OCR Announces Changes to HIPAA Penalties

Published On: May 28, 2019

The Office for Civil Rights (OCR) recently reinterpreted the HIPAA penalty structure to reduce the maximum annual penalty amounts:

  • When a covered entity does not know about the violation:

Reduced annual amount from $1.5 million to $25,000

  • When the violation was due to “reasonable cause” or circumstances that would make it unreasonable for the covered entity, despite the exercise of ordinary business care and prudence, to comply with the provision violated:

Reduced annual amount from $1.5 million to $100,000

  • When the violation was due to willful neglect (conscious, intentional failure or reckless indifference to the obligation to comply) but it is timely corrected:

Reduced annual amount from $1.5 million to $250,000

OCR maintained the highest penalties for violations due to willful neglect that are not corrected (annual limit of $1.5 million).

OCR’s Former Interpretation of the HIPAA Penalty Structure

In 2009, Congress enacted the Health Information Technology for Economic and Clinical Health (HITECH) Act, which established four categories of HIPAA violations with penalty tiers based on the level of culpability. In 2013, OCR set a limit of $1.5 million per calendar year for any ongoing HIPAA violation, regardless of the level of culpability.

Revised HIPAA Penalty Framework

After reviewing the civil money penalty (CMP) structure, OCR issued a Notification of Enforcement Discretion Action Regarding HIPAA Civil Money Penalties in which it announced that it had determined the HITECH Act’s penalty scheme contained “inconsistent language,” which led to confusion over the maximum penalty limits in place for ongoing HIPAA violations. OCR reduced the maximum annual penalty amounts for instances when a covered entity does not know about the violation, when the violation was due to “reasonable cause,” and when the violation was due to willful neglect but is timely corrected. The annual limits in these instances are now $25,000, $100,000 and $250,000, respectively. For violations due to willful neglect that are not corrected, the annual penalty limit remains $1.5 million.

Next Steps for OCR and Health Centers

The reinterpretation of the annual penalty amounts comes after a record-breaking year in which OCR settled 10 cases and was granted summary judgment in one case, for total penalties of $28.7 million. This summer OCR is expected to propose rules on the annual penalty limits and on distributing penalty and settlement amounts to individuals harmed by HIPAA violations. Health centers should continue to build their HIPAA compliance programs to ensure that potential HIPAA violations are identified in a timely manner and that the health center responds adequately, in order to avoid the highest level of penalties.

FTLF is conducting a two-day workshop in Washington, DC this October focused on managing patient privacy and confidentiality in the health center setting, including HIPAA fundamentals, 42 CFR Part 2 compliance, and developing or improving a HIPAA compliance work plan. Additional details and information regarding registration can be found here.