In a dramatic turn, the US Department of Health and Human Services (HHS) has announced that effective immediately, penalties for many HIPAA violations will be subject to substantially reduced limits. After a record year of collecting high-dollar settlements, the agency has pulled back and tied its own hands through a Notification of Enforcement Discretion that will likely result in lower penalties and settlement agreement amounts.

Background on HHS’s Enforcement Authority

Under the HITECH Act of February 2009, Congress strengthened HHS’s HIPAA enforcement authority by authorizing increased minimum and maximum potential Civil Monetary Penalties (CMPs) for HIPAA violations. The HITECH Act established four culpability tiers for HIPAA violations:

(1) the person did not know (and, by exercising reasonable diligence, would not have known) that the person violated the provision;

(2) the violation was due to reasonable cause, and not willful neglect;

(3) the violation was due to willful neglect that is timely corrected; and

(4) the violation was due to willful neglect that is not timely corrected.

The HITECH Act tied increased penalties to the level of culpability associated with a violation. In interpreting the HITECH Act enforcement provisions, however, the Department identified inconsistencies in the descriptions of penalty ranges and, while promulgating an updated Enforcement Rule in 2009, stated a position that the HITECH Act provided the Secretary with discretion to impose penalties up to the maximum amount described in the highest penalty tier for each culpability level. Thus, prior to this recent exercise of “enforcement discretion” the Department interpreted the HITECH Act to allow an annual limit of $1.5 million per HIPAA violation per year, regardless of the level of culpability.

HHS’s New Interpretation

The Notification of Enforcement Discretion states that upon further review, HHS has determined that a “better reading” of the HITECH Act is to apply tiered annual limits, ranging from $25,000 to $1.5 million, depending on the level of culpability. In light of this new determination, and as a matter of its enforcement discretion, HHS is announcing revised annual CMP limits for HIPAA violations with the expectation to codify the new interpretation as part of a future rulemaking process. HHS will use this new penalty tier structure going forward for all HIPAA enforcement actions with adjustments for inflation:

This change in the agency’s interpretation of the HITECH Act and its exercise of enforcement discretion comes as MD Anderson Cancer Center in Texas is asking the Fifth Circuit to overturn a ruling by an HHS administrative law judge upholding a $4.3 million HIPAA penalty. MD Anderson is also challenging HHS’s authority to impose the CMP in a suit filed against the HHS Secretary in federal district court. Among other arguments, MD Anderson asserts that the Secretary exceeded his authority by imposing a CMP beyond the statutory caps. MD Anderson argued in its complaint that under the statute, “Reasonable Cause” violations OCR alleged in the case must be capped at $100,000 per violation per year and that the Secretary erroneously imposed the highest level penalty cap of $1.5 million, which renders the culpability-specific caps in the law meaningless “in violation of basic statutory construction principles.” HHS’s newly revised interpretation of the annual cap for a “Reasonable Cause” violation to $100,000 aligns with MD Anderson’s position. OCR Director Roger Severino told reporters Friday that the announcement is not connected with the ongoing MD Anderson cases.

Potential Further Focus on Culpability

The significantly reduced annual limits for HIPAA violations—other than those due to uncorrected willful neglect—will likely bring into focus levels of culpability in the enforcement process. Under the Department’s prior interpretation, which allowed for a $1.5 million maximum penalty regardless of culpability tier, the Department could threaten significant CMPs in its investigations regardless of the level of culpability of the organization. A renewed focus on culpability provides incentives for covered entities and business associates to demonstrate good faith compliance efforts, so that any enforcement action would be subject only to the lower penalty tiers. In fact, under the new framework, organizations have significant financial incentives to correct potential “Willful Neglect” violations in a timely manner, to avoid the penalties associated with the highest tier.

If the Department’s historical approach to enforcement is any indication, this shift is likely to result in lower penalties or at least fewer large enforcement actions of the type we have seen in recent years. The Department previously touted 2018 as an “all-time record year for HIPAA enforcement” measured by $28.7 million in penalties collected. Under the new penalty structure, many of the enforcement actions of previous years likely would have been lower. Director Severino stated Friday that close to 40% of enforcement actions to date have included at least one count of uncorrected willful neglect for which the annual penalty tier is not changing. That means that more than half of enforcement actions did not include any alleged violations at the highest penalty tier; in fact, the CMPs that OCR has imposed for HIPAA violations in recent years have included only “Reasonable Cause” allegations, including in MD Anderson (settlements do not publish detailed culpability tiers for alleged violations).

The Department’s announcement has significant implications for current and future HIPAA enforcement actions that we will continue to monitor.