
2018 was a record year for HIPAA enforcement: the Department of Health and Human Services, Office for Civil Rights (OCR) reached an all-time high of $28.7 million in enforcement actions, surpassing the previous high of $23.5 million in 2016. The majority of these enforcement actions resulted from data breaches and other impermissible disclosures of patient information. A consistent factor across them was the failure of the covered entity to implement, maintain and actually follow the policies and procedures required by the HIPAA Privacy and Security Rules.

Civil money penalties under HIPAA are based on a four-tier system set forth in a 2013 final rule implementing portions of the 2009 HITECH Act. The tiers reflect the level of culpability associated with the alleged violation, ranging from violations of which the covered entity had no knowledge (and could not reasonably have known) to violations resulting from willful neglect that the entity failed to correct within the required time. Despite being differentiated by culpability, each of the four tiers carried the same maximum annual civil money penalty limit of $1,500,000 for all violations of an identical provision.

On Friday, April 26, 2019, HHS released a notification of enforcement discretion, scheduled for publication in the Federal Register on April 30, 2019, revising the maximum annual civil money penalty limits for the four tiers.

In effect, the revision caps the total annual penalty a covered entity may incur according to that entity's level of culpability for the alleged violations: the lower the level of culpability, the lower the annual limit. This change provides a tangible incentive for HIPAA covered entities and business associates to invest the time to implement, and periodically update, the policies, procedures and practices needed to comply with the HIPAA Privacy and Security Rules.

Bill Dillon is Board Certified in Health Law by the Florida Bar and holds the Certified Information Privacy Professional credential (CIPP/US) from the International Association of Privacy Professionals.  He is a member of Gunster’s government affairs and health law practices.
