Health care providers may be able to sleep a little easier as the Department of Health and Human Services (HHS) recently announced that it has lowered the maximum civil monetary penalties that can be assessed for certain HIPAA violations.
In 2013, HHS adopted a penalty tier structure which varied based on a health care provider's culpability and mitigation efforts in connection with a HIPAA breach. To address some internal inconsistencies identified in the rulemaking process, HHS adopted a $1.5 million maximum for every penalty tier.
Citing the move as "a matter of enforcement discretion," HHS announced on April 29, 2019, that the $1.5 million maximum for all penalty tiers would be significantly reduced for three of the four penalty tiers. The chart set forth below describes each tier, the previous maximum penalty, and the new maximum penalty. HHS indicated that the new annual limit would be adjusted annually for inflation.
Because the risk of a HIPAA breach is largely a question of "when" and not "if," the prior annual limits for the lower tiers were particularly draconian and inequitable. With a significantly lower annual limit for these lower tier breaches, providers will have greater incentive to take appropriate measures to implement risk management and institute self-imposed corrective action.The announcement comes in the wake of unprecedented HIPAA fines. In 2018, the Office of Civil Rights (which oversees HIPAA enforcement) set a new record by levying a total of $28.7 million in judgments, fines, and settlements. Among those settlements included the largest settlement in history - $16 million with Anthem, Inc. for the 2014-2015 cyber attacks which affected almost 79 million individuals.The new penalty tier structure took effect on April 30, 2019, and will remain in effect indefinitely. HHS also indicated that it intends to engage in future formal rulemaking to revise the penalty tiers, but did not indicate whether such rulemaking activity would be undertaken to formalize the newly-announced structure or to make more significant changes.
Lippes Mathias' multi-disciplinary COVID-19 Resource Team of attorneys has the experience necessary to quickly address the myriad issues businesses are facing as a result of the COVID-19 pandemic. We have been closely monitoring legal developments, business impacts and the financial market to identify ways in which we can assist clients with immediate needs, ensure our clients are aware of and understand the up-to-date guidelines, and help them to protect their business.
Among the topics we have assisted our clients with in this challenging time include, among others:
Reductions in staffing
State and federal PTO issues
Stay at home orders and work from home issues
Wage and hour questions
COVID-19 Response Plans for Businesses
Insurance Coverage Analysis
Force Majeure Issues impacting Leases and Contracts
Supplemental Finance including the SBA Disaster Loan Program