On Friday, April 26, 2019, the U.S. Department of Health and Human Services (“HHS”) filed a Notice of Enforcement Decision (the “Notice of Enforcement”), confirming the agency’s reconsideration of its prior interpretation of the Health Information Technology for Economic and Clinical Health Act’s (the “HITECH Act’s”) penalty structure. In doing so, HHS announced the abandonment of a previous annual penalty cap that did not vary based on an entity’s level of culpability.

Effective immediately, the maximum penalty that the HHS Office for Civil Rights (“OCR”) will impose for violations of a particular Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) requirement that occur within a single calendar year has been, in most cases, significantly reduced. Only violations that are due to a regulated entity’s willful neglect and are not timely corrected keep the prior annual limit of $1.5 million. For the three remaining culpability tiers, OCR will apply a lower annual limit: violations that occur (a) without the regulated entity’s knowledge, where the entity, exercising reasonable diligence, would not have known of the violation; (b) due to reasonable cause and not willful neglect; and (c) due to willful neglect that is timely corrected.

The Notice of Enforcement does not mark the first occasion in which HHS acknowledged ambiguity under the HITECH Act’s tier-based penalty scheme. In 2013, HHS noted the existence of multiple possible legislative interpretations, ultimately issuing a final rule that applied the same cumulative annual limit ($1.5 million) across four violation categories, as illustrated in the chart below:

Culpability tier                 Minimum per violation   Maximum per violation   Annual limit
No Knowledge                     $100                    $50,000                 $1,500,000
Reasonable Cause                 $1,000                  $50,000                 $1,500,000
Willful Neglect, Corrected       $10,000                 $50,000                 $1,500,000
Willful Neglect, Not Corrected   $50,000                 $50,000                 $1,500,000

Under the Notice of Enforcement, HHS confirmed its determination that “the better reading” of the HITECH Act instead applies annual limits that increase with the level of culpability, as set out in the following revised chart:

Culpability tier                 Minimum per violation   Maximum per violation   Annual limit
No Knowledge                     $100                    $50,000                 $25,000
Reasonable Cause                 $1,000                  $50,000                 $100,000
Willful Neglect, Corrected       $10,000                 $50,000                 $250,000
Willful Neglect, Not Corrected   $50,000                 $50,000                 $1,500,000

HHS confirmed that the agency will use the foregoing penalty tier structure, with the dollar figures adjusted for inflation, until further notice.

Because the annual limit now scales with culpability, the revised penalty structure reinforces that prospective HIPAA compliance efforts, in particular documented reasonable diligence and timely correction of identified violations, can significantly reduce a regulated entity’s monetary exposure in future enforcement.