HIPAA penalties vary depending on the type of conduct involved. (45 CFR § 160.404). Under HHS's prior interpretation, the types of violations were all subject to an annual maximum penalty of $1,500,000 for identical types of violations. (Id.).

On April 30, 2019, HHS exercised its discretion to lower the annual cap for certain types of penalties as set forth in the following chart:


The penalty amounts are subject to annual cost of living adjustments. (45 CFR §§ 102 and 160.404(a); see 83 FR 51378).

Before you get too excited about the reduced annual cap, you should remember the following:

  1. The new annual caps only apply to identical violations. A single act or omission may result in different violations that are not identical. For example, an impermissible disclosure may violate separate HIPAA requirements, each of which may trigger a different penalty and separate annual cap. (45 CFR § 160.406). Also, the Office for Civil Rights (“OCR”) may impose a separate penalty for each individual whose information was improperly accessed or disclosed. (71 FR 8404-07). In the case of a continuing violation (e.g., the failure to implement a required safeguard or obtain a required business associate agreement), a separate violation occurs each day the covered entity or business associate is in violation of the provision. (45 CFR § 160.406).
  2. If an entity does not act with willful neglect and corrects the violation within 30 days after the covered entity or business associate knew, or by exercising reasonable diligence, would have known of the violation, the OCR may not impose a penalty; such correction is an affirmative defense to penalties. (45 CFR § 160.410(c)). On the other hand, if the entity acts with willful neglect, the relevant penalty is mandatory. (45 CFR § 160.404(b)(iii)-(iv); 75 FR 40876).
  3. A covered entity or business associate is vicariously liable for the violations of their respective agents, including workforce members or business associates acting within the scope of their agency under the federal common law of agency. (45 CFR § 160.402(c)).

In short, HIPAA penalties may add up quickly despite the reduced annual cap on identical types of violations. Covered entities and business associates must ensure that they continue to comply with HIPAA, avoid acting with “willful neglect” at all costs, and correct any violations within 30 days to invoke the affirmative defense to penalties.