05/02/2019

HHS Reduces the Annual Cap for Most HIPAA Penalties

HIPAA penalties vary depending on the type of conduct involved. (45 CFR § 160.404). Under HHS's prior interpretation, all of the types of violations were subject to an annual maximum penalty of $1,500,000 for identical types of violations. (Id.).

On April 30, 2019, HHS exercised its discretion to lower the annual cap for certain types of penalties as set forth in the following chart:

| Culpability | Minimum Penalty per Violation | Maximum Penalty per Violation | Annual Limit for Identical Violations |
|---|---|---|---|
| Person did not know, and by exercising reasonable diligence would not have known, that person violated HIPAA | $100 ($114 per most recent inflation adjustment) | $50,000 ($57,051 per most recent inflation adjustment) | $25,000 ($28,525 per most recent inflation adjustment) |
| The violation was due to reasonable cause, not willful neglect | $1,000 ($1,141 per most recent inflation adjustment) | $50,000 ($57,051 per most recent inflation adjustment) | $100,000 ($114,102 per most recent inflation adjustment) |
| Person acted with willful neglect, but corrected the violation within 30 days | $10,000 ($11,182 per most recent inflation adjustment) | $50,000 ($57,051 per most recent inflation adjustment) | $250,000 ($285,255 per most recent inflation adjustment) |
| Person acted with willful neglect and failed to correct the violation within 30 days | $50,000 ($57,051 per most recent inflation adjustment) | $50,000 ($57,051 per most recent inflation adjustment) | $1,500,000 ($1,711,533 per most recent inflation adjustment) |

Before you get too excited about the reduced annual cap, you should remember the following:

  1. The penalty amounts are subject to annual cost of living adjustments. (45 CFR §§ 102 and 160.404(a); see 83 FR 51378).
  2. The new annual caps only apply to identical violations. A single act or omission may result in different violations that are not identical. For example, an impermissible disclosure may violate separate HIPAA requirements, each of which may trigger a different penalty and separate annual cap. (45 CFR § 160.406). Also, the Office for Civil Rights (“OCR”) may impose a separate penalty for each individual whose information was improperly accessed or disclosed. (71 FR 8404-07). In the case of a continuing violation (e.g., the failure to implement a required safeguard or obtain a required business associate agreement), a separate violation occurs each day the covered entity or business associate is in violation of the provision. (45 CFR § 160.406).
  3. If an entity does not act with willful neglect and corrects the violation within 30 days after the covered entity or business associate knew, or by exercising reasonable diligence, would have known of the violation, the OCR may not impose a penalty; such correction is an affirmative defense to penalties. (45 CFR § 160.410(c)). On the other hand, if the entity acts with willful neglect, the relevant penalty is mandatory. (45 CFR § 160.404(b)(iii)-(iv); 75 FR 40876).
  4. A covered entity or business associate is vicariously liable for the violations of their respective agents, including workforce members or business associates acting within the scope of their agency under the federal common law of agency. (45 CFR § 160.402(c)).

In short, HIPAA penalties may add up quickly despite the reduced annual cap on identical types of violations. Covered entities and business associates must ensure that they continue to comply with HIPAA, avoid acting with “willful neglect” at all costs, and correct any violations within 30 days to invoke the affirmative defense to penalties.


For questions regarding this update, please contact:
Kim C. Stanger
Holland & Hart, 800 W Main Street, Suite 1750, Boise, ID 83702
email: kcstanger@hollandhart.com, phone: 208-383-3913

This news update is designed to provide general information on pertinent legal topics. The statements made are provided for educational purposes only. They do not constitute legal advice nor do they necessarily reflect the views of Holland & Hart LLP or any of its attorneys other than the author. This news update is not intended to create an attorney-client relationship between you and Holland & Hart LLP. If you have specific questions as to the application of the law to your activities, you should seek the advice of your legal counsel.
