No. Your eyes are not playing tricks on you, and there is not a typo in my title. HHS just announced that it is decreasing the annual limit on penalties for HIPAA violations for three of the four tiers of violations.
In 2009, through the HITECH Act, Congress greatly increased the penalties that HHS could assess for HIPAA violations. HITECH established four tiers of violations with increasing penalties based on the level of culpability. Since enactment of HITECH, there has been controversy around whether the $1,500,000 cap should really be applied to all penalty levels if the penalties were supposed to be tiered based on culpability. In the final regulations implementing HITECH that were issued in 2013, HHS kept the interpretation that the cap applies to every tier and has been issuing penalties based on the following chart:

| Culpability | Minimum Penalty Per Violation | Maximum Penalty Per Violation | Annual Limit |
| --- | --- | --- | --- |
| No Knowledge | $100 | $50,000 | $1,500,000 |
| Reasonable Cause | $1,000 | $50,000 | $1,500,000 |
| Willful Neglect – Corrected | $10,000 | $50,000 | $1,500,000 |
| Willful Neglect – Not Corrected | $50,000 | $50,000 | $1,500,000 |

This week HHS issued its Notification of Enforcement Discretion Regarding HIPAA Civil Money Penalties, which stated that, upon further review of the statute, HHS has determined that a better reading of the statute is to apply a tiered annual limit as well. Under the new HHS interpretation, the following chart illustrates the new maximum penalties that all HHS HIPAA enforcement actions will use until further notice:

| Culpability | Minimum Penalty Per Violation | Maximum Penalty Per Violation* | Annual Limit |
| --- | --- | --- | --- |
| No Knowledge | $100 | $50,000 | $25,000 |
| Reasonable Cause | $1,000 | $50,000 | $100,000 |
| Willful Neglect – Corrected | $10,000 | $50,000 | $250,000 |
| Willful Neglect – Not Corrected | $50,000 | $50,000 | $1,500,000 |

* I don’t understand how the maximum penalty per violation can be more than the annual limit, but this chart is exactly as it appears in the HHS Notification.
While it is good news for covered entities and business associates that HHS is relaxing the annual limit for many violations, these penalties can still add up quickly. The annual limit applies to each identical violation in a year. Where a covered entity or business associate has multiple violations (which is often the case where there is a breach), HHS can issue the maximum annual limit penalty for each separate violation. Also, these penalties are being adjusted for inflation each year, so expect minor increases each year to the annual limits as well.