The Department of Health and Human Services (HHS) recently announced its decision to significantly reduce the maximum annual penalties it will impose on health care providers for violating the Health Insurance Portability and Accountability Act (HIPAA). HHS previously applied the same maximum penalty of $1,500,000 to all four tiers of culpability under the Health Information Technology and Clinical Health Act (HITECH). The four tiers of culpability are: (1) person did not know, and by exercising reasonable diligence, would not have known, that the person violated HIPAA; (2) the violation was due to reasonable cause, and not willful neglect; (3) the violation was due to willful neglect that is timely corrected; and (4) the violation was due to willful neglect that is not timely corrected.

HHS faced criticism for applying the $1,500,000 maximum to all four tiers of culpability, as referenced in its Notification of Enforcement Discretion Regarding HIPAA Violations. According to HHS Office of the General Counsel, the changes to the maximum annual penalties are a “better reading” of the HITECH Act.[1] HHS’ new interpretation of the HITECH Act sets the monetary penalties as follows: $25,000 for no knowledge, $100,000 for reasonable cause, $250,000 for corrected willful neglect, and $1,500,000 for uncorrected willful neglect.[2] HHS will use this new tiered structure, adjusted for inflation until further notice, and also expects to engage in future rulemaking to revise the penalty tiers “to better reflect the text of the HITECH Act.”[3]

In light of OCR’s all-time record of HIPAA enforcements in 2018, totaling $24.7 million in settlements, and HHS’ new penalty structure, covered entities should take proactive action to remain HIPAA compliant, create and update policies, and implement safeguards to prevent unauthorized access to protected health information.