Until recently, the annual limit for civil monetary penalties (CMP) that could be levied against covered entities and business associates in violation of the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act, and their implementing regulations, as amended from time to time (collectively, HIPAA) was $1,500,000. On April 30, 2019, the U.S. Department of Health and Human Services (HHS) released a notice of enforcement discretion lowering the annual CMP caps for certain types of penalties imposed for violating HIPAA. Given that 2018 was HHS’ all-time record year for HIPAA enforcement ($28.7 million in penalties collected), the new annual caps appear to provide relief to covered entities and business associates. The reduced annual caps certainly lower the financial risks for covered entities and business associates that have taken steps to meet HIPAA’s requirements.
However, covered entities and business associates should not get too excited, because the reduction in the annual CMP caps is limited in many ways, including the following:
Only Apply to Identical Violations – the annual limit only applies to identical violations; if a HIPAA breach involves violations of different HIPAA provisions, the annual CMP cap would not apply. For example, as evidenced in the recent HIPAA settlement with Touchstone Medical Imaging, LLC (Touchstone) for $3,000,000 on May 6, 2019, most settlements and enforcement actions involve violations of more than one HIPAA provision.
In 2014, the Office for Civil Rights (OCR) opened an investigation after receiving a complaint alleging that social security numbers of Touchstone’s patients were exposed online through an insecure file transfer protocol (FTP) web server. OCR discovered that Touchstone violated numerous provisions of HIPAA beyond the impermissible disclosure of the protected health information (PHI) of over 300,000 patients through the insecure FTP server, including, for example, the failure to: (i) implement technical policies and procedures to limit access to persons with rights to access the FTP server; (ii) enter into business associate agreements with its information technology vendors; and (iii) conduct an accurate and thorough risk assessment.
The recent Touchstone settlement highlights that although the decrease in the annual penalty caps for certain violations may provide some relief to covered entities and business associates, this relief is limited. Like in the Touchstone settlement for $3,000,000, HIPAA fines can add up very quickly because, more often than not, HIPAA breaches involve more than one HIPAA violation.
Apply on a Cumulative Basis – the annual limit for identical violations will apply on a cumulative basis if HIPAA violations occur over multiple years (e.g., five (5) separate HIPAA violations without knowledge occurring over a five (5) year period would result in a potential cumulative penalty of $625,000 ($25,000 * 5 HIPAA provisions * 5 years)).
Subject to Inflation – the annual limits are subject to inflation with the last applied adjustment in 2018.
HHS intends to utilize this new tier structure until further notice and will engage in future rulemakings, which we will continue to monitor for future updates.
In summary, covered entities and business associates should curb their enthusiasm for the reduced HIPAA annual limits as HIPAA compliance efforts continue to be critical to avoid potentially hefty HIPAA fines.