HHS Moves to Reduce Fines for HIPAA Violations Based on Level of Culpability

The Department of Health and Human Services (HHS) recently reduced the maximum fines that it can penalize healthcare providers, health plans and their business associates for violations of the Health Insurance Portability and Accountability Act (HIPAA). Based upon a new tiered structure set forth in a notice of enforcement discretion issued by HHS on April 26, 2019, the annual fine limits that can be imposed are lowered based upon an organization’s level of culpability associated with the HIPAA violation.

The previous annual limit set by the Health Information Technology for Economic and Clinical Health Act (HITECH Act) was $1,500,000 for every tier, regardless of a party’s culpability. However, the new four-tier structure created by HHS, and enforced by their Office of Civil Rights, sets reduced annual fine limits based on an organization’s level of culpability as set forth in the table below:

• Tier 1:  $100 for each violation, not to exceed $25,000 per calendar year, for parties who did not know and, by exercising reasonable diligence, would not have known that a HIPAA violation occurred
• Tier 2:  $1,000 for each violation, not to exceed $100,000 per calendar year, for parties who violated a HIPAA provision due to reasonable cause, and not willful neglect
• Tier 3:  $10,000 for each violation, not to exceed $250,000 per calendar year, for parties who violated a HIPAA provision due to willful neglect, which was corrected in a timely manner
• Tier 4:  $50,000 for each violation, not to exceed $1,500,000 per calendar year, for parties who violated a HIPAA provision due to willful neglect, which was not corrected in a timely manner

As set forth above, this new four-tier structure escalates in severity and takes into account whether or not an organization knew it was in violation of a HIPAA provision, whether said organization took any steps to comply with HIPAA requirements, and whether the organization quickly mitigated the violation. In fact, a violation that is due to reasonable cause, and not willful neglect, can be corrected with no penalty if appropriate action is taken in a timely fashion.

Please consult with Rebecca J. Maziarz, Jeffrey R. Hantz, or Gabrielle M. Carbonara at Dickie, McCamey & Chilcote, P.C. They have assisted healthcare providers with self-reporting to HHS following a breach. Following inadvertent disclosures, they have successfully directed their clients to a result that found the Office of Civil Rights closing the file without the imposition of fines. They can answer any questions about how these changes may apply to your business.

Rebecca J. Maziarz 412-392-5642 rmaziarz@dmclaw.com

Jeffrey R. Hantz 412-392-5264 jhantz@dmclaw.com

Gabrielle M. Carbonara 412-392-5321 gcarbonara@dmclaw.com

Ms. Maziarz was the Director of Medical Information Management for two Western Pennsylvania hospitals and one in West Virginia. Additionally, she served as a Long Term Care Consultant to area nursing homes. Her background in the healthcare industry provides clients with an invaluable resource and unique perspective into the ever-evolving healthcare landscape.