
Lower-Tier HIPAA Violations to Enjoy Smaller Annual Caps on Penalties

Analysis  |  By Steven Porter  
   April 29, 2019

Under the Obama administration, the Department of Health and Human Services (HHS) had adopted a $1.5 million cap per calendar year for all violations of an identical HIPAA provision. That's being undone.

Being found in violation of the Health Insurance Portability and Accountability Act (HIPAA), even if you had no idea you were doing anything wrong, could in recent years have resulted in financial penalties capped at $1.5 million per calendar year for each provision violated. Not anymore.

HHS said in a "notification of enforcement discretion" released late Friday that the department will impose lower annual penalty caps for all but the most severe tier of HIPAA violations. The annual cap for unwitting offenses has dropped by more than $1.4 million.

The change, which is being rolled out on an interim basis pending further rulemaking, rejects the Obama administration's interpretation of penalty provisions in the Health Information Technology for Economic and Clinical Health (HITECH) Act. While the Obama administration had determined that "apparently inconsistent language" in the law's penalty breakdown meant the government could adopt a $1.5 million cap across the board, the Trump administration has determined that "the better reading" of the law would apply lower caps for lower-tier offenses.

There are four tiers of HIPAA violation severity outlined in the HITECH Act, based on the violator's level of culpability:

  1. No knowledge. The person didn't know, and wouldn't have known even with reasonable diligence, of the violation. (Penalty: $100-$50,000 per violation)

  2. Reasonable cause. The person violated HIPAA due to reasonable cause, not willful neglect. (Penalty: $1,000-$50,000 per violation)

  3. Willful neglect, corrected. The violation resulted from willful neglect that was corrected in a timely fashion. (Penalty: $10,000-$50,000 per violation)

  4. Willful neglect, not corrected. The violation resulted from willful neglect and wasn't corrected in a timely fashion. (Penalty: $50,000 per violation)


Under the Obama administration's interpretation of the HITECH Act's penalty structure, the annual limit for each tier was $1.5 million.

Under the Trump administration's interpretation, the annual limit is $25,000 for tier-one violations, $100,000 for tier-two violations, $250,000 for tier-three violations, and $1.5 million for tier-four violations, according to the HHS notification. The per-violation penalty ranges themselves are unchanged; only the annual caps differ.

Steven Porter is an associate content manager and Strategy editor for HealthLeaders, a Simplify Compliance brand.


KEY TAKEAWAYS

The annual cap for unwitting HIPAA violations has dropped by more than $1.4 million.

The change stems from differing interpretations of the HITECH Act.

This is being rolled out on an interim basis, with further rulemaking expected.

