On Friday April 26, 2019, the US Department of Health and Human Services (“HHS”) issued a notification regarding HHS’ use of Civil Monetary Penalties (“CMP”) under the Health Insurance Portability and Accountability Act (“HIPAA”) as amended by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act.  https://www.federalregister.gov/documents/2019/04/30/2019-08530/enforcement-discretion-regarding-hipaa-civil-money-penalties.  The notice provides: “As a matter of enforcement discretion, and pending further rulemaking, HHS will apply a different cumulative annual CMP limit for each of the four penalty tiers in the HITECH Act.”

The HITECH Act implemented a tiered penalty scheme for violations of HIPAA.  That tiered approach depended on the level of culpability associated with the violation.  At the lowest level of culpability, when the “person did not know (and by exercising reasonable diligence would not have known)” of the violation, the penalty was established at $100 for each violation “except that the total amount imposed on the person for all such violations may not exceed $25,000.”  Each level of culpability had successively higher penalties attached.  At the top tier, when the violation was due to willful neglect, the penalty is $50,000 for each violation “except that the total amount imposed on the person for all such violations may not exceed $1.5 million.”  P.L. 111-5, Section 13410(d); codified at 42 U.S.C. §1320d–5.  However, the statutory language was unclear in places, as noted in the preamble to the regulations implementing the statute:

In adopting the HITECH Act’s penalty scheme, the Department recognized that section 13410(d) contained apparently inconsistent language (i.e., its reference to two penalty tiers “for each violation,” each of which provided a penalty amount “for all such violations” of an identical requirement or prohibition in a calendar year). To resolve this inconsistency, with the exception of violations due to willful neglect that are not timely corrected, the [Interim Final Rule] adopted a range of penalty amounts between the minimum given in one tier and the maximum given in the second tier for each violation and adopted the amount of $1.5 million as the limit for all violations of an identical provision of the HIPAA rules in a calendar year. For violations due to willful neglect that are not timely corrected, the IFR adopted the penalty amount of $50,000 as the minimum for each violation and $1.5 million for all such violations of an identical requirement or prohibition in a calendar year.

78 Fed. Reg. 5566, 5582 (Jan. 25, 2013) (emphasis added).

At the time, HHS chose to interpret Congress’ meaning to allow it to impose the highest per-violation fine ($50,000) and the highest aggregate amount ($1.5 million) for every tier, regardless of the tier and the degree of culpability of the covered entity.  Under that scheme, the penalty assessment was as follows:

Culpability                      Minimum penalty per violation   Maximum penalty per violation   Annual limit
No Knowledge                     $100                            $50,000                         $1.5 million
Reasonable Cause                 $1,000                          $50,000                         $1.5 million
Willful Neglect - Corrected      $10,000                         $50,000                         $1.5 million
Willful Neglect - Not Corrected  $50,000                         $50,000                         $1.5 million

The interpretation above arguably turned the four-tier approach set forth in the statute into a two-tier approach.  However, as of April 26, 2019, “[u]pon further review of the statute by the HHS Office of the General Counsel,” HHS has determined that “all HIPAA enforcement actions will be governed” by a revised set of penalty tiers that mirrors the statute’s four tiers.  The new penalty tiers are as follows:

Culpability                      Minimum penalty per violation   Maximum penalty per violation   Annual limit
No Knowledge                     $100                            $50,000                         $25,000
Reasonable Cause                 $1,000                          $50,000                         $100,000
Willful Neglect - Corrected      $10,000                         $50,000                         $250,000
Willful Neglect - Not Corrected  $50,000                         $50,000                         $1.5 million

HHS also noted that it would engage in future rulemaking “to revise the penalty tiers in the current regulation to better reflect the text of the HITECH Act.”  With these changes, organizations with robust privacy and security compliance programs (including strong reporting mechanisms) may benefit from falling into the lower penalty tiers in the event a violation occurs.
