The HHS Office of Civil Rights (“OCR”) closed out the month of April with some updates to HIPAA civil monetary penalty (“CMP”) limits and clarifications to OCR’s stance on the Privacy Rule’s application to transfers of electronic protected health information (“ePHI”) to third-party applications and application programming interfaces (“APIs”).
Differential CMP Caps Based on Enforcement Discretion
Under the current HIPAA Enforcement Rule, HHS employs a four-tier culpability scale in line with the HITECH Act. These four tiers correspond to CMP ranges for violations of the HIPAA Privacy and Security Rules by covered entities and business associates. The penalty tiers are adjusted for inflation pursuant to the cost-of-living formula set forth in the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015.
For instance, if a person did not know and, by exercising reasonable diligence, would not have known that the person violated the applicable HIPAA provision, the CMP that could be levied ranged from $100 to $50,000 for each identical violation, up to a maximum of $1.5 million for all such violations annually (before adjustment for inflation). The $1.5 million annual cap on CMPs for HIPAA violations applied across all four tiers, even though the minimum penalty for each tier increased in amount.
Since HHS began using this four-tier structure, however, there has been debate about whether the HITECH Act mandates different annual CMP caps for each of the tiers. OCR’s April 30, 2019 Federal Register Notice changes HHS’s prior position on this, and now imposes the following annual caps on CMPs for HIPAA violations:
- $25,000 (Tier 1 – no knowledge)
- $100,000 (Tier 2 – reasonable cause)
- $250,000 (Tier 3 – willful neglect/corrected)
- $1.5 million (Tier 4 – willful neglect/not corrected)
What is odd is that the maximum penalty for each tier remains at $50,000 as of the date of the Federal Register Notice. This does not appear to make sense given that the annual limit for Tier 1 violations is $25,000. Nevertheless, HHS will follow this structure “until further notice,” which means there still may be some cleaning up to do.
New FAQ Responses to Clarify Patient Access Rights Under HIPAA
On April 18, 2019, OCR published responses to five Frequently Asked Questions (the “FAQs”) regarding a patient’s right of access to his or her ePHI through third-party apps and APIs. Covered entities should take these FAQs into account when responding to the proposed rules on information blocking released by the Office of the National Coordinator for Health Information Technology (“ONC”) and the Centers for Medicare & Medicaid Services’ proposed rules on Interoperability and Patient Access; responses to both are now due June 3, 2019. These proposed rules encourage patient access to ePHI via APIs, and the FAQs attempt to address some of the questions OCR has received regarding how to balance HIPAA compliance with patient access via new transmission and storage modalities for ePHI.
Overall, the FAQs clarify the scope of covered entities’ responsibility to comply with patients’ requests to direct their ePHI to third parties pursuant to 45 CFR § 164.524 and their liability for any breaches to that ePHI after its transfer. The main points that covered entities should glean from the FAQs are:
- Covered entities cannot refuse to disclose ePHI to an app chosen by an individual because of concerns about how the app will use or disclose the ePHI it receives.
- Covered entities or their business associates (e.g., an EHR system developer) that did not develop or provide a third-party app that “creates, receives, maintains, or transmits ePHI on behalf of the covered entity”:
  - are not required to enter into a business associate agreement (“BAA”) with the third-party app or API developer; and
  - are not liable under the HIPAA Rules for a subsequent impermissible disclosure by the third-party app or API.
- Covered entities would not be responsible for unauthorized access to the individual’s ePHI while it is in transmission to a third-party app or API, even if it is transferred in an unsecure manner or over an unsecure channel.
The new FAQs became necessary as patients increasingly sought ready access to their ePHI and related data through mobile apps and devices that are distinct from those provided by covered entities. Covered entities, in an abundance of caution, often refused to send ePHI to third-party apps and APIs because they were concerned about being liable for breaches of any ePHI after it was transferred.
With these new FAQs, covered entities and their business associates have more clarity regarding their obligations under the HIPAA Privacy Rule. Moreover, it is arguable that the release of the FAQs provides constructive notice to covered entities and developers of third-party apps and APIs that engaging in practices that contradict OCR’s responses could constitute information blocking, which we have profiled in numerous previous posts.