HHS Reduces Penalties for HIPAA Violations; Distinguishes Based on Culpability

Sheppard Mullin Richter & Hampton LLP
Contact

Sheppard Mullin Richter & Hampton LLP

The U.S. Department of Health and Human Services recently published a Notice of Enforcement Discretion that markedly reduced HIPAA-related penalties. According to the Notice, effective immediately, HHS will change how it applies regulations concerning the assessment of Civil Money Penalties under HIPAA. Prior to issuance of the Notice, HHS regulations applied the same $1.5 million cumulative annual CMP limit across all categories of violations (which are based on the level of culpability of the violator). In other words, if a company found itself in violation of HIPAA, the penalties for which it would be responsible could be no more than $1.5 million per year regardless of the category of violation and regardless of the number of violations the company had committed.

Now, as a result of the Notice, the cumulative annual CMP limit is different depending on the category of violation (and, by extension, the level of culpability of the violator): (1) for each violation where the covered entity or business associate did not know and, by exercising reasonable diligence, would not have known that the covered entity or business associate violated HIPAA, the total annual limit is now $25,000; (2) for each violation due to reasonable cause and not to willful neglect, the total annual limit is now $100,000 per year; (3) for each violation due to willful neglect that is corrected within 30 days, the total annual limit is now $250,000; and (4) for each violation due to willful neglect that is not corrected within 30 days, the total annual limit remains $1.5 million.

Putting it Into Practice: According to HHS, forty percent (40%) of the cases where HHS has taken enforcement action to date have involved willful neglect that is not corrected, the category for which HHS has retained the $1.5 million annual cumulative CMP limit. While most will focus on the fact that this is a significant number of cases still subject to the maximum penalty of $1.5 million, it is also the case that for over half of cases to date, the maximum penalty level HHS could have imposed per year would have been less had those cases occurred after the Notice. HHS’s changes suggest that covered entities and business associates should do everything they can to ensure that their culpability levels for violations are low. The lower the culpability level of the violator, the lower the maximum penalty HHS will levy.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Sheppard Mullin Richter & Hampton LLP | Attorney Advertising

Written by:

Sheppard Mullin Richter & Hampton LLP
Contact
more
less

Sheppard Mullin Richter & Hampton LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.