Office for Civil Rights Reduces Annual Penalty Caps for Certain Violations Under HIPAA
By LYNDA JOHNSON, TIMOTHY EZELL and AMIE K. ALEXANDER
On April 30, 2019, the Department of Health and Human Services (HHS)'s Office for Civil Rights (OCR) issued notification that it is lowering the maximum total penalties it may assess against covered entities and business associates for multiple violations of HIPAA Privacy, Security, Breach Notification, and Enforcement Rules (HIPAA Rules) in a single year.
Under the HIPAA Rules, Congress initially authorized HHS to impose a maximum Civil Money Penalty (CMP) of $100 for each violation, subject to a calendar year cap of $25,000 for all violations of an identical requirement or prohibition.
Congress enacted the Health Information Technology for Economic and Clinical Health (HITECH) Act in February 2009 as part of the American Recovery and Reinvestment Act of 2009. The HITECH Act strengthened HIPAA enforcement by increasing minimum and maximum penalties. It also established different categories of HIPAA violations, with increasing penalty tiers based on the level of culpability associated with the violation.
The HITECH Act provided four levels of culpability:
HHS issued an Interim Final Rule (IFR) in October 2009 to implement the enhanced penalty provisions of the HITECH Act. However, the language of the Act led to differing interpretations of its penalty provisions. At the time of the 2009 IFR, HHS's view was that the HITECH Act's penalty provisions were conflicting because they allegedly referenced two levels of penalties for three of the four violation types. Despite the fact that the HITECH Act provided four different annual penalty caps, the IFR concluded that the "most logical reading" of the Act was to apply the highest annual cap of $1.5 million to all violation types. The IFR was adopted by HHS as a Final Rule (the "Enforcement Rule") without change to the penalty tiers and annual limits on January 25, 2013.
The Enforcement Rule's penalty matrix applied the same cumulative annual CMP limit across all four categories of violations based on the level of culpability, as set forth below.
Penalty Tiers Under HHS's 2009 Interpretation (the Enforcement Rule)
This interpretation maximized HHS's enforcement authority in order to further what it believed was Congress's intent to strengthen HIPAA enforcement, but in doing so, ultimately ignored the minimum annual caps provided in the HITECH Act entirely.
The Trump Administration's 2019 Reinterpretation
HHS will now apply a different cumulative annual CMP limit for each of the four penalty tiers, which it considers the better reading of the HITECH Act. These amounts will be adjusted for inflation and are set forth below.
For now, this reinterpretation is only an exercise of OCR's enforcement discretion. However, the Trump Administration has made clear its plans to undertake future rulemaking in order to formalize the reinterpretation into a final rule. Such action would make it much more difficult for future administrations to move back to the prior, higher penalty enforcement matrix.
The lowering of annual CMP limits is certainly more favorable to covered entities and business associates, and more appropriately incentivizes covered entities and business associates to act in ways that fall within the lower annual caps, such as taking additional steps to correct willful neglect in a timely manner. Covered entities and business associates should maintain evidence of lack of knowledge, reasonable cause, and timely corrections.
Covered entities and business associates should not take this reinterpretation as a sign that OCR is lessening HIPAA enforcement. OCR just wrapped up a record-breaking year for HIPAA financial enforcement and is showing no signs of slowing down.
Regardless, if you do find yourself working with OCR after a HIPAA breach incident as a covered entity or business associate, taking steps to show OCR that any violations that may have occurred were done without knowledge despite reasonable diligence may mean the difference between a $25,000 penalty cap and a $1.5 million one.
Lynda Johnson and Timothy Ezell are both partners at Friday, Eldredge & Clark, LLP.
Amie K. Alexander is an associate. Visit fridayfirm.com.