April 30, 2019

HHS notifies the public of new HITECH Act rule allowing lower penalties for less culpable offenders

The US Department of Health and Human Services issued a new rule potentially changing the way Civil Money Penalties (CMPs) are applied under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH).  Until now, the same cumulative annual CMP limit was applied to all categories of violations; henceforward, HHS will apply a different limit for each of the four penalty tiers.

Until 2009, when the HITECH Act was enacted, the maximum CMP per violation was $100, with a $25,000 annual ceiling.  The HITECH Act established four categories for HIPAA violations, increased the CMPs, and made the amount dependent on the level of culpability: (1) no knowledge, (2) reasonable cause rather than willful neglect, (3) violation caused by willful neglect but timely corrected, and (4) violation caused by willful neglect and not timely corrected.  However, the application of the ceiling limits and the operation of the four culpability levels remained ambiguous due to the wording of the statute.  The new rule issued by HHS today clarifies the interpretation of the HITECH Act and provides per-violation CMPs and annual penalty ceilings consistent with the four levels of culpability.  The penalties now range from $100 per violation for no knowledge to $50,000 per violation for willful neglect not corrected.  The annual CMP limits range from $25,000 for no knowledge to $1,500,000 for willful neglect not corrected.

Federal Register (30 April 2019)