Adam H. Greene (adamgreene@dwt.com) is a Partner in the Washington, DC, office of Davis Wright Tremaine LLP and co-chair of its Health Information Practice Group. Rebecca L. Williams (beckywilliams@dwt.com) is a Partner in the Seattle, WA, office of Davis Wright Tremaine LLP and co-chair of its Health Information Practice Group. Austin Smith (v-austinsmith@dwt.com) is a Project Attorney in the Washington, DC, office of Davis Wright Tremaine LLP.
On April 30, 2019, the Department of Health and Human Services Office for Civil Rights (OCR) announced that it is lowering the maximum total penalties it may assess against covered entities and business associates for multiple violations of a single Health Insurance Portability and Accountability Act (HIPAA) provision in a single calendar year.[1] Although OCR is likely to continue to vigorously enforce HIPAA, covered entities and business associates now have stronger incentives to demonstrate that any HIPAA violations they face were due to a lack of knowledge or to reasonable cause, as well as to take actions to correct any violations within 30 days. These steps may allow the entity to qualify for significantly lower annual caps on the penalties they face. Before this announcement, a covered entity or business associate could have faced up to $1.7 million in penalties in a single year for violations of the same HIPAA provision that it reasonably did not know about.[2] Now that maximum is being lowered to $28,526 per year—a 6,000% decrease!
The confusion of the HITECH Act
OCR’s decision stems from a re-interpretation of the Health Information Technology for Economic and Clinical Health (HITECH) Act’s unclear language about annual caps on continuing violations of the same HIPAA provision.
The HITECH Act lays out a penalty scheme in which there are four levels of penalties and four levels of culpability.[3] But for the first three levels of culpability, there is both a minimum penalty and corresponding annual cap for multiple violations of the same HIPAA provision, and a maximum penalty and corresponding annual cap.
The HITECH Act’s four levels of culpability with respect to HIPAA penalties are:
- The person did not know (and by exercising reasonable diligence would not have known) that such person violated the HIPAA provision (hereafter “No Knowledge”);
- It is established that the violation was due to reasonable cause and not to willful neglect (hereafter “Reasonable Cause”);
- It is established that the violation was due to willful neglect and the violation was corrected within the 30-day period beginning on the first date the person liable for the penalty or damages knew, or by exercising reasonable diligence would have known, that the failure to comply occurred (hereafter “Willful Neglect-Corrected”); and
- It is established that the violation was due to willful neglect and the violation was not corrected within the 30-day period beginning on the first date the person liable for the penalty or damages knew, or by exercising reasonable diligence would have known, that the failure to comply occurred (hereafter “Willful Neglect-Not Corrected”).
Table 1 sets forth the HITECH Act’s minimum and maximum civil monetary penalties (CMP) for each level of culpability.
Level of culpability | Minimum CMP per violation | Minimum annual cap | Maximum CMP per violation | Maximum annual cap |
---|---|---|---|---|
No knowledge | $100 | $25,000 | $50,000 | $1,500,000 |
Reasonable cause | $1,000 | $100,000 | $50,000 | $1,500,000 |
Willful neglect – Corrected | $10,000 | $250,000 | $50,000 | $1,500,000 |
Willful neglect – Not corrected | $50,000 | $1,500,000 | Not specified by the HITECH Act | Not specified by the HITECH Act |
The problem is whether to apply the minimum annual cap, the maximum annual cap, or some combination of the two. For example, if a covered entity falls under the lowest level of culpability (No Knowledge), then the range of penalties for each violation is a minimum of $100 and a maximum of $50,000. The question is whether the annual cap for multiple violations of the same provision is $25,000 or $1.5 million. If you apply the $25,000 annual cap, you get the seemingly absurd result that the statute allows a single violation to be penalized up to $50,000 while capping the annual total at half that amount ($25,000). If you apply the $1.5 million cap, however, you seemingly render the $25,000 cap meaningless. You also could try to apply both, finding that violations assessed at the minimum ($100) are subject to a $25,000 cap, violations assessed at the maximum ($50,000) are subject to a $1.5 million cap, and violations assessed at an amount in between (e.g., $10,000) are subject to some annual cap between the minimum and the maximum (e.g., $300,601).