Volume 39 | Issue 146
Download this For Your Information as a printable PDF
Earlier this year the Department of Health & Human Services announced increased civil monetary penalties for violations of the HIPAA privacy and security rules (the “administrative simplification” rules). The new penalties reflect a 10.02 percent increase over the prior amounts and include a “catch-up” inflation adjustment. Inflation adjustments will now be issued on an annual basis, no later than January 15 each year.
Background
The Federal Civil Penalties Inflation Adjustment Act of 1990 established a mechanism for updating various penalties to reflect inflation in an effort to maintain their deterrent effect, but adjustments were historically infrequent because of certain rounding rules. The last time the HIPAA penalties were increased was in 2009.
On November 2, 2015, Congress enacted the Federal Civil Monetary Penalties Inflation Adjustment Act Improvements Act (2015 Act) to require federal agencies to make “catch-up” inflation adjustments. The catch-up increase, generally effective for penalties assessed after August 1, 2016, is capped at 150 percent of the November 2, 2015, level. The 2015 Act also replaced the previous rounding convention for penalty inflation adjustments to provide for rounding to the nearest dollar for all penalty amounts.
The Department of Health & Human Services (HHS) will issue subsequent cost-of-living adjustments under the 2015 Act, determined by fluctuations in the Consumer Price Index for all Urban Consumers (CPI-U). Similar increased penalties for ERISA compliance violations were announced on July 1, 2016 (see our July 18, 2016 For Your Information).
Interim Final Rule with Inflation “Catch-up” Adjustment Amounts
HHS announced its interim final rule on September 6, 2016, setting forth the civil monetary penalties to be enforced or assessed by the agency, including those for HIPAA violations. Because the 2015 Act specifies that adjustments must be effective no later than August 2, 2016, and provides a clear methodology for calculating the adjustments, HHS indicated that the rule was to be implemented without prior notice or provision for additional comment.
The following penalties reflect a 10.02 percent increase over the prior penalties, and apply to violations that occurred after November 2, 2015, and where the penalties were assessed after August 1, 2016.
| Violation Category | Each Violation | All such violations of an identical provision in a calendar year |
| The Covered Entity or Business Associate did not know and by exercising reasonable diligence, would not have known that a violation occurred | $ 110 – $55,010 | $1,650,300 |
| The violation was due to reasonable cause and not to willful neglect | $ 1,100 – $55,010 | $1,650,300 |
| The violation was due to willful neglect, and timely corrected (generally within 30 days after the covered entity or business associate knew or should have known about the violation) | $11,002 – $55,010 | $1,650,300 |
| The violation was due to willful neglect, but not timely corrected | $ 55,010 | $1,650,300 |
In Closing
HHS, through the Office of Civil Rights, is currently conducting Phase Two of its HIPAA Audit Program (Phase One occurred in 2012). In August, it announced that it had begun a broader initiative to investigate the root causes of breaches affecting fewer than 500 individuals. Because of this increased enforcement activity and higher penalties, employers sponsoring self-funded health plans need to ensure that their health plans are HIPAA-compliant to avoid unnecessary surprises and/or penalties.