HHS Increases Penalties for HIPAA Violations



Volume 39 | Issue 146


Earlier this year the Department of Health & Human Services announced increased civil monetary penalties for violations of the HIPAA privacy and security rules (the “administrative simplification” rules). The new penalties reflect a 10.02 percent increase over the prior amounts and include a “catch-up” inflation adjustment. Inflation adjustments will now be issued on an annual basis, no later than January 15 each year.

Background

The Federal Civil Penalties Inflation Adjustment Act of 1990 established a mechanism for updating various penalties to reflect inflation in an effort to maintain their deterrent effect, but adjustments were historically infrequent because of certain rounding rules. The last time the HIPAA penalties were increased was in 2009.

On November 2, 2015, Congress enacted the Federal Civil Monetary Penalties Inflation Adjustment Act Improvements Act (2015 Act) to require federal agencies to make “catch-up” inflation adjustments. The catch-up increase, generally effective for penalties assessed after August 1, 2016, is capped at 150 percent of the November 2, 2015, level. The 2015 Act also replaced the previous rounding convention for penalty inflation adjustments to provide for rounding to the nearest dollar for all penalty amounts.

The Department of Health & Human Services (HHS) will issue subsequent cost-of-living adjustments under the 2015 Act, determined by fluctuations in the Consumer Price Index for all Urban Consumers (CPI-U). Similar increased penalties for ERISA compliance violations were announced on July 1, 2016 (see our July 18, 2016 For Your Information).

Interim Final Rule with Inflation “Catch-up” Adjustment Amounts

HHS announced its interim final rule on September 6, 2016, setting forth the civil monetary penalties to be enforced or assessed by the agency, including those for HIPAA violations. Because the 2015 Act specifies that adjustments must be effective no later than August 2, 2016, and provides a clear methodology for calculating the adjustments, HHS indicated that the rule was to be implemented without prior notice or provision for additional comment.

The following penalties reflect a 10.02 percent increase over the prior penalties, and apply to violations that occurred after November 2, 2015, and where the penalties were assessed after August 1, 2016.

| Violation Category | Each Violation | All such violations of an identical provision in a calendar year |
| --- | --- | --- |
| The Covered Entity or Business Associate did not know and by exercising reasonable diligence, would not have known that a violation occurred | $110 – $55,010 | $1,650,300 |
| The violation was due to reasonable cause and not to willful neglect | $1,100 – $55,010 | $1,650,300 |
| The violation was due to willful neglect, and timely corrected (generally within 30 days after the covered entity or business associate knew or should have known about the violation) | $11,002 – $55,010 | $1,650,300 |
| The violation was due to willful neglect, but not timely corrected | $55,010 | $1,650,300 |

In Closing

HHS, through the Office of Civil Rights, is currently conducting Phase Two of its HIPAA Audit Program (Phase One occurred in 2012). In August, it announced that it had begun a broader initiative to investigate the root causes of breaches affecting fewer than 500 individuals. Because of this increased enforcement activity and higher penalties, employers sponsoring self-funded health plans need to ensure that their health plans are HIPAA-compliant to avoid unnecessary surprises and/or penalties.

Produced by the Knowledge Resource Center of Conduent Human Resource Services

The Knowledge Resource Center is responsible for national multi-practice compliance consulting, analysis and publications, government relations, research, surveys, training and knowledge management. For more information, please contact your account executive or email fyi@conduent.com.

You are welcome to distribute FYI® publications in their entireties. To manage your subscriptions, or to sign up to receive our mailings, visit our Subscription Center.

This publication is for information only and does not constitute legal advice; consult with legal, tax and other advisors before applying this information to your specific situation.