HHS Lowers Maximum Fines Set for HIPAA Violations
By switching to a penalty system that’s based on a covered entity’s “level of culpability,” HHS will now assess penalties based on whether an organization has taken steps to comply with HIPAA requirements, such as conducting risk analyses, or whether it has willfully ignored such requirements or is found to be neglectful. In 2013, the HITECH Act strengthened the HHS Office for Civil Rights’ enforcement and set a static upper limit of $1.5 million per year that an issue was present. However, in the new regulation, HHS acknowledges that HITECH’s penalty tier system included “apparently inconsistent language,” which led to confusion.
“Upon further review of the statute by the HHS Office of the General Counsel, HHS has determined that the better reading of the HITECH Act is to apply annual limits” based on level of culpability, the new HHS notice states.
The new annual caps, which are set on an interim basis pending new rulemaking, are:
- Tier 1: $100-$50,000 per violation, capped at $25,000 per year the issue persisted
- Tier 2: $1,000-$50,000 per violation, capped at $100,000 per year the issue persisted
- Tier 3: $10,000-$50,000 per violation, capped at $250,000 per year the issue persisted
- Tier 4: $50,000 per violation, capped at $1.5 million per year the issue persisted
“If a violation was clearly unintentional and without knowledge, why should a potentially massive fine follow? While the discretion existed, the interpretation will now be binding and remove the potential uncertainty,” Fisher said.
Mary Butler is associate editor at Journal of AHIMA.