On April 30, 2019, the Department of Health and Human Services (HHS) Office of Civil Rights (OCR) released the “Notification of Enforcement Discretion Regarding HIPAA Civil Money Penalties.”
This is a rarely used procedural notice of reinterpretation, or “discretion,” that modifies the existing interpretation of current law. When legislating or repealing a law is unlikely, this administration has used such notices to work around and reduce the impact of certain laws, provisions and codes. In line with the Trump administration’s position on policy reinterpretation of the law, HHS OCR has decreased the annual cap for HIPAA penalties. The table below shows that all amounts other than the caps for the first three tiers are unchanged.
| Violation Tier | 2019 Penalty Per Violation | Old Cap (2013, Pre-Notice) | New Cap (Post-Notice) |
| --- | --- | --- | --- |
| No knowledge that HIPAA was being violated | $100 minimum – $50,000 maximum | $1.5 Million | $25,000 |
| Reasonable cause: knew or should have known about the violation had reasonable due diligence been applied, but falls short of willful neglect | $1,000 minimum – $50,000 maximum | $1.5 Million | $100,000 |
| Willful neglect – corrected | $10,000 minimum – $50,000 maximum | $1.5 Million | $250,000 |
| Willful neglect – not corrected, or not corrected within 30 days/timely | No change | $1.5 Million | $1.5 Million |
These changes come following a record-breaking enforcement year for HHS OCR, with 10 settlements in 2018 totaling $23.5 million, including the Anthem breach, which resulted in a $16 million settlement for failing to implement measures to prevent or detect hackers from gaining access to the Protected Health Information (PHI) of 79 million patients.
HIPAA Penalties Decreases – Talking Points
Your HIPAA Privacy Officer will need to update any relevant HIPAA materials, but this change is not significant enough to warrant retraining.
- In case you don’t know who your HIPAA Privacy Officer is or if you do not have one, appoint one and document this role via a job description.
- Anyone familiar with the compliance of your employee benefits plans may serve as HIPAA Privacy Officer, but keep in mind that this person will be the point of contact should HHS contact your organization, so choose someone appropriate.
Some may take this news as a reason to further suspend, or fail to recognize, how important HIPAA compliance and resources are to their organization. As a result, it is worth considering how to think about and talk about this change. This is how the organization’s HIPAA Privacy Officer might present the best-practices viewpoint:
- Yes, the penalties are lower. We want to be HIPAA compliant not because we care about fines, but because we are a high-integrity company that cares about the confidentiality of employees, plan participants, clients, protected individuals, and sensitive information. We would want the same for ourselves and our families.
- HIPAA is not only the law but also best practices.
- This is not a reason to rejoice, to jump to the conclusion that enforcement has been reduced, or to declare “HIPAA is over forever!”
- This is a symbol of volatility in the regulatory world, and that is dangerous. It means there will be conflicts between the law and its interpretations, leading to even more legal challenges.
- In such a volatile world it is important to shore up your HIPAA compliance while what is required can still be understood through well-established regulations and existing interpretations. Also, refer back to the bullets above!
Action Required
No action is needed on your part. Clients subject to HIPAA (e.g., self-funded plans and plan components such as some Health Savings Accounts (HSA), Flexible Spending Accounts (FSA), Health Reimbursement Arrangements (HRA), Medical Savings Accounts (MSA), Employee Assistance Programs (EAP) and wellness programs) should ensure they are HIPAA-compliant. Contact your Leavitt Group representative if you need assistance understanding how to be HIPAA-compliant. Let us help! We are your partner in compliance!
Dramatic cuts to penalties. Will this result in greater complacency in an already insufficient privacy and security context? Hope not.
It is likely, which is why it is important to get ahead of the messaging – this is not a reason for complacency … it is a sign of volatility. Comply while it makes sense.