News and Insights / HHS Lowers Caps on Fines for HIPAA Violations Based on Culpability
Article/Mention

Phil Kim in Inside Health Policy: HHS Lowers Caps on Fines for HIPAA Violations Based on Culpability

May 06, 2019

Inside Health Policy quoted Haynes and Boone, LLP Associate Phil Kim in an article about the U.S. Department of Health and Human Services (HHS) decision to lower the caps on fines for individuals who violate the Health Insurance Portability and Accountability Act (HIPAA).

Here is an excerpt:

HHS on Friday (April 26) announced it is lowering the caps on fines for individuals who violate the Health Insurance Portability and Accountability Act (HIPAA) based on the level of culpability -- or how aware the provider was of the violation and what measures were taken to correct it -- setting a single maximum cap per violation and dropping the annual cap for lesser violations by over $1 million.

On Friday, HHS again updated the maximum and minimum limits, keeping the $50,000 maximum cap per violation, but readjusting the annual per-tier cap, dropping it for some tiers by over $1 million. The new tiers, adjusted for inflation, are as follows:

  • The minimum penalty for having no knowledge of the violation is $100 and the annual cap is $25,000.
  • The minimum penalty for a violation with a reasonable cause is $1,000 and the annual cap is $100,000.
  • The minimum penalty for willful neglect that is corrected is $10,000 and the annual cap is $250,000.
  • The minimum penalty for willful neglect that is not corrected is $50,000 and the annual cap is $1.5 million.

According to HHS, the new penalty tier will be used until further notice and the administration said it expects future rulemaking to revise the penalty tiers “to better reflect the text of the HITECH Act.”

Phil Kim, an attorney with Haynes and Boone, said providers and health plans will likely welcome the change to a certain extent. He said it shows HHS recognizes that for covered entities and business associates trying to be compliant with HIPAA regulations, the notice of enforcement discretion reduces the level of inconsistency with respect to the HITECH Act’s structure for potential fines.

Kim also said the new fines establish a more specific ceiling that may clear up some of the confusion providers and health plans face with respect to civil money penalties; however, it remains to be seen how this will affect the OCR’s record-breaking HIPAA enforcement.

To read the full article, click here. (Subscription required)

Media Contacts
Related Practices