The U.S. Department of Health and Human Services (?ã
HHS?ÃÂ¥) recently issued an interim final rule (the ?ã
HHS Rule?ÃÂ¥), which sets out inflation adjustments to the civil monetary penalty (?ã
CMP?ÃÂ¥) amounts that HHS is authorized to assess or enforce, including for violations of the HIPAA privacy and security rules. The HHS Rule was issued for compliance with the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015, which was enacted on November 2, 2015 (the ?ã
2015 Act?ÃÂ¥). The 2015 Act requires federal agencies to (i) adjust the level of CMP amounts with an initial ?ãcatch up?ÃÂ¥ adjustment and (ii) make subsequent annual adjustments for inflation. The HIPAA CMP amounts had not been adjusted since 2009. Under the HHS Rule, HIPAA CMP amounts are increased by 10.2% for violations of the HIPAA privacy or security rules by a covered entity or a business associate, as follows:
| |
|
Prior $$ |
Adjusted $$ |
| Violations under a ?ãdid not know/would not have known?ÃÂ¥ standard |
Minimum:
Maximum:
Calendar
Year Cap: |
100
50,000
1,500,000 |
110
55,010
1,650,300 |
| Violations under a ?ãreasonable cause?ÃÂ¥ standard |
Minimum:
Maximum:
Calendar
Year Cap: |
1,000
50,000
1,500,000 |
1,100
55,010
1,650,300 |
| Violations under a ?ãwillful neglect?ÃÂ¥ standard, with timely correction |
Minimum:
Maximum:
Calendar
Year Cap: |
10,000
50,000
1,500,000 |
11,002
55,010
1,650,300 |
| Violations under a ?ãwillful neglect?ÃÂ¥ standard, with untimely correction |
Minimum:
Maximum:
Calendar
Year Cap: |
50,000
1,500,000
1,500,000 |
55,010
1,650,300
1,650,300 |
The increased CMP amounts are applicable to HIPAA violations occurring after November 2, 2015, for which CMPs are assessed after August 1, 2016.
The HHS Rule is available?á
here.