HHS Caps Maximum HIPAA Penalty Fines

As of April 30, 2019, the maximum penalties for violations of the Health Insurance Portability and Accountability Act (HIPAA) have new annual limits. These updated penalties will be based on the level of culpability associated with the violation, according to the Department of Health and Human Services (HHS). Organizations that have taken measures to meet HIPAA’s requirements now face a smaller maximum potential penalty than organizations that are found neglectful.

The level of culpability associated with a HIPAA violation is based on four tiers, described in the Health Information Technology for Economic and Clinical Health (HITECH) Act. In order to address “apparently inconsistent language” in HITECH’s penalty scheme, which outlines the minimum and maximum HIPAA enforcement penalties, HHS published a notice of enforcement discretion that further defines the updated fines for the four tiers:

  1. The person did not know (and, by exercising reasonable diligence, would not have known) that the person violated the provision – $100 to $50,000 per violation, capped at $25,000 per year the issue persisted
  2. The violation was due to reasonable cause, and not willful neglect – $1,000 to $50,000 per violation, capped at $100,000 per year the issue persisted
  3. The violation was due to willful neglect that is timely corrected – $10,000 to $50,000 per violation, capped at $250,000 per year the issue persisted
  4. The violation was due to willful neglect that is not timely corrected – $50,000 per violation, capped at $1.5 million per year the issue persisted

“Upon further review of the statute by the HHS Office of the General Counsel,” the Office for Civil Rights (OCR) Director, Roger Severino, wrote, “HHS has determined that the better reading of the HITECH Act is to apply annual limits…$25,000 for no knowledge, $100,000 for reasonable cause, $250,000 for corrected willful neglect, and [$1.5 million] for uncorrected willful neglect.”

These updates come on the heels of a record year for HIPAA enforcement, bringing in an all-time high of $28.7 million in fines for 2018. HLP has previously written about this subject.

HLP will continue to monitor and report updates as they become available. For more information regarding HIPAA and HITECH fines, please contact Adrienne Dresevic, Esq. and Clinton Mikel, Esq.
