On April 26, 2019, the US Department of Health and Human Services (HHS), Office for Civil Rights (OCR) issued a Notification of Enforcement Discretion Regarding HIPAA Civil Money Penalties (the Notice) to inform the public that OCR will exercise its discretion in assessing Civil Money Penalties (CMPs) as set forth by Congress in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act. Current OCR regulations erroneously apply the same cumulative annual CMP limit of $1.5 million across the four categories of violations based on the level of culpability, despite the statute setting four different annual limits. The Notice states that, as a matter of enforcement discretion, OCR will now apply a different cumulative annual CMP limit for each of the four penalties tiers in the HITECH Act, as Congress set forth, and will engage in rulemaking to further address this issue. In this article, we summarize the Notice and analyze its implications for HIPAA-covered entities and business associates.
Annual CMP Caps Prior to the Notification of Enforcement Discretion
When enacting the HIPAA administrative simplification provisions, Congress authorized the Secretary of HHS or his designee to impose a maximum CMP of $100 for each violation, subject to a calendar year cap of $25,000 for all violations of an identical requirement or prohibition. In response, OCR issued a HIPAA enforcement final rule on February 16, 2006, which, among other things, incorporated penalties consistent with the $100 per violation cap and $25,000 annual cap under the statute. The HITECH Act, enacted in February 2009, increased the minimum and maximum potential CMPs for HIPAA violations. Specifically, Section 13410(d) of the HITECH Act established four categories for HIPAA violations, with increasing penalty tiers based on the level of culpability associated with the violation:
- Person did not know (and, by exercising reasonable diligence, would not have known) that the person violated the provision;
- Violation was due to reasonable cause, and not willful neglect;
- Violation was due to willful neglect that is timely corrected; and
- Violation was due to willful neglect that is not timely corrected.
The penalty amounts under the HITECH Act corresponding to each culpability level or violation type above are as follows:
- $100 per violation, with a cap of $25,000 on violations of an identical requirement or prohibition during a calendar year (42 U.S.C. 1320d- 5(a)(3)(A));
- $1,000 per violation, with a cap of $100,000 on violations of an identical requirement or prohibition during a calendar year (42 U.S.C. 1320d-5(a)(3)(B));
- $10,000 per violation, with a cap of $250,000 on violations of an identical requirement or prohibition during a calendar year (42 U.S.C. 1320d-5(a)(3)(C)); and
- $50,000 per violation, with a cap of $1,500,000 on violations of an identical requirement or prohibition during a calendar year (42 U.S.C. 1320d-5(a)(3)(D)).
Given that OCR has chosen to assess ongoing or repeated HIPAA violations (e.g., failure to conduct an accurate and thorough risk analysis) as one violation per day (365 days per year), these calendar year caps are highly relevant restrictions.
On October 30, 2009, OCR issued an interim final rule (IFR) to implement the enhanced penalty provisions of the HITECH Act. At the time, OCR took the view that the HITECH Act’s penalty provisions were “conflicting” because they referenced two levels of penalties for three of the four violation types. Despite the fact that the HITECH Act provided four different annual penalty caps, the IFR concluded that “the most logical reading” of the law was to apply the highest annual cap of $1.5 million to all violation types, stating that this was “consistent with Congress’ intent to strengthen enforcement.”
On January 25, 2013, OCR adopted the text of the IFR as a final rule (Enforcement Rule) without change to the penalty tiers and annual limits. OCR noted in the preamble that, “[i]n adopting the HITECH Act’s penalty scheme, the Department recognized that section 13410(d) contained apparently inconsistent language (i.e., its reference to two penalty tiers ‘for each violation,’ each of which provided a penalty amount ‘for all such violations’ of an identical requirement or prohibition in a calendar year). To resolve this inconsistency, with the exception of violations due to willful neglect that are not timely corrected, the IFR adopted a range of penalty amounts between the minimum given in one tier and the maximum given in the second tier for each violation and adopted the amount of $1.5 million as the limit for all violations of an identical provision of the HIPAA rules in a calendar year.” See 78 FR 5566, 5582 (Jan. 25, 2013).
