Phil Kim in HCPro: OCR Lowers Fines for HIPAA Violations: What You Need to Know

June 25, 2019

HCPro talked with Haynes and Boone, LLP Associate Phil Kim about the U.S. Department of Health & Human Services’ (HHS’s) decision to reassess its regulations in lowering fines for Health Insurance Portability and Accountability Act (HIPAA) violations.

Here is an excerpt:

On April 30, HHS issued a notification of enforcement discretion regarding HIPAA civil money penalties in the Federal Register, indicating that the department will impose lower maximum annual caps on financial penalties for all but the most severe HIPAA violations.

“The Notification of Enforcement Discretion shows that HHS recognizes that there are covered entities (CE) and business associates (BA) who are trying to be compliant with HIPAA and the HITECH Act in that the notification reduces the level of inconsistency in the potential for fines,” says Phil Kim, attorney at Haynes and Boone, LLP in Dallas.

Though only the lawmakers can speak directly to the reasoning behind the change and why it’s happening now, Kim explains that the confusion surrounding these penalty caps goes back several years. The HITECH Act introduced what was supposed to be a tiered system, but it wasn’t clear why it had tiered levels of culpability but not tiered upper limits, says Kim. With the minimum penalties clearly staggered but the annual limit much higher, confusion was understandable. The new reading of the HITECH Act in this notification will help establish more specific ceilings with respect to fines.

With the new system, so long as there is no knowledge of willful neglect, the tiered fine interpretation will be more navigable for a lot of businesses, says Kim. If a CE or BA is subject to a CMP, its risk for liability will be reasonably limited—so long as it doesn’t engage in the fourth tier, he adds.
