A notification of enforcement discretion issued by the Department of Health and Human Services (HHS) concerning the civil monetary penalties imposed for violations of the HIPAA Rules lowers the maximum annual penalty in three of the four current penalty tiers.
The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 increased the penalties for HIPAA violations. The penalty amount depends on the HIPAA covered entity's or business associate's level of knowledge of the violation and on whether it voluntarily acted to correct it.
The 1st penalty tier covers a covered entity or business associate that was unaware of the HIPAA Rules violation and, even with a reasonable level of due diligence, could not have known about it.
The 2nd tier covers an entity that knew of the violation, or could have known about it by exercising a reasonable level of due diligence, but whose violation falls short of willful neglect of the HIPAA Rules.
The 3rd tier covers entities that willfully neglected the HIPAA Rules but corrected the violation within 30 days.
The 4th tier covers entities that willfully neglected the HIPAA Rules and made no timely effort to correct the violation.
Under the previous interpretation, the maximum annual penalty was the same for all four tiers: $1.5 million for violations of an identical provision within a single calendar year.
HHS adopted this penalty framework in its interim final rule (IFR) and retained it in the final rule published on January 25, 2013, while acknowledging that the HITECH Act's language on penalty amounts was internally inconsistent. At that time HHS concluded that the most logical reading of the statute was to apply the same $1,500,000 annual cap to all four penalty tiers.
Having reviewed the HITECH Act's language again, HHS now believes the statute requires different annual penalty caps in three of the four tiers, so that the caps better reflect the degree of culpability. The minimum and maximum per-violation penalty amounts in each tier remain unchanged.
Under the new interpretation of the HITECH Act, the penalties for HIPAA violations are as follows:
- Penalty Tier 1 – No knowledge of the violation: minimum penalty of $100 per violation, maximum penalty of $50,000 per violation, and maximum annual penalty of $25,000.
- Penalty Tier 2 – Reasonable cause: minimum penalty of $1,000 per violation, maximum penalty of $50,000 per violation, and maximum annual penalty of $100,000.
- Penalty Tier 3 – Willful neglect with corrective action taken: minimum penalty of $10,000 per violation, maximum penalty of $50,000 per violation, and maximum annual penalty of $250,000.
- Penalty Tier 4 – Willful neglect without corrective action taken: minimum penalty of $50,000 per violation, maximum penalty of $50,000 per violation, and maximum annual penalty of $1,500,000.
HHS is scheduled to publish the notice in the Federal Register on April 30, 2019. HHS notes that the notification of enforcement discretion creates no legal rights or obligations and therefore did not require review by the Office of Management and Budget.
HHS will apply the new penalty caps until further notice, with the amounts adjusted annually for inflation. HHS is expected to undertake further rulemaking to reconsider the penalty amounts and arrive at an interpretation that better reflects the HITECH Act.