HIPAA: New HIPAA Penalties System Rewards Labs that Try to Comply
From - National Intelligence Report New HHS rules significantly increase the amount of money your lab can save by making diligent and demonstrable efforts to prevent HIPAA violations even when… . . . read more
New HHS rules significantly increase the amount of money your lab can save by making diligent and demonstrable efforts to prevent HIPAA violations even when those efforts don’t succeed. We’re referring to the new HHS system of basing maximum HIPAA penalties on “level of culpability” set out by the agency in its April 26 Notification of Enforcement Discretion (Notice). Here’s the low down.
How HIPAA Penalties Are Determined
The Health Information Technology for Economic and Clinical Health Act (HITECH Act) establishes a four-tier system for determining minimum and maximum civil monetary penalties (CMP) for HIPAA violations. The tiers range by severity, as illustrated by Table 1:
| Table 1. The Old 4-Tier HIPAA Penalties System | ||
| Tier | Description | CMP Range |
| 1 | Violator didn’t know and wouldn’t have known through the exercise of reasonable diligence of HIPAA violation | $100 per violation up to maximum of $25,000 per calendar year |
| 2 | Violation due to reasonable cause, not willful neglect | $1,000 per violation up to maximum of $100,000 per calendar year |
| 3 | Violation due to willful neglect that’s timely corrected | $10,000 per violation up to maximum of $250,000 per calendar year |
| 4 | Violation due to willful neglect that’s not timely corrected | $50,000 per violation up to maximum of $1,500,000 per calendar year |
When it implemented the HITECH Act back in 2013, however, HHS viewed the penalty provisions as “conflicting” and decided that the highest annual cap of $1.5 million under tier 4 should apply to every tier. Despite criticism, HHS held the line and insisted “that the penalty amounts are appropriate and reflect the most logical reading of the HITECH Act.”
The New ‘Level of Culpability’ System
It took nearly five years, but HHS has finally seen the light. In the Notice, HHS announced that it’s changed its position and will now follow the original intent of the HITECH Act by basing the potential range of penalties on the violator’s level of culpability and efforts to comply. Table 2 summarizes the new “level of culpability” system.
| Table 2. The New “Level of Culpability” HIPAA Penalties System | |||
| Tier | Minimum CMP per Violation | Maximum CMP per Violation | Maximum CMP per Calendar Year |
| No Knowledge | $100 | $50,000 | $25,000 |
| Reasonable Cause | $1,000 | $50,000 | $100,000 |
| Willful Neglect-Corrected | $10,000 | $50,000 | $250,000 |
| Willful Neglect—Not Corrected | $50,000 per violation | NA | $1,500,000 |
The penalties will be adjusted for inflation.
Takeaway: Labs best take heed of the new penalty rules, especially considering that 2018 was a record year for HIPAA enforcements, with HHS collecting an all-time high of $28.7 million in penalties from HIPAA-covered entities and their business associates. The good news is that in the future, HIPAA penalties should be much less robotic and labs will, rightly, earn consideration for the efforts they make to implement systems to ensure the privacy and security of PHI and prevent HIPAA violations.
Subscribe to view Essential
Start a Free Trial for immediate access to this article