When the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 became law, it made significant changes to the civil monetary penalties for violations of HIPAA. In addition to increasing the amounts of the penalties, HITECH created a tiered approach to penalties, establishing four categories based on levels of culpability. In addition, current HHS regulations apply the same cumulative annual penalty limit across these four categories. Today, the Department of Health and Human Services (HHS) issued a notification of enforcement discretion changing its interpretation of HITECH resulting in a reduction in the amount of the cumulative annual penalty limit for three of the four categories.
What Are The Four Categories Again?
Section 13410(d) of the HITECH Act established four categories for HIPAA violations:
- No knowledge. The person did not know (and, by exercising reasonable diligence, would not have known) that the person violated the provision;
- Reasonable Cause. The violation was due to reasonable cause, and not willful neglect;
- Willful Neglect – Corrected. The violation was due to willful neglect that is timely corrected (30 days); and
- Willful Neglect – Not Corrected. The violation was due to willful neglect that is not timely corrected.
What Was The Old Range of Penalties?
The range of penalties for the four categories above was as follows:
Category | Minimum Penalty | Maximum Penalty | Annual Limit |
No Knowledge | $100 | $50,000 | $1,500,000 |
Reasonable Cause | $1,000 | $50,000 | $1,500,000 |
Willful Neglect – Corrected | $10,000 | $50,000 | $1,500,000 |
Willful Neglect – Not Corrected | $50,000 | $50,000 | $1,500,000 |
What Is The New Range of Penalties?
Commenters noted to HHS that above structure was not consistent with HITECH’s tiered approach to penalties; that is, establishing categories based on culpability. This is because the annual limits were the same for all levels of culpability. Upon further review by HHS’ Office of the General Counsel, HHS has determined that the better reading of HITECH is to apply annual limits as shown below.
Category | Minimum Penalty | Maximum Penalty | Annual Limit |
No Knowledge | $100 | $50,000 | $25,000 |
Reasonable Cause | $1,000 | $50,000 | $100,000 |
Willful Neglect – Corrected | $10,000 | $50,000 | $250,000 |
Willful Neglect – Not Corrected | $50,000 | $50,000 | $1,500,000 |
According to the guidance, while HHS expects to engage in future rulemaking to revise the penalty tiers in the current regulation to better reflect the text of HITECH, these changes are effective until further notice.