On April 26, 2019, the U.S. Department of Health and Human Services (HHS) issued a Notification of Enforcement Discretion (Notice) regarding imposition of Civil Money Penalties (CMPs) under HIPAA. In the Notice, HHS announces that it has revisited its prior interpretation of the standards for assessment of CMPs under the HITECH Act, and is exercising its discretion to reduce the maximum amount of CMPs that may be assessed annually for HIPAA violations based on culpability.

The official version of the Notice is dated April 30, 2019 and is available here.

The HITECH Act established four tiers of culpability for HIPAA violations:
1. the entity/individual did not know (and, by exercising reasonable diligence would not have known) that such entity/individual violated the provision;
2. the violation was due to reasonable cause (and not to willful neglect);
3. the violation was due to willful neglect that is timely corrected; or
4. the violation was due to willful neglect that is not timely corrected.

The HITECH Act also set forth tiers of penalties for violations corresponding to the four levels of culpability. The language of the HITECH Act created ambiguity about the cap on CMPs for all violations of a particular HIPAA requirement within a calendar year, which HHS acknowledged in 2009. As part of its Omnibus Rule finalized in 2013, HHS finalized regulations under which the limit for all violations of an identical provision of the HIPAA regulations in a single year would be $1.5 million.

HHS now states in its Notice that “[u]pon further review” of the HITECH Act, it “has determined that the better reading of the HITECH Act is to apply annual limits” as follows:

The above CMP tier structure will be used by HHS until further notice, provided that the amounts will be adjusted annually for inflation in accordance with the Bipartisan Budget Act of 2015. Per the Notice, HHS expects to engage in further rulemaking to revise its HIPAA regulations accordingly.

The Notice represents a welcome development for HIPAA-regulated organizations and individuals at a time when HHS has been increasingly pursuing high-dollar penalties for HIPAA violations.

Interestingly, the Notice also comes less than a month after MD Anderson Cancer Center petitioned the U.S. Court of Appeals for the Fifth Circuit to review HHS’s imposition of $4.35 million in CMPs for HIPAA violations occurring in 2012 and 2013 (see our discussion of that petition here). In that case, HHS alleged that MD Anderson committed ‘second tier’ HIPAA violations (due to reasonable cause but not willful neglect) and assessed calendar-year maximum penalties of $1.5 million for one violation occurring during two calendar years, and $1.348 million for another violation occurring over the course of almost one calendar year. Under the Notice, the per-year maximum penalties for violations of the second culpability tier would be significantly less than those imposed on MD Anderson. Moreover, HHS expressly acknowledges that its new penalty structure represents a “better reading” of the HITECH Act. It therefore remains to be seen whether the Notice will enable MD Anderson, or others, to reduce HIPAA penalties assessed under HHS’s previous interpretation.