[BreachExchange] HHS moves to reduce HIPAA fines for less-severe violations

[Destry Winant]

https://www.fiercehealthcare.com/tech/hhs-plans-to-lower-cap-hipaa-fines

The Department of Health and Human Services (HHS) adjusted the
monetary penalties it imposes on healthcare providers, health plans
and their business associates for violating the Health Insurance
Portability and Accountability Act (HIPAA), lowering the annual cap
for the least-severe violation from $1.5 million to $25,000.

HHS said the new tier structure is based on culpability and sets
different annual limits for fines based on four penalty tiers,
according to a notice of enforcement discretion (PDF) issued Friday.
Healthcare organizations that have taken steps to comply with HIPAA
requirements or work quickly to mitigate violations face a smaller
maximum penalty than organizations found neglectful.

Prior to the changes, the annual limit was $1.5 million for every tier.

Matthew Fisher, a partner with Boston-based law firm Mirick O’Connell
and chair of the firm’s health law group, told FierceHealthcare that
reducing the maximum penalties is inconsistent with the direction of
recent Office for Civil Rights (OCR) settlements. "It is arguably good
in terms of aligning potential penalties with the level of
culpability," though, he said.

"If a violation was clearly unintentional and without knowledge, why
should a potentially massive fine follow. While the discretion
existed, the interpretation will now be binding and remove the
potential uncertainty," Fisher said. He added that HIPAA fines only
occur in a vast minority of instances, so the penalty changes, while
grabbing attention, may not have much practical impact.

HHS' OCR had a record year for HIPAA settlements in 2018. OCR settled
10 cases and secured one judgment totaling $28.7 million in fines for
healthcare provider and health-related companies' violations of the
privacy law, 22% higher than the previous record of $23.5 million in
2016.

The Health Information Technology for Economic and Clinical Health Act
(HITECH Act) strengthened HIPAA enforcement by increasing minimum and
maximum potential civil monetary penalties, according to HHS. The
fines were structured into four tiers based on the organizations'
culpability, such as whether organization leaders were aware of the
violation and took steps to address it. The lower tier includes
organizations that were not aware of a HIPAA violation, and the
most-severe category describes "willful neglect" that was not
corrected in a timely manner.

The HITECH Act's fine structure, however, included "apparently
inconsistent language," according to HHS, leading to confusion over
the maximum fine that could be imposed on an organization for each
year a violation persisted. As part of a final rule HHS adopted in
2013, the department set a static maximum cap of $1.5 million per year
that a privacy or security violation was present, regardless of
severity.

"There has always been some confusion about the formal penalty
provisions of the rules. While there are four categories with
different lower level amounts, the rule could be read to make the
higher end the same for all of the categories," Kirk Nahra, a privacy
attorney with WilmerHale, told Fierce Healthcare. "This is an
indication that OCR generally will treat different levels of 'blame'
differently, but that has generally been their practice in any event."

Through its latest enforcement, HHS adjusted the fine structure to
match the increasing levels of culpability.

The penalty structure is now:

- Tier 1 (no knowledge of violation): $100 to $50,000 per violation;
capped at $25,000 per year
- Tier 2 (reasonable cause): $1,000 to $50,000 per violation; capped
at $100,000 per year
- Tier 3 (willful neglect, corrected): $10,000 to $50,000 per
violation: capped at $250,000 per year
- Tier 4 (willful neglect, not corrected): $50,000 per violation;
capped at $1.5 million per year

The annual limit is per year for every year the violation persisted.
For example, an organization that had a security or privacy violation
due to willful neglect that went uncorrected for several years could
still face hefty fines well above $1.5 million.

Former OCR official Deven McGraw, who now serves as the chief
regulatory officer at Ciitizen, broke down what the updated fine
structure would mean for a tier 2 HIPAA violation (reasonable cause).
With the previous interpretation, a healthcare organization that
reported a single breach of 5,500 patient records would face a $1.5
million fine (the total would actually be 5,500 records multiplied by
$1,000 for a total of $5.5 million but it hits the $1.5-million cap).
Under HHS' current interpretation, the fine for that same violation
would be capped at $100,000.

Another example would a hospital flagged with a HIPAA violation for
failing to encrypt mobile devices going back two years. Hospital
leaders recognized it needed to encrypt and had a plan in place but
never executed it. Under the old interpretation, that hospital would
have faced a $730,000 fine, but under the updated structure, the fine
would be capped at $200,000, or $100,000 for each year of the
violation.

HHS plans to use the new penalty tier structure until further notice,
and it expects to engage in future rule-making to revise the penalty
tiers in the current regulation to better reflect the text of the
HITECH Act, HHS said.