HHS Reduces the Annual Cap for Most HIPAA Penalties

HIPAA penalties vary depending on the type of conduct involved. (45 CFR § 160.404). Under HHS's prior interpretation, the types of violations were all subject to an annual maximum penalty of $1,500,000 for identical types of violations. (Id.).

On April 30, 2019, HHS exercised its discretion to lower the annual cap for certain types of penalties as set forth in the following chart:

Before you get too excited about the reduced annual cap, you should remember the following:

1. The penalty amounts are subject to annual cost of living adjustments. (45 CFR §§ 102 and 160.404(a); see 83 FR 51378).
2. The new annual caps only apply to identical violations. A single act or omission may result in different violations that are not identical. For example, an impermissible disclosure may violate separate HIPAA requirements, each of which may trigger a different penalty and separate annual cap. (45 CFR § 160.406). Also, the Office for Civil Rights (“OCR”) may impose a separate penalty for each individual whose information was improperly accessed or disclosed. (71 FR 8404-07). In the case of a continuing violation (e.g., the failure to implement a required safeguard or obtain a required business associate agreement), a separate violation occurs each day the covered entity or business associate is in violation of the provision. (45 CFR § 160.406).
3. If an entity does not act with willful neglect and corrects the violation within 30 days after the covered entity or business associate knew, or by exercising reasonable diligence, would have known of the violation, the OCR may not impose a penalty; such correction is an affirmative defense to penalties. (45 CFR § 160.410(c)). On the other hand, if the entity acts with willful neglect, the relevant penalty is mandatory. (45 CFR § 160.404(b)(iii)-(iv); 75 FR 40876).
4. A covered entity or business associate is vicariously liable for the violations of their respective agents, including workforce members or business associates acting within the scope of their agency under the federal common law of agency. (45 CFR § 160.402(c)).

In short, HIPAA penalties may add up quickly despite the reduced annual cap on identical types of violations. Covered entities and business associates must ensure that they continue to comply with HIPAA, avoid acting with “willful neglect” at all costs, and correct any violations within 30 days to invoke the affirmative defense to penalties.

For questions regarding this update, please contact:
Kim C. Stanger
Holland & Hart, 800 W Main Street, Suite 1750, Boise, ID 83702
email: kcstanger@hollandhart.com, phone: 208-383-3913

This news update is designed to provide general information on pertinent legal topics. The statements made are provided for educational purposes only. They do not constitute legal advice nor do they necessarily reflect the views of Holland & Hart LLP or any of its attorneys other than the author. This news update is not intended to create an attorney-client relationship between you and Holland & Hart LLP. If you have specific questions as to the application of the law to your activities, you should seek the advice of your legal counsel.