
HHS Exercises Discretion to Modify HIPAA Penalties Based on Culpability

Posted in Privacy and Data Protection, Uncategorized

On April 26, the Department of Health and Human Services (HHS) published a notification that it was exercising its discretion in assessing Civil Money Penalties (CMPs) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act. The current regulations allow HHS to impose CMPs as follows:

Current CMP Tiers under the Enforcement Rule

| Culpability | Minimum Penalty/Violation | Maximum Penalty/Violation | Annual Limit |
|---|---|---|---|
| No Knowledge | $100 | $50,000 | $1,500,000 |
| Reasonable Cause | $1,000 | $50,000 | $1,500,000 |
| Willful Neglect — Corrected | $10,000 | $50,000 | $1,500,000 |
| Willful Neglect — Not Corrected | $50,000 | $50,000 | $1,500,000 |

As a matter of enforcement discretion, and pending further rulemaking, HHS will apply a different cumulative annual CMP limit for each of the four penalty tiers in the HITECH Act as follows:

New CMP Tiers under New Notification of Enforcement Discretion

| Culpability | Minimum Penalty/Violation | Maximum Penalty/Violation | Annual Limit |
|---|---|---|---|
| No Knowledge | $100 | $50,000 | $25,000 |
| Reasonable Cause | $1,000 | $50,000 | $100,000 |
| Willful Neglect — Corrected | $10,000 | $50,000 | $250,000 |
| Willful Neglect — Not Corrected | $50,000 | $50,000 | $1,500,000 |

This change applies to both covered entities and business associates and means that organizations that have taken measures to meet HIPAA’s requirements will face a much smaller maximum penalty unless there is a finding of willful neglect (i.e., knowledge of violation that is not corrected).