Commenters responded to the Enforcement Rule by expressing concern about the $1.5 million cap for all penalty tiers, arguing that because the outside limits were the same for all culpability categories, the Enforcement Rule “ignored the outside limits set forth by the HITECH Act within the lower penalty tiers, rendering those limits meaningless.” 78 FR at 5583. In responding to these comments, OCR stated that it continued to believe “that the penalty amounts are appropriate and reflect the most logical reading of the HITECH Act, which provides the Secretary with discretion to impose penalties for each category of culpability up to the maximum amount described in the highest penalty tier.” Id. As a result, the Enforcement Rule applies an annual upper limit of $1.5 million for each of the four culpability tiers, as shown below:
Changes under the Notification of Enforcement Discretion
As set forth in the Notice, upon further review of the statute by the HHS Office of the General Counsel, OCR has determined that the better reading of the HITECH Act is to apply annual limits follows, as they are set forth in the statute itself:
OCR has announced that it will use this penalty tier structure, as adjusted for inflation, until further notice. OCR expects to engage in future rulemaking to revise the penalty tiers in the current regulation to “better reflect the text of the HITECH Act.” Among other things, the rulemaking may clarify how OCR will reconcile the discrepancy between the new $25,000 annual limit for identical violations in the first tier, which is half of the $50,000 maximum penalty per violation for this same tier.
Since the passage of the Enforcement Rule, we have seen numerous multi-million dollar settlements CMPs imposed for alleged HIPAA violations. For example, in 2016, an Illinois health care system agreed to pay $5.55 million settle allegations that it violated HIPAA. At the time, the settlement was the biggest CMP involving a single entity. At the end of 2018, a major health insurance payor agreed to pay $16 million to settle alleged HIPAA violations.
OCR’s revised enforcement approach may mean lower penalties for Covered Entities and Business Associates that have taken measures to comply with HIPAA. Because OCR’s budget for enforcement is derived from its recoveries, the lower penalties may also mean that OCR has fewer resources to pursue claims against Covered Entities and Business Associates.
This correction is likely to be particularly galling for entities that have been assessed CMPs for HIPAA violations in the past. For example, a children’s hospital in Texas was assessed a $3,217,000 HIPAA penalty in 2017 based entirely on “Tier II” (i.e., reasonable cause level) violations, of which $2,410,000 (75%) was directly attributable to OCR’s prior misinterpretation of the HITECH Act. Now, OCR would impose just over $800,000 in penalties on the very same factual findings and legal conclusions.
The same is true to a large extent for many of the nearly 60 entities that have settled alleged HIPAA violation findings with OCR to avoid the imposition of CMPs. Each time we have negotiated such a settlement with OCR, OCR has used the prior (erroneous) version of the CMP caps to threaten excessive penalties against our clients if settlement could not be reached. We have argued this very issue of statutory fidelity (and void contrary regulations) to OCR each time, but it fell on deaf ears with OCR stating that it is required to follow its own regulations.
Markedly, the Notice comes on the heels of two actions that were recently filed by University of Texas MD Anderson Cancer Center against OCR: (1) a petition in the US Court of Appeals for the Fifth Circuit for review of the HHS Departmental Appeals Board Decision to impose CMPs on MD Anderson, and (2) a complaint for declaratory and injunctive relief filed in the US District Court for the Southern District of Texas. In 2018, MD Anderson experienced a breach involving the electronic protected health information of 34,883 patients. OCR subsequently investigated and alleged MD Anderson violated HIPAA and its implementing regulations by failing to use encryption, imposing a $4.348 million penalty for the alleged violations. MD Anderson is arguing that the penalty exceeds the maximum CMP for a HIPAA violation under the reasonable cause penalty tier, and further, that the penalty is in breach of the Eighth Amendment to the United States Constitution.
At an International Association of Privacy Professionals Global Privacy Summit session last week, Timothy Noonan, OCR’s Acting Deputy Director for Health Information Privacy, explained that OCR issued the Notice as a result of HHS’ department-wide regulatory reform efforts that involve the reexamination of each HHS agency’s activities in light of its respective statutory authorities.
It remains to be seen whether OCR will adjust its approach to pursuing enforcement actions or negotiating settlements in order to maximize its collections under the corrected penalty tier structure. For instance, OCR could prioritize cases involving alleged violations that fall within the “willful neglect—not corrected” level of culpability, for which the annual cap for identical violations remains $1.5 million. It is further possible that going forward, OCR will resolve a larger percentage of its investigations through enforcement actions as opposed to providing technical assistance or taking other corrective actions that do not involve monetary payments by a covered entities or business associates. In addition, OCR may begin demanding monetary settlement amounts that reflect higher percentages of the maximum potential CMPs that can be assessed against entities.
It will also be interesting to see whether OCR makes any effort to make this correction retroactive—but we are not holding our breath. We will continue to monitor further updates regarding OCR’s new, corrected interpretation of the HITECH Act and annual CMP limits, including further rulemaking on this topic.