The Department of Health and Human Services Office for Civil Rights has decided to reduce the annual limit of civil penalties applied to HIPAA violations for three of the four penalty tiers.
According to the notice of enforcement discretion, the reduction is intended to clear up inconsistencies in the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. The penalty structures were implemented during a final interim rule in January 2013.
At that time, HHS decided that it was most logical to apply the same maximum penalty of $1.5 million annually for the four penalty tiers:
No knowledge that HIPAA was being violated
Reasonable cause
Willful neglect, corrected
Willful neglect, not corrected in a timely fashion
HHS defines the second tier, reasonable cause, as applying to an organization that either knew or should have known about the violation had it applied a reasonable amount of due diligence, but where the violation fell short of willful negligence.
Changes to the caps apply to all tiers, except for willful neglect that has not been corrected.
The minimum penalty per violation will remain the same:
$100 for the first tier
$1,000 for the second tier
$10,000 for the third tier
$50,000 for the fourth tier
The maximum penalty per violation of $50,000 for all four tiers will also remain the same.
OCR Director Roger Severino said that, after further review of the statute by the HHS Office of the General Counsel, HHS has determined that the better reading of the HITECH Act is to apply the following annual limits:
$25,000 for no knowledge
$100,000 for reasonable cause
$250,000 for corrected willful neglect
$1.5 million for uncorrected willful neglect
He added that this penalty tier structure, adjusted for inflation, will be used by HHS until further notice. HHS expects to engage in future rulemaking to revise the penalty tiers in the current regulation to better reflect the text of the HITECH Act.