HHS Increases Penalties for HIPAA Violations

On October 11, 2018, the U.S. Department of Health and Human Services (HHS) published in the Federal Register the 2018 updated civil monetary penalties (CMPs) adjusted for inflation. The adjusted civil monetary penalty amounts apply to penalties assessed on or after October 11, 2018, for violations that occurred on or after November 2, 2015.

The current penalty scheme was established under the Health Information Technology for Clinical and Economic Health Act of 2010 (HITECH). HITECH increased enforcement efforts for HIPAA violations by raising potential penalties and by requiring the Office of Civil Rights (OCR) to impose civil monetary penalties on covered entities or business associates for failures to comply with HIPAA’s privacy and security requirements. The penalty structure established under HITECH is based on a tiered approach, depending on the nature of the violation; an entity’s knowledge of the problem; any attempts at correction; and other potential mitigating or aggravating factors, based on the particular facts and circumstances.

HIPAA Penalties Chart

Since 2011, OCR has conducted investigations and has imposed millions of dollars in civil monetary penalties. A list of OCR’s settlements with various entities can be found here: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html. Common issues include failures to conduct risk analyses with respect to electronic protected health information (ePHI); failure to enter into business associate agreements; failure to properly safeguard PHI; and failure to address known risks to information. Amid some speculation that OCR’s enforcement activity might be slowing down, OCR Director Roger Severino confirmed at a recent conference that enforcement efforts are still on track, and not just with respect to large companies. Severino indicated that OCR will also hold smaller companies accountable for violations of HIPAA privacy and security rule standards.

The annual inflationary adjustment doesn’t reflect a regulatory change, but it serves as a good reminder that civil monetary penalties exist, that they continue to increase, and that OCR has taken an active approach to enforcement over the past several years. There is no excuse for any covered entity or business associate to fail to understand how HIPAA applies to it, or to neglect making every effort necessary to comply with its requirements.

While every effort has been taken in compiling this information to ensure that its contents are totally accurate, neither the publisher nor the author can accept liability for any inaccuracies or changed circumstances of any information herein or for the consequences of any reliance placed upon it. This publication is distributed on the understanding that the publisher is not engaged in rendering legal, accounting or other professional advice or services. Readers should always seek professional advice before entering into any commitmen