On April 26, 2019, the U.S. Department of Health & Human Services (HHS) issued an announcement that the annual penalty cap for three of the four tiers of HIPAA violations would be reduced significantly to match what HHS called a “better reading” of inconsistent language found in the Health Information Technology for Economic and Clinical Health Act’s (HITECH) penalty scheme.

When enacted in 2009, Section 13410(d) of HITECH established four categories for HIPAA violations, with penalty tiers commensurate with the level of culpability for each violation.

  • Tier 1 violations are described as those where the person did not know (and, by exercising reasonable diligence, would not have known) that he or she violated the provision. Tier 1 violations were capped at $25,000 per calendar year.
  • Tier 2 violations are those where “the violation was due to reasonable cause, and not willful neglect.” Tier 2 violations were capped at $100,000 per calendar year.
  • Tier 3 violations are those due to willful neglect that is timely corrected. Tier 3 violations were capped at $250,000 per year.
  • Tier 4 violations are those that occurred due to willful neglect that is not timely corrected. Tier 4 violations were capped at $1.5 million per year.

In 2013, the HHS Office of Civil Rights (OCR) implemented a final rule allowing for enhancements of HITECH’s penalty provisions. Under the enhanced penalty scheme, while the range of penalties for each violation continued to differ by tier, the total yearly cap for all violations under all tiers was now $1.5 million – formerly only applicable to the most aggravated violations.

When this enhanced penalty scheme was adopted, HHS OCR identified concerns expressed by some commenters that by imposing a $1.5 million cap for every penalty tier, the “penalty scheme is inconsistent with the HITECH Act’s establishment of different tiers based on culpability because the outside limits were the same for all culpability categories[,] and this ignored the outside limits set forth by the HITECH Act within the lower penalty tiers, rendering those limits meaningless.” 78 FR at 5583. HHS responded by stating that it believed “that the penalty amounts are appropriate and reflect the most logical reading of the HITECH Act, which provides the Secretary with discretion to impose penalties for each category of culpability up to the maximum amount described in the highest penalty tier.” Id.

However, on April 26, HHS OCR stated that “[u]pon further review of the statute by the HHS Office of the General Counsel, HHS has determined that the better reading of the HITECH Act is to apply annual limits as … : $25,000 for no knowledge, $100,000 for reasonable cause, $250,000 for corrected willful neglect, and $1,500,000 for uncorrected willful neglect.” The table below shows the figures now applicable, which HHS will use “as adjusted for inflation”:

According to the April 26 notice, these updated annual caps are interim figures pending further rulemaking. In the meantime, these revisions represent a significant reduction in potential liability for entities not cited for the most grievous violations, and particularly those which had no knowledge of the violations alleged.