OCR Reduces Monetary Penalties for HIPAA Violations


May 1, 2019

Penalties for violations of the Healthcare Insurance Portability and Accountability Act of 1996 (HIPAA) will be capped based on a different cumulative annual limit for each of the four penalty tiers detailed in the HITECH Act of 2009, the Health and Human Services Office of Civil Rights announced in a notification of enforcement discretion published yesterday.

The HITECH Act, which was designed to strengthen HIPAA enforcement by increasing potential civil monetary penalties (CMPs) against healthcare providers for HIPAA violations, established four violation categories, with penalties that increased in parallel with the level of culpability associated with the violation.

The four tiers were: 1) the person did not know (and, by exercising reasonable diligence, would not have known) ($100 for each violation and a maximum of $25,000); 2) the violation was due to reasonable cause and not willful neglect ($1,000 for each violation and a maximum of $100,000); 3) the violation was due to willful neglect that was corrected in a timely manner ($10,000 for each violation and a maximum of $250,000); and 4) the violation was due to willful neglect and not corrected in a timely manner ($50,000 for each violation and a maximum of $1.5 million).

However, an Interim Final Rule (IFR) issued by Health and Human Services (HHS) in 2009 instead applied the highest annual cap of $1.5 million to all violation types in the belief that this maximum more accurately reflected Congress’s intent to strengthen HIPAA enforcement. The IFR was adopted as a final rule in 2013 without change to the penalty tiers or annual limits.

HHS has since determined that applying annual limits based on the four original penalty tiers better reflects the intent of the HITECH Act, and announced that it will use this structure, as adjusted for inflation, until further notice.

“Upon further review of the statute by the HHS Office of the General Counsel, HHS has determined that the better reading of the HITECH Act is to apply annual limits as . . . $25,000 for no knowledge, $100,000 for reasonable cause, $250,000 for corrected willful neglect, and $1.5 million for uncorrected willful neglect,” wrote OCR Director Roger Severino.

The agency said that it also anticipates making future revisions in the penalty tiers to better reflect the HITECH Act.

The notification of enforcement discretion follows a year marked by 10 settlements and record-breaking enforcements of $28 million against healthcare providers and insurers for inadequate responses to data breaches. These included a $4.3 million HIPAA penalty against MD Anderson Cancer Center for three separate data breaches caused by the theft of unencrypted devices and other alleged violations. The provider has appealed the decision, arguing that the CMP is unlawful and that OCR exceeded its authority in issuing a penalty beyond HIPAA’s statutory limits. The OCR also ended 2018 with a $3 million settlement with Cottage Health stemming from breaches affecting 62,500 people in 2013 and 2015.

At the same time, hackers have continued to target healthcare providers and insurers. A JAMA study published last September reported that healthcare data breaches have increased every year from 2010 to 2017, with healthcare providers accounting for 70 percent of the breaches. In addition, a new Malwarebytes report revealed a 195 percent increase in ransomware attacks on businesses in the first quarter of 2019, and an annual FBI report found healthcare-related crimes involving a total of $4.5 million in losses from 337 victims.

All of these developments should serve as a reminder to healthcare providers of the need for unswerving vigilance regarding HIPAA and the protection of healthcare data and devices from malicious intrusion. Also see our eAlert regarding recent HHS publications on cybersecurity best practices for healthcare organizations.