On April 30, 2019, the Department of Health and Human Services (HHS) published in the Federal Register a notification of enforcement discretion indicating that it will lower the annual Civil Money Penalty (CMP) limits for three of the four penalty tiers in the Health Information Technology for Economic and Clinical Health Act (HITECH Act). The HITECH Act categorizes violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) in four tiers based on the violators’ level of culpability for the violation: the person did not know (and, by exercising reasonable diligence, would not have known) that the person violated the provision (Tier 1); the violation was due to reasonable cause, and not willful neglect (Tier 2); the violation was due to willful neglect that is timely corrected (Tier 3); and the violation was due to willful neglect that is not timely corrected (Tier 4).
The maximum penalty per violation for all four tiers was previously $1.5 million. HHS’s new policy states that the annual penalty limit for Tier 1 violations has been decreased from $1.5 million to $25,000. The annual penalty limits for Tier 2 and Tier 3 violations are now $100,000 and $250,000, respectively. The penalty limit for Tier 4 violations will remain at $1.5 million.
When HHS reviewed the penalty limits in 2003 in response to public comments, the agency indicated that setting the same annual limit for all four violation tiers “reflect[ed] the most logical reading of the HITECH Act, which provides the Secretary with discretion to impose penalties for each category of culpability up to the maximum amount described in the highest penalty tier.” In explaining the agency’s recent policy change, HHS said that “[u]pon further review of the statute by the HHS Office of the General Counsel, HHS has determined that the better reading of the HITECH Act is to apply annual limits [in accordance with the new policy].”
HHS will penalize HIPAA violations in accordance with the new tier limits until further notice. The agency plans to engage in rulemaking to revise the tiers in the regulation. This new maximum penalty structure provides even more incentive for covered entities and business associates to implement robust HIPAA policies and procedures, monitor and audit to detect noncompliance, and correct any instances of noncompliance promptly.