By Lynda M. Johnson, Timothy C. Ezell and Amie K. Alexander
Published in Arkansas Medical News (September/October)
On April 30, 2019, the U.S. Department of Health and Human Services (HHS)’s Office for Civil Rights (OCR) issued notification that it is lowering the maximum total penalties it may assess against covered entities and business associates for multiple violations of HIPAA Privacy, Security, Breach Notification and Enforcement Rules in a single year.
The HITECH Penalty Scheme
Under these rules, Congress initially authorized HHS to impose a maximum Civil Money Penalty (CMP) of $100 for each violation, subject to a calendar year cap of $25,000 for all violations of an identical requirement or prohibition.
Congress enacted the Health Information Technology for Economic and Clinical Health (HITECH) Act in February 2009 as part of the American Recovery and Reinvestment Act of 2009. The HITECH Act strengthened HIPAA enforcement by increasing minimum and maximum penalties. It also established different categories of HIPAA violations, with increasing penalty tiers based on the level of culpability associated with the violation.
The HITECH Act provided four levels of culpability:
- Culpability Level One – “No Knowledge”: The covered entity did not know (and by exercising reasonable diligence would not have known) that it was violating the HIPAA provision.
- Culpability Level Two – “Reasonable Cause”: It is established that the HIPAA violation was due to reasonable cause and not willful neglect.
- Culpability Level Three – “Willful Neglect – Corrected”: It is established that the violation was due to willful neglect and the violation was corrected within the 30-day period beginning on the first date the person liable for the penalty or damages knew, or by exercising reasonable diligence should have known, that the failure to comply occurred; and
- Culpability Level Four – “Willful Neglect – Not Corrected”: It is established that the violation was due to willful neglect and the violation was not corrected within the 30-day period beginning on the first date the person liable for the penalty or damages knew, or by exercising reasonable diligence should have known, that the failure to comply occurred.
The Obama Administration’s 2009 Interpretation
HHS issued an Interim Final Rule (IFR) in October 2009 to implement the enhanced penalty provisions of the HITECH Act. However, the language of the Act led to differing interpretations of its penalty provisions. At the time of the 2009 IFR, HHS’s view was that the HITECH Act’s penalty provisions were conflicting because they allegedly referenced two levels of penalties for three of the four violation types. Despite the fact that the HITECH Act provided four different annual penalty caps, the IFR concluded that the “most logical reading” of the Act was to apply the highest annual cap of $1.5 million to all violation types. The IFR was adopted by HHS as a Final Rule, or Enforcement Rule, without change to the penalty tiers and annual limits on January 25, 2013.
The Enforcement Rule’s penalty matrix applied the same cumulative annual CMP limit across all four categories of violations based on the level of culpability, as set forth below.
Penalty Tiers Under HHS’s 2009 Interpretation (the Enforcement Rule)

| Level of Culpability | Minimum penalty/violation | Maximum penalty/violation | Annual limit |
|---|---|---|---|
| No Knowledge | $100 | $50,000 | $1,500,000 |
| Reasonable Cause | $1,000 | $50,000 | $1,500,000 |
| Willful Neglect – Corrected | $10,000 | $50,000 | $1,500,000 |
| Willful Neglect – Not Corrected | $50,000 | $50,000 | $1,500,000 |
This interpretation maximized HHS’s enforcement authority in order to further what it believed was Congress’s intent to strengthen HIPAA enforcement, but in doing so, ultimately ignored the minimum annual caps provided in the HITECH Act entirely.
The Trump Administration’s 2019 Reinterpretation
HHS will now apply a different cumulative annual CMP limit for each of the four penalty tiers, which it considers the better reading of the HITECH Act. These amounts will be adjusted for inflation, and are set forth below.
Penalty Tiers Under HHS’s April 2019 Reinterpretation

| Level of Culpability | Minimum penalty/violation | Maximum penalty/violation | Annual limit |
|---|---|---|---|
| No Knowledge | $100 | $50,000 | $25,000 |
| Reasonable Cause | $1,000 | $50,000 | $100,000 |
| Willful Neglect – Corrected | $10,000 | $50,000 | $250,000 |
| Willful Neglect – Not Corrected | $50,000 | $50,000 | $1,500,000 |
For now, this reinterpretation is only an exercise of OCR’s enforcement discretion. However, the Trump Administration has made clear its plans to undertake future rulemaking in order to formalize the reinterpretation into a final rule. Such action would make it much more difficult for future administrations to move back to the prior, higher penalty enforcement matrix.
The lowering of annual CMP limits is certainly more favorable to covered entities and business associates, and more appropriately incentivizes them to act in ways that fall within the lower annual caps, such as taking additional steps to correct willful neglect in a timely manner. Covered entities and business associates should maintain evidence of lack of knowledge, reasonable cause, and timely corrections.
Covered entities and business associates should not take this reinterpretation as a sign that OCR is lessening HIPAA enforcement. OCR just wrapped up a record-breaking year for HIPAA financial enforcement, and is showing no signs of slowing down.
Regardless, if you do find yourself working with OCR after a HIPAA breach incident as a covered entity or business associate, taking steps to show OCR that any violations that may have occurred were done without knowledge despite reasonable diligence may mean the difference between a $25,000 penalty cap and a $1.5 million one.
Written by the attorneys in the Health Law Practice Group at Friday, Eldredge & Clark, LLP, this information is not a substitute for legal advice and should be considered for general guidance only. For more information or if you have further questions, please contact one of our Health Law Attorneys.
Lynda M. Johnson has practiced in the health law area since 1986, representing a wide variety of healthcare providers including hospitals, physicians, physician groups, nursing homes, and home health agencies. Recently, her practice has focused on the representation of hospitals and physicians in HIPAA compliance efforts and other areas of regulatory compliance. Her practice also includes issues involving Stark I and II and Anti-Kickback compliance, Medicare/Medicaid reimbursement, corporate compliance issues, physician and hospital organization issues, managed care, healthcare and hospital law, long-term care and home health.
Timothy Ezell practices primarily in the area of healthcare law, representing hospitals, physician groups and other medical service providers in various corporate and compliance matters. His experience covers matters relating to HIPAA, Stark, fraud and abuse, anti-kickback, EMTALA, Medicare reimbursement, compliance, joint ventures, provider sales and acquisitions, medical staff bylaws and credentialing issues.
Amie K. Alexander joined the firm after earning her law degree from the University of Arkansas at Little Rock William H. Bowen School of Law. Her practice is focused in the area of healthcare where she works primarily on various corporate and compliance matters. She drafts and reviews policies to ensure compliance with federal healthcare regulations such as HIPAA, Stark I and Stark II, Anti-Kickback and Medicare/Medicaid reimbursement.