HHS Reduces the Annual Cap for Most HIPAA Penalties
by Kim Stanger
HIPAA penalties vary depending on the type of conduct involved. (45 CFR § 160.404). Under HHS’s prior interpretation, all types of violations were subject to the same annual maximum penalty of $1,500,000 for identical types of violations. (Id.).
On April 30, 2019, HHS exercised its discretion to lower the annual cap for certain types of penalties as set forth in the following chart:
| Culpability | Minimum Penalty per Violation | Maximum Penalty per Violation | Annual Limit for Identical Violations |
| --- | --- | --- | --- |
| Person did not know, and by exercising reasonable diligence would not have known, that person violated HIPAA | $100 ($114 per most recent inflation adjustment) | $50,000 ($57,051 per most recent inflation adjustment) | $25,000 ($28,525 per most recent inflation adjustment) |
| The violation was due to reasonable cause, not willful neglect | $1,000 ($1,141 per most recent inflation adjustment) | $50,000 ($57,051 per most recent inflation adjustment) | $100,000 ($114,102 per most recent inflation adjustment) |
| Person acted with willful neglect, but corrected the violation within 30 days | $10,000 ($11,182 per most recent inflation adjustment) | $50,000 ($57,051 per most recent inflation adjustment) | $250,000 ($285,255 per most recent inflation adjustment) |
| Person acted with willful neglect and failed to correct the violation within 30 days | $50,000 ($57,051 per most recent inflation adjustment) | $50,000 ($57,051 per most recent inflation adjustment) | $1,500,000 ($1,711,533 per most recent inflation adjustment) |
Before you get too excited about the reduced annual cap, you should remember the following:
- The penalty amounts are subject to annual cost of living adjustments. (45 CFR §§ 102 and 160.404(a); see 83 FR 51378).
- The new annual caps only apply to identical violations. A single act or omission may result in different violations that are not identical. For example, an impermissible disclosure may violate separate HIPAA requirements, each of which may trigger a different penalty and separate annual cap. (45 CFR § 160.406). Also, the Office for Civil Rights (“OCR”) may impose a separate penalty for each individual whose information was improperly accessed or disclosed. (71 FR 8404-07). In the case of a continuing violation (e.g., the failure to implement a required safeguard or obtain a required business associate agreement), a separate violation occurs each day the covered entity or business associate is in violation of the provision. (45 CFR § 160.406).
- If an entity does not act with willful neglect and corrects the violation within 30 days after the covered entity or business associate knew, or by exercising reasonable diligence, would have known of the violation, the OCR may not impose a penalty; such correction is an affirmative defense to penalties. (45 CFR § 160.410(c)). On the other hand, if the entity acts with willful neglect, the relevant penalty is mandatory. (45 CFR § 160.404(b)(iii)-(iv); 75 FR 40876).
- A covered entity or business associate is vicariously liable for the violations of their respective agents, including workforce members or business associates acting within the scope of their agency under the federal common law of agency. (45 CFR § 160.402(c)).
In short, HIPAA penalties may add up quickly despite the reduced annual cap on identical types of violations. Covered entities and business associates must ensure that they continue to comply with HIPAA, avoid acting with “willful neglect” at all costs, and correct any violations within 30 days to invoke the affirmative defense to penalties.
For questions regarding this update, please contact:
Kim C. Stanger
Holland & Hart, 800 W Main Street, Suite 1750, Boise, ID 83702
email: kcstanger@hollandhart.com, phone: 208-383-3913
This publication is designed to provide general information on pertinent legal topics. The statements made are provided for educational purposes only. They do not constitute legal or financial advice nor do they necessarily reflect the views of Holland & Hart LLP or any of its attorneys other than the author. This publication is not intended to create an attorney-client relationship between you and Holland & Hart LLP. Substantive changes in the law subsequent to the date of this publication might affect the analysis or commentary. Similarly, the analysis may differ depending on the jurisdiction or circumstances. If you have specific questions as to the application of the law to your activities, you should seek the advice of your legal counsel.