On April 30, 2019, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a Notice of Enforcement Discretion announcing that it is lowering the maximum total penalties it may assess against covered entities and business associates for multiple violations of the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules (HIPAA Rules) in a single calendar year.
The HITECH Penalty Scheme
Under HIPAA as originally enacted, Congress authorized HHS to impose a maximum Civil Money Penalty (CMP) of $100 for each violation, subject to a calendar year cap of $25,000 for all violations of an identical requirement or prohibition.
Congress enacted the Health Information Technology for Economic and Clinical Health (HITECH) Act in February 2009 as part of the American Recovery and Reinvestment Act of 2009. The HITECH Act strengthened HIPAA enforcement by increasing minimum and maximum penalties. It also established different categories of HIPAA violations, with increasing penalty tiers based on the level of culpability associated with the violation.
The HITECH Act provided four levels of culpability:
- Culpability Level One - "No Knowledge": The covered entity did not know (and by exercising reasonable diligence would not have known) that it was violating the HIPAA provision.
- Culpability Level Two - "Reasonable Cause": It is established that the HIPAA violation was due to reasonable cause and not willful neglect.
- Culpability Level Three - "Willful Neglect - Corrected": It is established that the violation was due to willful neglect and the violation was corrected within the 30-day period beginning on the first date the person liable for the penalty or damages knew, or by exercising reasonable diligence should have known, that the failure to comply occurred; and
- Culpability Level Four - "Willful Neglect - Not Corrected": It is established that the violation was due to willful neglect and the violation was not corrected within the 30-day period beginning on the first date the person liable for the penalty or damages knew, or by exercising reasonable diligence should have known, that the failure to comply occurred.
The Obama Administration's 2009 Interpretation
HHS issued an Interim Final Rule (IFR) in October 2009 to implement the enhanced penalty provisions of the HITECH Act. However, the language of the Act led to differing interpretations of its penalty provisions. At the time of the 2009 IFR, HHS's view was that the HITECH Act's penalty provisions were conflicting because, in its reading, they referenced two different levels of penalties for three of the four violation types. Although the HITECH Act provided four different annual penalty caps, the IFR concluded that the "most logical reading" of the Act was to apply the highest annual cap of $1.5 million to all four violation types. HHS adopted the IFR as a Final Rule (the "Enforcement Rule") on January 25, 2013, without change to the penalty tiers or annual limits.
The Enforcement Rule's penalty matrix applied the same cumulative annual CMP limit across all four categories of violations based on the level of culpability, as set forth below.
Penalty Tiers Under HHS's 2009 Interpretation (the Enforcement Rule)
Level of Culpability | Minimum penalty/violation | Maximum penalty/violation | Annual limit
No Knowledge | $100 | $50,000 | $1,500,000
Reasonable Cause | $1,000 | $50,000 | $1,500,000
Willful Neglect - Corrected | $10,000 | $50,000 | $1,500,000
Willful Neglect - Not Corrected | $50,000 | $50,000 | $1,500,000
This interpretation maximized HHS's enforcement authority in order to further what it believed was Congress's intent to strengthen HIPAA enforcement, but in doing so it disregarded entirely the lower annual caps that the HITECH Act provided for the three less culpable tiers.
The Trump Administration's 2019 Reinterpretation
HHS will now apply a different cumulative annual CMP limit to each of the four penalty tiers, which it considers the better reading of the HITECH Act. The base amounts, before the inflation adjustments HHS applies each year, are set forth below.
Penalty Tiers Under HHS's April 2019 Reinterpretation
Level of Culpability | Minimum penalty/violation | Maximum penalty/violation | Annual limit
No Knowledge | $100 | $50,000 | $25,000
Reasonable Cause | $1,000 | $50,000 | $100,000
Willful Neglect - Corrected | $10,000 | $50,000 | $250,000
Willful Neglect - Not Corrected | $50,000 | $50,000 | $1,500,000
For now, this reinterpretation is only an exercise of OCR's enforcement discretion, not a binding rule. However, HHS has stated that it expects to undertake future rulemaking to formalize the reinterpretation in a final rule. Such action would make it considerably more difficult for a future administration to return to the prior, higher penalty matrix.
The lowering of the annual CMP limits is certainly more favorable to covered entities and business associates, and it more appropriately incentivizes them to act in ways that fall within the lower annual caps, such as taking additional steps to correct willful neglect within the 30-day window. Because the applicable cap turns on the culpability tier OCR assigns, covered entities and business associates should maintain contemporaneous evidence of lack of knowledge, reasonable diligence, reasonable cause, and timely correction.
Covered entities and business associates should not take this reinterpretation as a sign that OCR is lessening HIPAA enforcement. OCR just wrapped up a record-breaking year for HIPAA financial enforcement and is showing no signs of slowing down.
Regardless, if you do find yourself working with OCR after a HIPAA breach incident as a covered entity or business associate, being able to show OCR that any violations occurred without knowledge despite the exercise of reasonable diligence may mean the difference between a $25,000 annual penalty cap and a $1.5 million one.
Lynda Johnson and Timothy Ezell are both partners at Friday, Eldredge & Clark, LLP.
Amie K. Alexander is an associate. Visit fridayfirm.com.