HHS Reconsiders Penalty Structure for HIPAA Violations, Imposes Annual Limits based on “Level of Culpability”

By Brad Rostolsky, Kimberly Gold & James F. Hennessy on April 29, 2019

On Friday, April 26, 2019, the U.S. Department of Health and Human Services (“HHS”) filed a Notice of Enforcement Decision (the “Notice of Enforcement”), confirming the agency’s reconsideration of its prior interpretation of the Health Information Technology for Economic and Clinical Health Act’s (the “HITECH Act’s”) penalty structure. In doing so, HHS announced the abandonment of a previous annual penalty cap that did not vary based on an entity’s level of culpability.

Effective immediately, the maximum penalty that the HHS Office for Civil Rights (“OCR”) will impose for a particular violation of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) that occurs within a single calendar year has been generally, and significantly, reduced. Except for violations that are due to a regulated entity’s willful neglect and have not been timely corrected (which maintain the annual penalty limit of $1.5 million), OCR will apply a lesser annual limit to violations that occur (a) without a regulated entity’s knowledge, where the entity would not have known about the violation even with reasonable diligence; (b) due to reasonable cause and not willful neglect; and (c) due to willful neglect that is timely corrected.

The Notice of Enforcement does not mark the first occasion on which HHS has acknowledged ambiguity in the HITECH Act’s tier-based penalty scheme. In 2013, HHS noted the existence of multiple possible legislative interpretations, ultimately issuing a final rule that applied the same cumulative annual limit ($1.5 million) across four violation categories, as illustrated in the chart below:

2013 HHS Interpretation

| Culpability | Minimum Penalty/Violation | Maximum Penalty/Violation | Annual Limit |
|---|---|---|---|
| No Knowledge | $100 | $50,000 | $1,500,000 |
| Reasonable Cause | $1,000 | $50,000 | $1,500,000 |
| Willful Neglect–Corrected | $10,000 | $50,000 | $1,500,000 |
| Willful Neglect — Not Corrected | $50,000 | $50,000 | $1,500,000 |

Under the Notice of Enforcement, HHS confirmed its determination that “the better reading” instead involves progressively applying annual limits in accordance with the following revised chart:

Revised HHS Interpretation under the 2019 Notice of Enforcement

| Culpability | Minimum Penalty/Violation | Maximum Penalty/Violation | Annual Limit |
|---|---|---|---|
| No Knowledge | $100 | $50,000 | $25,000 |
| Reasonable Cause | $1,000 | $50,000 | $100,000 |
| Willful Neglect–Corrected | $10,000 | $50,000 | $250,000 |
| Willful Neglect — Not Corrected | $50,000 | $50,000 | $1,500,000 |

HHS confirmed that the agency will use the foregoing penalty tier structure, as adjusted for inflation, until further notice.

The revised penalty structure reinforces the notion that prospective HIPAA compliance efforts can have a significant monetary impact in terms of future enforcement.

  • Posted in:
    Health Care and Life Sciences
  • Blog:
    Life Sciences Legal Update
  • Organization:
    Reed Smith LLP