HHS Enforcement Discretion May Dramatically Reduce HIPAA Penalties

HHS has issued a Notification of Enforcement Discretion to announce a change in its application of the regulations governing civil money penalties under HIPAA’s administrative simplification rules. As background, the Health Information Technology for Economic and Clinical Health (HITECH) Act established four categories of violations—and corresponding penalty tiers—that reflect increasing culpability. In interim final regulations (see our Checkpoint article), HHS set minimum and maximum penalty amounts for violations in each tier. Interpreting statutory language that appeared to create conflicting dollar limits for violations of an identical provision during a calendar year, HHS adopted the higher limit of $1.5 million for all four penalty tiers. HHS justified this interpretation as the “most logical” reading of the HITECH Act and consistent with Congress’s intent to strengthen enforcement by increasing penalties. In its 2013 omnibus regulations (see our Checkpoint article), HHS adopted the interim final regulations without changing the penalty tiers or calendar-year limits, again characterizing this approach as the “most logical” reading of the HITECH Act.

The Notification indicates that HHS’s Office of the General Counsel has undertaken “further review” of the statute and determined that the “better reading” of the HITECH Act is to apply the separate calendar-year limits specified for each penalty tier. Under the new interpretation, the dollar caps for violations of identical provisions in a calendar year will be reduced from $1.5 million to the following dollar amounts in the first three tiers:

• Tier 1—Person did not know (and, exercising reasonable diligence, would not have known) of a violation: $25,000
• Tier 2—Violation was due to reasonable cause and not willful neglect: $100,000
• Tier 3—Violation was due to willful neglect and was timely corrected: $250,000

For a Tier 4 violation, involving willful neglect that was not corrected, the $1.5 million cap remains unchanged. The Notification’s penalty structure will be in effect until further notice, subject to annual inflation adjustments (see our Checkpoint article). HHS expects future rulemaking to codify the revised penalties.

EBIA Comment: HIPAA covered entities and business associates are likely to welcome HHS’s revised reading of the HITECH Act. Besides reducing penalties directly, the lower limits should put downward pressure on settlement amounts since penalty caps reduce OCR’s negotiating leverage. This change is somewhat surprising, given that OCR recently boasted that it collected an “all-time” record $28.7 million from enforcement activity in 2018—a number that would have been significantly lower under this revised interpretation. For example, a $4.3 million penalty announced in June 2018 for breach of unencrypted protected health information (see our Checkpoint article) included $3 million in penalties for 2012 and 2013—an amount that would be capped at $200,000 under the new policy. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XX.D (“Resolution Agreements”) and XX.E (“Civil Monetary Penalties”). You may also be interested in our webinar “Learning the Ropes: An Introduction to HIPAA Privacy & Security” (recorded 2/20/19).

Contributing Editors: EBIA Staff.