OCR Reduces Maximum CMPs for HIPAA Violations

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently published a notice of enforcement discretion that modifies the maximum annual civil monetary penalties (CMPs) applied to violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

In the notice, HHS indicates that, based on a re-evaluation of the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, it will apply a maximum annual limit on CMPs based on culpability level, as represented by four tiers of HIPAA violations. Previously, HHS applied a $1.5 million annual maximum limit for all violations, regardless of the level of culpability. The notice updates the maximum amount of annual penalties for all tiers except the most severe tier, “willful neglect that has not been corrected.”

New OCR HIPAA Breach Penalty CMP Structure

HHS will use the following maximum annual CMP tier structure, adjusted for inflation, going forward:

  • $25,000 for no knowledge;
  • $100,000 for reasonable cause;
  • $250,000 for corrected willful neglect; and
  • $1.5 million for uncorrected willful neglect.

The minimum and maximum per-violation CMP tier structure remains unchanged. HHS plans to engage in future rulemaking to further revise the penalty tiers to better reflect the HITECH Act. The new structure will be in effect until that rulemaking takes place.

The HHS notice of enforcement discretion is available at:

https://www.govinfo.gov/content/pkg/FR-2019-04-30/pdf/2019-08530.pdf