HHS Adjusts Penalties for HIPAA Violations
Abstract
New annual limits reflect the level of culpability when violations occur and whether corrective action was taken.
The Department of Health and Human Services (HHS) has changed the annual maximum penalties for violating the Health Insurance Portability and Accountability Act (HIPAA). The annual maximum penalties were previously capped at $1.5 million for every tier of violation. Now the annual limit is different for each tier, with only violators who demonstrate willful neglect and failure to correct violations facing a potential $1.5 million annual penalty (see table). The new penalties went into effect in April.
In a notice published in the April 30 Federal Register, HHS cited “inconsistent language” in the Health Information Technology for Economic and Clinical Health (HITECH) Act, which established the tiers in 2009, as the impetus for the changes.
“Upon further review of the statute by the HHS Office of the General Counsel, HHS has determined that the better reading of the HITECH Act is to apply [the new] annual limits,” Roger Severino, director of the HHS Office for Civil Rights, wrote. “HHS expects to engage in future rulemaking to revise the penalty tiers in the current regulation to better reflect the text of the HITECH Act.”
The tiers are defined as follows:
Tier 1: The person did not know and, by exercising reasonable diligence, would not have known that the person violated the provision.
Tier 2: The violation was due to reasonable cause and not willful neglect.
Tier 3: The violation was due to willful neglect that was corrected in a timely manner.
Tier 4: The violation was due to willful neglect that was not corrected in a timely manner.
APA offers HIPAA guides for members, including “APA’s HIPAA Privacy Rule Manual: A Guide for Your Psychiatric Practice” and “APA HIPAA Security Rule Manual.” They are posted here.
“Notification of Enforcement Discretion Regarding HIPAA Civil Money Penalties” is posted here.