HHS cuts maximum civil monetary penalties for HIPAA violations
The Department of Health and Human Services has issued a notice reducing the maximum civil monetary penalty for all HIPAA violations except the most serious: those involving uncorrected willful neglect.
HHS is exercising its “enforcement discretion” in how it applies the agency’s regulations concerning the assessment of HIPAA civil money penalties, according to a notification published in the Federal Register.
“Current HHS regulations apply the same cumulative annual (civil monetary penalty) limit across four categories of violations based on the level of culpability,” states the notice. “As a matter of enforcement discretion and pending further rulemaking, HHS will apply a different cumulative annual CMP limit for each of the four penalty tiers in the HITECH Act.”
A 2013 rule applied a maximum penalty of $1.5 million to all four penalty tiers under the HITECH Act. Based on further review of the statute by the HHS Office of the General Counsel, the agency “has determined that the better reading of the HITECH Act” is to reduce the maximum penalty for three of the four tiers as follows: $25,000 for no knowledge, $100,000 for reasonable cause and $250,000 for corrected willful neglect.
However, the maximum penalty for uncorrected willful neglect—the most serious HIPAA violation—remains at $1.5 million.
“HHS will use this penalty tier structure, as adjusted for inflation, until further notice,” states the notification, adding that “this exercise of enforcement discretion is effective indefinitely.”
The announcement comes on the heels of a banner year in 2018 for the HHS Office for Civil Rights, which set an all-time record for HIPAA enforcement activity in terms of overall dollar value.
Last year, OCR also reported the single largest individual HIPAA settlement in history of $16 million with Anthem—a nearly three-fold increase over the previous record settlement of $5.5 million in 2016.