The Department of Health and Human Services has announced that it is lowering the maximum amount it will assess for most types of HIPAA violations. Although the change is couched as an exercise of discretion, HHS states that it is basing the modifications on a change in its interpretation of the penalty provisions set forth in the Health Information Technology for Economic and Clinical Health Act (HITECH) Act.
As revised, the maximum annual penalty that HHS will assess for any type of HIPAA violation will vary with the entity’s culpability. Previously, this variation applied only to the minimum penalty for each particular violation.
Civil Monetary Penalties |
||
Nature of Offense |
Prior Penalty Limits |
New Penalty Limits |
Did not know and by exercising reasonable diligence would not have known of violation |
$100 to $50,000 per violation Up to $1.5 million per type per year |
$100 to $50,000 per violation Up to $25,000 per type per year |
Violation due to reasonable cause |
$1,000 to $50,000 per violation Up to $1.5 million per type per year |
$1,000 to $50,000 per violation Up to $100,000 per type per year |
Willful neglect but corrected problem |
$10,000 to $50,000 per violation Up to $1.5 million per type per year |
$10,000 to $50,000 per violation Up to $250,000 per type per year |
Willful neglect but did not correct problem |
$50,000 per violation Up to $1.5 million per type per year |
$50,000 per violation Up to $1.5 million per type per year |
The practical effect of these modifications will depend on the extent to which HHS seeks to impose penalties on covered entities and business associates for offenses that did not result from willful neglect and that have not been appropriately corrected. The change in penalties does not alter the basic advice to health care providers and health plans: continue to maintain appropriate safeguards against violations of HIPAA’s privacy and security rules and take prompt action in the event of a breach.
Ballard Spahr attorneys established the Health Care Reform Dashboard as a one-stop resource under the Affordable Care Act. We have expanded the scope of the Dashboard to extend to certain other laws, but continue the mission of providing our readers with information about significant changes affecting health care and health benefits in the United States and to establish a repository for analysis and original source material of significant developments that have occurred over time. Change is ongoing, and we will continue to update the Dashboard to reflect new legislation, administrative guidance, and judicial decisions as they are published.
Copyright © 2019 by Ballard Spahr LLP.
www.ballardspahr.com
(No claim to original U.S. government material.)
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.
This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.