New Annual HIPAA Penalty Tiers

Six months after imposing the largest ever HIPAA fine ($16 million) following a HIPAA data breach, the U.S. Department of Health & Human Services’ Office for Civil Rights (“OCR”) has announced that it is exercising its enforcement discretion to lower maximum annual HIPAA penalties.

Under the 2009 HITECH Act, Congress established four categories of HIPAA violations with increasing levels of culpability. The four tiers are where:

(1) the person did not know (and, by exercising reasonable diligence, would not have known) that the person violated the provision;

(2) the violation was due to reasonable cause, and not willful neglect;

(3) the violation was due to willful neglect that is timely corrected; and

(4) the violation was due to willful neglect that is not timely corrected.

OCR guidance issued last week changed the Department’s historical position that the maximum penalty for violations of an identical HIPAA provision for each of the four types of violations is $1.5 million per year. While OCR retains the $50,000 maximum per-violation penalty across all tiers, its new guidance adopts graduated annual limitations for violations of the same requirement, which lower the annual limitations for all but the most serious violations. Under the Department’s new guidance, “no knowledge” violations may result in an annual penalty of up to $25,000, “reasonable cause” up to $100,000, willful neglect that is corrected up to $250,000, and willful neglect that is not corrected up to $1.5 million.

Guidance on Mobile Apps Chosen by Patients

OCR Frequently Asked Questions (“FAQ”) released earlier this month clarify the circumstances in which covered entities (e.g., healthcare providers) will and will not be held liable for third-party applications’ (“apps’”) uses and disclosures of protected health information (“PHI”). See OCR HIPAA Guidance/FAQ:; see also Additional HHS Guidance,

The FAQs clarify that whether a covered entity bears liability for an app’s use or disclosure of PHI depends on whether the app is chosen by the patient, and whether the PHI was provided to an app developed by, or provided by or on behalf of, the covered entity. If the app is chosen by the individual to receive his or her PHI, and the app is not provided by or on behalf of the covered entity, the covered entity is not liable for subsequent use or disclosure of the requested PHI by the app. Conversely, if the app is developed for, or provided by or on behalf of, the covered entity, the covered entity may be liable for disclosures or uses of the ePHI by the app. HHS further explains that, if a provider uses an application programming interface (“API”) to connect to an app designated by a patient, the API must comply with applicable HIPAA requirements. An additional FAQ explains that covered entities generally may not refuse to disclose ePHI to a third-party app of the patient’s choosing and underscores that the HIPAA does not govern how such apps can use information that has been disclosed to them pursuant to patients’ exercise of their rights to access their own PHI. See Refusing to disclose ePHI Guidance,