HHS updated the maximum penalties it will impose on providers, health plans and their business associates for HIPAA violations, in some cases dropping the upper limit by more than $1 million.
The new system sets annual limits for these fines based on the organization's "level of culpability" associated with the HIPAA violation, according to the department's notice of enforcement discretion released late Friday. That means organizations that have taken measures to meet HIPAA's requirements will face a much smaller maximum penalty than those who are found neglectful.
The Health Information Technology for Economic and Clinical Health Act, better known as the HITECH Act, outlines minimum and maximum civil money penalties for HIPAA enforcement based on four tiers, which take into account whether the organization in question was aware of the violation and whether it had taken steps to abide by HIPAA's rules. The tiers escalate in severity, from an organization that is unaware of the violation to one that demonstrated "willful neglect" in not correcting violations.
The HITECH Act's penalty scheme, however, included "apparently inconsistent language" according to HHS, leading to confusion over the maximum penalty an organization could be fined per year that a violation persisted. As part of a final rule HHS adopted in 2013, the department set a static upper limit of $1.5 million per year that an issue was present, regardless of tier.
HHS decided to change this structure.
"Upon further review of the statute by the HHS Office of the General Counsel, HHS has determined that the better reading of the HITECH Act is to apply annual limits" based on the level of culpability, according to the notice.
The possible penalties for each tier now look like this:
- Tier 1: $100-$50,000 per violation, capped at $25,000 per year the issue persisted
- Tier 2: $1,000-$50,000 per violation, capped at $100,000 per year the issue persisted
- Tier 3: $10,000-$50,000 per violation, capped at $250,000 per year the issue persisted
- Tier 4: $50,000 per violation, capped at $1.5 million per year the issue persisted
The updated annual caps are interim figures pending further rulemaking, according to the notice.
Last year marked a record year for HIPAA enforcement, as HHS collected an all-time high of $28.7 million from HIPAA-covered entities and their business associates. That surpassed the previous record of $23.5 million, which HHS collected in 2016.
Correction: An earlier version of this story misstated the possible penalties for Tier 1. This error has been corrected.