil Money Penalties’, was published on April 20th.
In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act increased the penalties for HIPAA violations from their original values.
The penalties were divided into tiers based on how much a HIPAA covered entity (CE) or their business associate (BA) knew about the violation and if the entity took any corrective action in response.
The tiers are as follows:
Tier 1: A violation that the CE was unaware of and could not have realistically avoided, had a reasonable amount of care had been taken to abide by HIPAA Rules
Tier 2: A violation that the CE should have been aware of but could not have avoided even with a reasonable amount of care. (but falling short of wilful neglect of HIPAA Rules)
Tier 3: A violation suffered as a direct result of “wilful neglect” of HIPAA Rules, in cases where an attempt has been made to correct the violation
Tier 4: A violation of HIPAA Rules constituting wilful neglect, where no attempt has been made to correct the violation
On January 25, 2013, the HHS implemented an interim final rule (IFR). This introduced the new penalty structure. However, there were complaints about ‘inconsistencies’ in the language of the HITECH Act with respect to the maximum fines. The HHS determined at the time that the most sensible interpretation was to enforce the same maximum penalty cap of $1,500,000 across all four penalty tiers.
The HHS has now reviewed the language of the HITECH Act and believes a more logical reading of HITECH would be for the annual penalty caps to be different in three of the four tiers to better reflect the level of culpability. The minimum and maximum amounts in each tier will remain unchanged.
New Maximum Annual Penalties for HIPAA Violations
Tier 1: $25,000
Tier 2: $100,000
Tier 3: $250,000
Tier 4: $1,500,000
The HHS notes that its notification of enforcement discretion creates no legal obligations and no legal rights. Therefore, the Office of Management and Budget will not be required to review it.
The new penalty caps will be adopted by the HHS until further notice and will continue to be adjusted annually to account for inflation. The HHS expects to engage in further rule-making to review the penalty amounts to better reflect the text of the HITECH Act.