Enhanced Penalties and Stiffer Enforcement for HIPAA Violations
In our two prior posts concerning the Final Omnibus Rule under HIPAA we focused on changes to the breach notification requirements and rule changes affecting business associates. We now turn to the augmented penalty and enforcement provisions incorporated in the Final Rule. Many commentators have perceived stepped-up enforcement activity by the U.S. Department of Health and Human Services ("HHS"), and the changes in the penalty and enforcement provisions suggest that there will be much more of that to come.
Under HIPAA, covered entities and business associates can be subject to both civil and criminal penalties for violations of privacy and security requirements. Prior to the HITECH Act, HIPAA authorized civil monetary penalties of up to $100 per violation, with a maximum aggregate penalty of $25,000 per year for any given violation. Moreover, civil penalties were generally imposed only in egregious cases, with the Office of Civil Rights (the division of HHS charged with HIPAA enforcement) essentially directed first to use other means to assist in the correction of violations and to resolve complaints. The Final Rule incorporates the increases in civil penalties authorized under the HITECH Act and introduces a tiered penalty structure designed to reflect the nature and circumstances of the violation.
Under the Final Rule the maximum penalty for a given HIPAA violation is $1.5 million, and the penalty to be assessed corresponds to the level of culpability that characterizes the violation:
- If the covered entity or business associate did not know of the violation and would not have known of the violation by exercising reasonable due diligence, a civil penalty of $100 to $50,000 per violation may be assessed.
- If the violation was due to "reasonable cause" (defined as an act or omission that "a covered entity or business associate knew, or by exercising reasonable due diligence would have known" violated a HIPAA provision, but that does not constitute willful neglect), the civil penalty will be $1,000 to $50,000 per violation.
- If the violation was the result of willful neglect, but was corrected within 30 days of discovery, a civil penalty of $10,000 to $50,000 per violation may be assessed.
- If the violation was the result of willful neglect and was not corrected in a timely fashion, the civil penalty will be $50,000 to $1.5 million per violation.
Note that the penalties assessed against a covered entity or business associate may well exceed $1.5 million if multiple HIPAA requirements have been violated because each category of violation may be counted separately (in addition to counting multiple violations of the same provision).
Importantly, the Final Rule provides an affirmative defense for any violation in tier 1 (unknown and "unknowable" violations) and tier 2 (violations due to "reasonable cause") if the violation is corrected within 30 days of the date the covered entity or business associate learned or should have learned of the violation. The Final Rule allows some discretion to extend this 30-day period depending upon the nature and extent of the covered entity's or business associate's failure to comply.
The Final Rule also makes two changes to the HIPAA enforcement scheme that would appear to foreshadow increases in both the severity and potential scope of enforcement activity. First, HHS is no longer required to attempt to informally resolve complaints. Rather, the Final Rule gives HHS discretion to determine whether it will attempt informal resolution of a complaint or proceed with a formal penalty assessment process right away. (Indeed, given the structure of the civil penalty tiers, it would appear that a penalty is to be assessed unless the covered entity or business associate can show that the violation was not due to willful neglect and was corrected within 30 days.) Second, subject to the applicable limitations of HIPAA, HHS may now share information gathered in any investigation or compliance review with other law enforcement agencies (such as state Attorney General offices) that might have an interest in pursuing their own investigations.
One final observation for employers that sponsor self-funded group health plans. The Final Rule expressly provides for the assessment of civil penalties against a covered entity for HIPAA violations committed by a business associate acting as its agent. In determining whether an "agency" relationship exists, HHS will apply federal common law principles concerning a covered entity's "right or authority to control" a business associate to determine whether the business associate is acting as an agent (regardless of whether a business associate agreement is in place). This means that employers, who essentially act as surrogates for their self-funded group health plans for HIPAA purposes, will need to be more vigilant than ever in monitoring the activities of their business associates and should seek to enhance the contractual protections that can be negotiated into business associate agreements (for example, through indemnification provisions).
Clearly, in the area of HIPAA enforcement, the honeymoon is over.