Quietly, at the end of April, HIPAA was significantly weakened. HHS published what sounds like an innocuous notification in the Federal Register: Notification of Enforcement Discretion Regarding HIPAA Civil Money Penalties. This notification is actually an enormous change to the HIPAA penalty structure, a drastic reduction in HIPAA fines.
The existing penalty structure under HIPAA is based on the HITECH Act of 2009, which increased HIPAA’s fines in an attempt to give teeth to HIPAA enforcement. From the time HIPAA began being enforced in 2003 until the HITECH Act, fines had barely been issued despite an enormous number of HIPAA violations. HITECH was Congress’s rebuff to this weak enforcement approach. After HITECH’s more potent penalty structure, HHS finally began issuing fines. The chart below is how HHS has been interpreting the HITECH penalty framework since the HITECH Act:
There were some ambiguities under the HITECH Act as to these penalty tiers, but HHS had long interpreted these tiers according to the above chart. But now, HHS has suddenly changed its mind and adopted a very different interpretation. Under this new interpretation, the penalty tier limits are now as follows:
Notice the new annual limits. There are severe reductions in the annual limits for nearly every category except for uncorrected willful neglect. This change yanks many of the teeth out of HIPAA enforcement.
To be fair, this new penalty structure doesn’t completely undermine HIPAA enforcement. The cap is for violation types, so if there are different types of HIPAA violations, they would each be separate and not fall under the same cap. In many cases, there are multiple HIPAA violations, so fines could still add up. Moreover, the caps are annual caps, and some violations occur across many years. According to an article in Fierce Healthcare: “The annual limit is per year for every year the violation persisted. For example, an organization that had a security or privacy violation due to willful neglect that went uncorrected for several years could still face hefty fines well above $1.5 million.”
In the Fierce Healthcare article, Kirk Nahra (WilmerHale) noted that the Office for Civil Rights (OCR) has already been using culpability as a factor in determining its fines. I’m not sure why HHS suddenly changed its interpretation of the HITECH Act and wants to curtail its own discretion in issuing fines. OCR doesn’t have to impose the maximum penalty; it just has the discretion to do so when it views the penalty as appropriate. It is odd for an agency to tie its own hands and limit its own discretion.
There’s more change to come to HIPAA penalties. According to a quote from OCR Director Roger Severino: “HHS will use this penalty tier structure, as adjusted for inflation, until further notice. . . . HHS expects to engage in future rulemaking to revise the penalty tiers in the current regulation to better reflect the text of the HITECH Act.”
The reduction in fines is an unfortunate maneuver that isn’t really called for. OCR has rarely issued fines. Fines have been issued mostly in cases involving the most egregious violations. There have been about 200,000 HIPAA complaints since 2003, and there are only about 60 cases with fines. Thus, less than 0.03% of all HIPAA complaints have resulted in a fine. Eyeballing the stats on HHS’s website, a significant majority of complaints have led to OCR requiring corrective action rather than finding no violation. The problem isn’t that HIPAA fines can be too steep; the real problem is that there aren’t more fines.
The most problematic change is the reduction of the annual limit on willful neglect — from $1.5 million to $250,000 per year. Weakening HIPAA fines for willful neglect is a gift to organizations that have been ignoring or showing little regard for HIPAA.
Perhaps it might be time for the states to step up to pass their own health privacy laws that have penalties akin to the old penalty system that HHS is dismantling.
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. Professor Solove also posts at his blog at LinkedIn. His blog has more than 1 million followers.
Professor Solove is the organizer, along with Paul Schwartz, of the Privacy + Security Forum (Oct. 14-16, 2019 in Washington, DC), an annual event that aims to bridge the silos between privacy and security.