[co-author: Austin Smith]

The Department of Health and Human Services Office for Civil Rights (OCR) today announced that it is lowering the maximum total penalties it may assess against covered entities and business associates for multiple violations of a single HIPAA provision in a single calendar year. Although OCR is likely to continue to vigorously enforce HIPAA, covered entities and business associates now have stronger incentives to demonstrate that any HIPAA violations they face were due to a lack of knowledge or to reasonable cause, as well as to take actions to correct any violations within 30 days. These steps may allow the entity to qualify for significantly lower annual caps on the penalties they face. Before today a covered entity or business associate could have faced up to $1.7 million in penalties in a single year for violations of the same HIPAA provision that it reasonably did not know about. Now that maximum is being lowered to $28,526 per year – a 6,000 percent decrease!

Overview

OCR’s decision stems from a re-interpretation of the Health Information Technology for Economic and Clinical Health (HITECH) Act’s unclear language about annual caps on continuing violations of the same HIPAA provision. The HITECH Act lays out a penalty scheme in which there are four levels of penalties and four levels of culpability. But for the first three levels of culpability, there is both a minimum penalty and corresponding annual cap, and a maximum penalty and corresponding annual cap. This led to confusion regarding whether the minimum annual cap applies or the maximum annual cap applies.

The Obama Administration took the position that all levels of culpability were subject to the highest annual limit to avoid what it perceived as illogical results (a single violation being able to exceed the annual cap) and to further what it believed was Congress’ intent to strengthen HIPAA enforcement. 

Today’s reinterpretation reverses that decision and applies lower annual limits to each tier of culpability (except the highest, which maintains the same limit). Although technically this is only an exercise of OCR’s enforcement discretion for now, it is very likely that this policy will be formalized into a rule—which would make it much harder to go back to the prior, higher penalty scheme in the future.

A Deeper Dive …

The confusion started in 2009 when the HITECH Act amended HIPAA’s penalty scheme, among other things. Under HIPAA as originally enacted in 1996, penalty calculations were simple: HHS was authorized to impose up to a $100 penalty for each violation of the law, up to a maximum of $25,000 per calendar year for all violations of an identical HIPAA provision. But the HITECH Act complicated things. First, it created a four-tier penalty system based on the culpability of violations:

(1) the covered entity or business associate, exercising reasonable diligence, did not know that it violated HIPAA;
(2) the violation was due to reasonable cause;
(3) the violation was due to willful neglect, but it was timely corrected within 30 days; or
(4) the violation was due to willful neglect and was not timely corrected.

Second, each tier also had its own minimum penalty and annual cap. The minimum penalty for each violation was set at $100; $1,000; $10,000; and $50,000. The corresponding annual cap for multiple violations of the same provision were $25,000, $100,000, $250,000, and $1.5 million.

Third, each of the first three tiers (lack of knowledge, reasonable cause, or timely correction) had a maximum penalty of $50,000 per violation, and an annual cap of $1.5 million for multiple violations of the same provision.

The problem is whether to apply the minimum annual cap, the maximum annual cap, or some combination of the two. For example, if a covered entity falls under the lower level of culpability – it did not know of the violation and through the exercise of reasonable diligence would not have known – then the range of penalties for each violation is a minimum of $100 and a maximum of $50,000. 

The question is whether the annual cap for multiple violations of the same provision is $25,000 or $1.5 million. If you apply the $25,000 annual cap, then you get the seemingly absurd result that the statute provides that a single violation can be penalized up to $50,000, but the annual cap is half that amount ($25,000). If you apply the $1.5 million cap, however, then you seemingly make the $25,000 cap meaningless. You also could try to apply them both, finding that violations that are assessed at the minimum ($100) are subject to a $25,000 cap, violations assessed at the maximum ($50,000) are subject to a $1.5 million cap, and violations that are assessed at an amount in between (e.g., $10,000) are subject to some annual cap in between the maximum and minimum (e.g., $300,601).

In 2009, OCR chose the second option above, only applying the maximum annual cap. Today’s changed interpretation gives greater relevance to the annual cap associated with each minimum penalty amount. This is consistent with the rule of statutory construction that each word in a statute should be given meaning, since the annual caps associated with the minimums are no longer ignored. But it creates the seemingly nonsensical result that a single violation of the lowest tier can be penalized up to $50,000, but the annual limit is half that amount. This is highlighted in the table below:

It is not clear why OCR determined that this change was necessary. OCR’s notification indicated that it further reviewed the prior decision and determined that this was the “better reading” of the statute. This reading is certainly friendlier to covered entities and business associates. It also arguably will better incentivize covered entities and business associates to act in ways that fall within the lower annual caps. But we caution against viewing this change as an indication that OCR is lessening HIPAA enforcement. OCR has highlighted that 2018 was a record-breaking year for HIPAA financial enforcement, recent statements have indicated that OCR is interested in greater enforcement with respect to failures to provide individuals access to their protected health information, and OCR has sent signals that future phases of the audit program are more likely to lead to compliance reviews and financial settlements or penalties.

The changed interpretation means that covered entities and business associates have a much stronger incentive to convince HHS that any violations they may have committed were done without their knowledge despite reasonable diligence. The new lower cap of $25,000 total per year for violations of an identical HIPAA provision with this low culpability is decidedly easier to swallow than the prior $1.5 million dollar annual limit. And even for the two middle tiers of culpability, annual maximums of $100,000 and $250,000, are still significantly below that prior limit as well. To qualify for these lower maximums, though, companies will need to be able to show that they were doing everything they reasonably could before, and acting as quickly as possible in response to, a violation. 

OCR also confirmed that the referenced amounts will be adjusted for inflation. For example, in 2018, the annual cap of $1.5 million was adjusted to $1,711,533. The same inflation adjustment would lead to annual caps of $28,526, $114,102, and $285,256 for the lower levels of culpability. The government has not yet released inflation updates for 2019 and on.

Of note, the annual caps can be applied cumulatively. For example, if an entity violated five HIPAA provisions over six years but reasonably did not know of the violations, then OCR can apply the $25,000 annual cap for each violation and each year, leading to total potential penalties of $750,000 ($25,000 for multiple violations of each HIPAA provision x 5 HIPAA provisions x 6 years).