• HHS Moves to Reduce Fines for HIPAA Violations Based on Level of Culpability
  • May 7, 2019 | Authors: Jeffrey R. Hantz; Gabrielle M. Carbonara; Rebecca J. Maziarz
  • Law Firm: Dickie, McCamey & Chilcote, P.C. - Pittsburgh Office
  • The Department of Health and Human Services (HHS) recently reduced the maximum fines that it can penalize healthcare providers, health plans and their business associates for violations of the Health Insurance Portability and Accountability Act (HIPAA). Based upon a new tiered structure set forth in a notice of enforcement discretion issued by HHS on April 26, 2019, the annual fine limits that can be imposed are lowered based upon an organization’s level of culpability associated with the HIPAA violation.

    The previous annual limit set by the Health Information Technology for Economic and Clinical Health Act (HITECH Act) was $1,500,000 for every tier, regardless of a party’s culpability. However, the new four-tier structure created by HHS, and enforced by their Office of Civil Rights, sets reduced annual fine limits based on an organization’s level of culpability as set forth in the table below:

    Tier 1: $100 for each violation, not to exceed $25,000 per calendar year, for parties who did not know and, by exercising reasonable diligence, would not have known that a HIPAA violation occurred

    Tier 2: $1,000 for each violation, not to exceed $100,000 per calendar year, for parties who violated a HIPAA provision due to reasonable cause, and not willful neglect

    Tier 3: $10,000 for each violation, not to exceed $250,000 per calendar year, for parties who violated a HIPAA provision due to willful neglect, which was corrected in a timely manner

    Tier 4: $50,000 for each violation, not to exceed $1,500,000 per calendar year, for parties who violated a HIPAA provision due to willful neglect, which was not corrected in a timely manner

    As set forth above, this new four-tier structure escalates in severity and takes into account whether or not an organization knew it was in violation of a HIPAA provision, whether said organization took any steps to comply with HIPAA requirements, and whether the organization quickly mitigated the violation. In fact, a violation that is due to reasonable cause, and not willful neglect, can be corrected with no penalty if appropriate action is taken in a timely fashion.

    Please consult with Rebecca J. Maziarz, Jeffrey R. Hantz, or Gabrielle M. Carbonara at Dickie, McCamey & Chilcote, P.C. They have assisted healthcare providers with self-reporting to HHS following a breach. Following inadvertent disclosures, they have successfully directed their clients to a result that found the Office of Civil Rights closing the file without the imposition of fines. They can answer any questions about how these changes may apply to your business.