5/3/19

Health Care Alert: HHS Exercises Enforcement Discretion to Reduce Maximum Annual Penalties for HIPAA Breaches


On April 30, 2019, the U.S. Department of Health and Human Services (HHS) published a notification of enforcement discretion in the Federal Register revising the maximum annual penalty amounts for breaches under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

HIPAA, as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH Act), established four tiers of culpability for a “breach,” defined as a use or disclosure of protected health information (PHI) that violates HIPAA requirements and that compromises the security or privacy of the PHI.¹ Under this framework, the penalties that may be assessed for a breach increase depending on whether: (1) the person did not know (and, by exercising reasonable diligence, would not have known) that he or she violated HIPAA; (2) the violation was due to reasonable cause, and not willful neglect; (3) the violation was due to willful neglect that was timely corrected; or (4) the violation was due to willful neglect that was not timely corrected.²

By statute, both the minimum and maximum annual penalties for a HIPAA violation vary based on these tiers of culpability. However, in October 2009, HHS issued an interim final rule taking the view that the HITECH Act’s penalty provisions were “conflicting” and that “the most logical reading” of the law was to apply the highest annual maximum penalty – $1.5 million – to all four levels of breaches.³ Accordingly, HHS implemented the following penalty structure for HIPAA breaches:

| Culpability                      | Minimum Penalty per Violation | Maximum Penalty per Violation | Annual Limit |
|----------------------------------|-------------------------------|-------------------------------|--------------|
| No Knowledge                     | $100                          | $50,000                       | $1,500,000   |
| Reasonable Cause                 | $1,000                        | $50,000                       | $1,500,000   |
| Willful Neglect – Corrected      | $10,000                       | $50,000                       | $1,500,000   |
| Willful Neglect – Not Corrected  | $50,000                       | $50,000                       | $1,500,000   |

This interpretation has had a drastic effect for entities subject to HIPAA requirements, including health care providers, insurance companies, and employee benefit plans. For example, in June 2018, an Administrative Law Judge (ALJ) ruled that the University of Texas MD Anderson Cancer Center (Anderson) must pay the maximum annual penalty of $1,500,000 per year for the years 2012 and 2013, despite the fact that the breaches at issue occurred at only the second (“Reasonable Cause”) level of culpability.⁴ Although Anderson explicitly argued that these penalty amounts were inconsistent with the statutory text of HIPAA, the ALJ stated in his decision that he lacked authority to second-guess the agency’s interpretation.⁵

Now, according to the recent Federal Register notice, HHS has reversed its position, and the following penalty structure (as adjusted for inflation) will be used until further notice:

| Culpability                      | Minimum Penalty per Violation | Maximum Penalty per Violation | Annual Limit |
|----------------------------------|-------------------------------|-------------------------------|--------------|
| No Knowledge                     | $100                          | $50,000                       | $25,000⁶     |
| Reasonable Cause                 | $1,000                        | $50,000                       | $100,000     |
| Willful Neglect – Corrected      | $10,000                       | $50,000                       | $250,000     |
| Willful Neglect – Not Corrected  | $50,000                       | $50,000                       | $1,500,000   |

The notification of enforcement discretion is available in full here.

If you have questions about HIPAA, the changes announced in this notification, or their impact on your organization, please contact Lisa Reisz, Jonathan Ishee, Liam Gruzs, Mairi Mull, or your regular Vorys attorney.

______________

1 45 C.F.R. § 164.402.

2 42 U.S.C. § 17939.

3 See HIPAA Administrative Simplification: Enforcement, 74 FR 56123, 56127 (Oct. 30, 2009).

4 See The University of Texas MD Anderson Cancer Center, DAB No. CR5111 (2018).

5 Id. Anderson appealed the ALJ’s decision in the Fifth Circuit U.S. Court of Appeals earlier this month.

6 As stated in the Federal Register, at the “No Knowledge” level of culpability, the maximum annual penalty is less than the maximum penalty per violation. Presumably, this discrepancy will be addressed in the future rulemaking HHS has indicated it plans to undertake.