As we reported here and here, the U.S. Department of Health and Human Services (“HHS”) recently issued final regulations (the “Omnibus Final Rule”) implementing changes to HIPAA mandated by the HITECH Act. The long awaited Omnibus Final Rule greatly increased the potential penalties for violations of the HIPAA privacy, security and data breach notification rules. Most of the law’s provisions take effect March 26, 2013.
The Omnibus Final Rule provides for varying penalties for violations, depending on the degree of care exercised by the covered entity or business associate.
Once a violation has been established, the Office of Civil Rights of the U.S. Department of Health and Human Services (the “OCR”) classifies the violation into one of four tiers, based on the knowledge and intent of the respondent:
- Violations that were not known to the covered entity or business associate, and could not have been known even with the exercise of ordinary care and prudence (subject to a minimum penalty of $100 and a maximum of $50,000 per violation);
- Violations that were known or should have been known, but were not the result of willful neglect or could not have been avoided with the exercise of ordinary care and prudence (subject to a minimum penalty of $1,000 and a maximum of $50,000 per violation);
- Violations that were the result of willful neglect and that are promptly corrected (subject to a minimum penalty of $10,000 and a maximum of $50,000 per violation); or
- Violations that were the result of willful neglect and that are not promptly corrected (this mandates the highest level of penalty of a minimum of $50,000 per violation).
Under the Omnibus Final Rule, even a low-level violation could, in theory, generate a penalty of $50,000. While each of the first three tiers has a range of per-violation penalties capped at $50,000, the highest tier has no maximum, subject to the annual cap for violations of the same provision. For all tiers, the annual penalties associated with multiple violations of any one requirement are capped at $1.5 million.
Significantly, OCR takes the position that many kinds of violations are subject to recurring or daily penalties. For example, a failure to produce medical records requested by one individual could be subject to a daily penalty. Also, a violation that impacts a large number of individuals, such as a violation of the security rule that results in a large data breach, could be treated as a violation for each individual. Thus, a willful violation that persists for an entire year or that impacts thousands of people could potentially result in penalties that reach the annual cap. While the penalty for a multiple violations of a single standard is subject to an annual cap, one “event” could involve violations of multiple standards. In short, there are numerous circumstances under which penalties can add up to substantial amounts, and the penalty “tier” applied to a violation could be very important. On the other hand, as long as a violation is not associated with “willful neglect,” the penalty can be waived entirely by OCR. OCR’s authority to waive such penalties could be significant in cases of multiple violations involving many individuals or an extended period of time.
Unknown and Unknowable Violations
The lowest tier of penalties, starting at $100 per violation, arises if the respondent did not know about the violation, and could not have known about it even with the exercise of reasonable prudence or care. While one might argue that an unknown and possibly even “unknowable” violation should not result in a penalty, we note that OCR has the discretion to either waive or impose a penalty under these circumstances.
Violations Due to Reasonable Cause
The middle level of penalties, starting at $1,000 per violation, arises when the respondent can demonstrate that the violation resulted because the respondent was prevented from complying with the rule by “reasonable cause” or that the violation did not arise from “willful neglect.”
Under the Omnibus Final Rule, “reasonable cause” means an act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the covered entity or business associate did not act with willful neglect. “Reasonable diligence” means the business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances. Willful neglect, on the other hand, is defined as a conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated. By definition, a violation involving reasonable cause cannot be the result of willful neglect.
Thus, it appears that the middle tier of penalties will apply to cases in which a respondent failed to exercise “reasonable diligence” to discover or correct its violations, but did not act with willful neglect. OCR has clarified that if circumstances prevented an entity from complying with the rule even though it exercised ordinary business care and prudence, then those circumstances will also fall within the definition of “reasonable cause.” A violation under these circumstances would be subject to the second tier of penalties. OCR can elect to waive penalties arising from reasonable cause.
Violations Due to Willful Neglect
Violations resulting from willful neglect, defined to mean the conscious, intentional failure or reckless indifference to the obligation to comply with the regulations, will trigger the highest levels of penalties. If a violation resulting from willful neglect is promptly corrected, the minimum penalty amount is $10,000; otherwise, the minimum penalty for a violation resulting from willful neglect is $50,000 per violation. Multiple willful violations or violations of multiple standards arising from one event can multiply the penalties, and the amount of penalties can become significant. Penalties arising from willful neglect cannot be waived.
The following chart summarizes the penalty tiers, caps, and OCR’s waiver authority.
Categories of Violations, Penalty Ranges, and Caps
Click here to view table.
Mitigating and Aggravating Factors
Despite the tiers of prescribed minimum and maximum penalties described above, under the Omnibus Final Rule the Secretary of Health and Human Services retains discretion in setting penalties and, in some cases, waiving civil monetary penalties. The rule lists the following as “general factors” to be considered by the Secretary:
- The nature and extent of the violation;
- The nature and extent of the harm, including reputational harm;
- The history of prior compliance with the administrative simplification provision, including violations by the covered entity or business associate;
- The financial condition of the covered entity or business associate (which may be taken into account in accessing the entity’s ability to comply with a particular requirement); and
- Such other matters as justice may require.
Significantly, each of these factors could either be mitigating, to reduce a penalty, or aggravating, to increase the penalty.
Reducing Your Exposure to Penalties
Obviously covered entities and business associates want to avoid even the appearance of “willful neglect.” Accidents, malicious acts by outsiders, or ordinary human error can lead to a privacy violation, a security incident, or a data breach in any organization. A robust HIPAA compliance program that demonstrates awareness of and a commitment to comply with HIPAA regulations is a worthwhile investment to demonstrate that a violation, incident or breach did not result from willful neglect, but rather occurred in spite of the reasonable, prudent precautions taken by the covered entity or business associate. Indeed, for standards in the security rule that are premised on “reasonable and appropriate” safeguards, a robust compliance program can be used to establish compliance even after a privacy violation or security incident occurs.