HHS moves to reduce HIPAA fines, lowering the cap more than $1M for some violations

The Department of Health and Human Services (HHS) adjusted the monetary penalties it imposes on healthcare providers, health plans and their business associates for violating the Health Insurance Portability and Accountability Act (HIPAA), lowering the annual cap for the least-severe violation from $1.5 million to $25,000.

HHS said the new tier structure is based on culpability and sets different annual limits for fines based on four penalty tiers, according to a notice of enforcement discretion (PDF) issued Friday. Healthcare organizations that have taken steps to comply with HIPAA requirements or work quickly to mitigate violations face a smaller maximum penalty than organizations found neglectful.

Prior to the changes, the annual limit was $1.5 million for every tier.

Matthew Fisher, a partner with Boston-based law firm Mirick O’Connell and chair of the firm’s health law group, told FierceHealthcare that reducing the maximum penalties is inconsistent with the direction of recent Office for Civil Rights (OCR) settlements. "It is arguably good in terms of aligning potential penalties with the level of culpability," though, he said.

"If a violation was clearly unintentional and without knowledge, why should a potentially massive fine follow. While the discretion existed, the interpretation will now be binding and remove the potential uncertainty," Fisher said. He added that HIPAA fines only occur in a vast minority of instances, so the penalty changes, while grabbing attention, may not have much practical impact.

RELATED: HHS' Office for Civil Rights reports $28.7M in payments for record HIPAA enforcement year

HHS' OCR had a record year for HIPAA settlements in 2018. OCR settled 10 cases and secured one judgment totaling $28.7 million in fines for healthcare provider and health-related companies' violations of the privacy law, 22% higher than the previous record of $23.5 million in 2016.

Through its latest enforcement, HHS adjusted the fine structure to match the increasing levels of culpability.

The penalty structure is now:

  • Tier 1 (no knowledge of violation): $100 to $50,000 per violation; capped at $25,000 per year
  • Tier 2 (reasonable cause): $1,000 to $50,000 per violation; capped at $100,000 per year 
  • Tier 3 (willful neglect, corrected): $10,000 to $50,000 per violation: capped at $250,000 per year 
  • Tier 4 (willful neglect, not corrected): $50,000 per violation; capped at $1.5 million per year 

The annual limit is per year for every year the violation persisted. For example, an organization that had a security or privacy violation due to willful neglect that went uncorrected for several years could still face hefty fines well above $1.5 million.

Former OCR official Deven McGraw, who now serves as the chief regulatory officer at Ciitizen, said the changes could have a significant impact and provides less incentive for organizations to fix lax security and privacy practices. While the minimum penalty level for any particular violation has not changed, HHS is adopting a much lower annual cap for all violations except those due to willful neglect which means significantly lower penalties for large breaches and for ongoing, persistent violations of the rules, McGraw said.

An example of an ongoing, persistent violation would be an organization failing to do a HIPAA security risk assessment and risk management plan for an entire year, 

"Arguably the incentive to fix these persistent failures is much less because the potential fines for failing to do so will not be very large. Same is true for large breaches—if you breach 100 records, at a minimum penalty of $1,000 for a breach due to reasonable cause, your fine would be $100,000—which is the annual cap," McGraw said. However, a breach larger than 100 records, for example, a breach of 1,000 records, would still expose organizations to the same maximum penalty of $100,000, as long as the breach was due to reasonable cause and not willful neglect, she noted.

The Health Information Technology for Economic and Clinical Health Act (HITECH Act) strengthened HIPAA enforcement by increasing minimum and maximum potential civil monetary penalties, according to HHS. The fines were structured into four tiers based on the organizations' culpability, such as whether organization leaders were aware of the violation and took steps to address it. The lower tier includes organizations that were not aware of a HIPAA violation, and the most-severe category describes "willful neglect" that was not corrected in a timely manner.

The HITECH Act's fine structure, however, included "apparently inconsistent language," according to HHS, leading to confusion over the maximum fine that could be imposed on an organization for each year a violation persisted. As part of a final rule HHS adopted in 2013, the department set a static maximum cap of $1.5 million per year that a privacy or security violation was present, regardless of severity.

"There has always been some confusion about the formal penalty provisions of the rules. While there are four categories with different lower level amounts, the rule could be read to make the higher end the same for all of the categories," Kirk Nahra, a privacy attorney with WilmerHale, told Fierce Healthcare. "This is an indication that OCR generally will treat different levels of 'blame' differently, but that has generally been their practice in any event." 

McGraw broke down what the updated fine structure would mean for a tier 2 HIPAA violation (reasonable cause). With the previous interpretation, a healthcare organization that reported a single breach of 5,500 patient records would face a $1.5 million fine (the total would actually be 5,500 records multiplied by $1,000 for a total of $5.5 million but it hits the $1.5-million cap). Under HHS' current interpretation, the fine for that same violation would be capped at $100,000.

Another example would a hospital flagged with a HIPAA violation for failing to encrypt mobile devices going back two years. Hospital leaders recognized it needed to encrypt and had a plan in place but never executed it. Under the old interpretation, that hospital would have faced a $730,000 fine, but under the updated structure, the fine would be capped at $200,000, or $100,000 for each year of the violation.

HHS plans to use the new penalty tier structure until further notice, and it expects to engage in future rule-making to revise the penalty tiers in the current regulation to better reflect the text of the HITECH Act, HHS said.