Buck Bond Group
HHS Adjusts Penalties for HIPAA Violations

HHS Adjusts Penalties for HIPAA Violations

by and Tags: ,

Volume 41 | Issue 79

Download this FYI as a printable PDF

The HHS has announced its annual inflation-related adjustments to civil monetary penalties for violations of the HIPAA Privacy and Security Rules. These penalties reflect a 2.041 percent increase over the prior amounts and are effective as of October 11, 2018.

Background

The amount of civil monetary penalties for HIPAA violations was last increased by the Department of Health & Human Services (HHS) in 2016 (see our November 29, 2016 For Your Information), but inflation-based adjustments are made on an annual basis, with the most recent in February 2017. These adjustments are intended to serve as a deterrent and to improve the effectiveness of monetary penalties in general. The Federal Civil Penalties Inflation Adjustment Act was passed in 1990 to provide agencies with a means for adjusting monetary penalties to reflect inflation. In practice, adjustments were rarely made, and therefore Congress passed the Federal Civil Monetary Penalties Inflation Adjustment Act Improvements Act (2015 Act) on November 2, 2015, requiring agencies to make “catch-up” adjustments on an annual basis. Inflation cost-of-living adjustments are determined by the percent increase in the Consumer Price Index for all Urban Consumers (CPI-U) during October of the previous year if the amount of each civil penalty was established or modified during that year. As announced by the Office of Management and Budget (OMB) on December 15, 2017, the cost-of-living adjustment multiplier for 2018 is 1.02041.

Final Rule

HHS published its final rule on October 11, 2018, announcing the penalty adjustments. In accordance with the 2015 Act and OMB implementation guidance, public notice and opportunity for comment is not required, and the new penalty amounts are effective immediately. The new amounts apply only to penalties assessed on or after October 11, 2018, for violations occurring on or after November 2, 2015.

Violation Category

Each Violation

All such violations of an identical provision within a calendar year

Covered entity or business associate did not know and, by exercising reasonable diligence, would not have known that violation occurred

$114 to $57,051

$1,711,533

Violation due to reasonable cause and not willful neglect

$1,141 to $57,051

$1,711,533

Violation due to willful neglect, and timely corrected (generally within 30 days after the covered entity or business associate knew or should have known)

$11,410 to $57,051

$1,711,533

Violation due to willful neglect, but not timely corrected

$57,051 to $1,711,533

$1,711,533

In Closing

HHS’s Office of Civil Rights (OCR) has continued actively enforcing HIPAA in 2018, handing down several large settlements, including one last month for nearly one million dollars. Given OCR Director Roger Severino’s previously stated intent to cast a wide net in looking for HIPAA violations, it would be prudent to ensure compliance efforts are up-to-date to avoid the possibility of audits and/or penalties.