The Department of Health and Human Services (“HHS”) recently issued a Notification of Enforcement Discretion Regarding HIPAA Civil Money Penalties (“CMPs”) in which it lowered the maximum annual fines that can be assessed against covered entities and business associates under the Health Insurance Portability and Accountability Act (“HIPAA”) for lower-level categories of violations. The annual limit for violations due to uncorrected willful neglect remains the same, at $1.5 million, while the limits for the other levels of violations were lowered, as shown in the table below.
Because most HIPAA enforcement actions are settled, and fines occur only in a minority of instances, it is unclear what the practical impact of these lowered penalties will be. That said, in light of the record-breaking year that HHS had in 2018, with HIPAA settlements totaling more than $28 million, this is good news for businesses subject to HIPAA. In the event they are subject to a CMP, their risk of liability will be reasonably limited, provided that they do not engage in uncorrected willful neglect. And even when a CMP is not imposed, this announcement reinforces HHS’ position that it will take culpability into account in its enforcement actions.
| Culpability | Minimum Penalty/Violation | Maximum Penalty/Violation | Annual Limit |
| --- | --- | --- | --- |
| No Knowledge | $100 | $50,000 | $25,000 |
| Reasonable Cause | $1,000 | $50,000 | $100,000 |
| Willful Neglect – Corrected | $10,000 | $50,000 | $250,000 |
| Willful Neglect – Not Corrected | $50,000 | $50,000 | $1,500,000 |
There are currently four categories for HIPAA violations, with increasing penalty tiers based on the level of culpability associated with the violation:
- the person did not know (and, by exercising reasonable diligence, would not have known) that the person violated the provision;
- the violation was due to reasonable cause, and not willful neglect;
- the violation was due to willful neglect that is timely corrected; and
- the violation was due to willful neglect that is not timely corrected.
HHS is planning to use this tier structure “until further notice,” but it does plan to engage in future rulemakings on this issue.