HHS Increases Penalties for HIPAA Noncompliance, Effective August 1 | Practical Law

The Department of Health and Human Services (HHS) has issued interim final regulations that adjust the civil money penalties for provisions under HHS's jurisdiction, as required under the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015.

Practical Law Legal Update w-003-3355 (Approx. 6 pages)

by Practical Law Employee Benefits & Executive Compensation
Published on 06 Sep 2016 | USA (National/Federal)
On September 2, 2016, HHS issued interim final regulations that adjust for inflation the maximum civil money penalties (CMP) that fall under HHS's jurisdiction, including for certain violations of the Health Insurance Portability and Accountability Act (HIPAA) (81 Fed. Reg. 61538) (see HIPAA Privacy, Security, and Breach Notification Toolkit and Practice Note, HIPAA Enforcement and Group Health Plans: Penalties and Investigations). The regulations reflect changes required by the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015 (Act). The Act required HHS to:
  • Adjust the level of CMPs with an initial "catch-up" adjustment, through regulations.
  • Make subsequent annual adjustments for inflation.
In related guidance, the Department of Labor (DOL) issued interim final regulations this past June to adjust the amounts of civil penalties assessed under the DOL's regulations (see Legal Update, DOL Increases Civil Money Penalties, Effective August 1).
Adjustments under the Act were required to take effect by August 1, 2016, and HHS's CMP adjustment regulations are effective on September 6, 2016. HHS issued its regulations for immediate implementation, and without the notice and comment procedures that normally accompany new regulations.
Under prior rules, CMP adjustments required significant rounding of figures, and penalty increases were capped at ten percent. The Act removed the rounding rules (that is, penalties are now simply rounded to the nearest dollar).

Reset of Inflation Adjustments

The Act "resets" the inflation calculations by excluding adjustments under an earlier inflationary adjustment act. This process required HHS to identify, for each penalty within its jurisdiction, the year and corresponding amount(s) for which the maximum penalty level or range of minimum and maximum penalties was either:
  • Established (that is, as originally enacted by Congress).
  • Last adjusted (other than under the Act).

Applicability of Increased Penalties Under the Act

Under the regulations, the adjusted penalty amounts apply only to CMPs assessed after August 1, 2016, whose associated violations occurred after November 2, 2015 (that is, the Act's enactment date). As a result, violations occurring on or before November 2, 2015, and assessments made prior to August 1, 2016, whose associated violations occurred after November 2, 2015, continue to be subject to either:
  • The CMP amounts under existing regulations.
  • The amount under the statute, if a penalty had not yet been adjusted by regulations.
The regulations and introductory material include initial catch-up adjustments for CMPs, and the Act requires HHS to publish annual adjustments by January 15 of every year.

Increased Penalty Amounts

In issuing its regulations, HHS provided a table reflecting how penalties for violations of provisions administered by HHS's agencies are being increased under the Act. The chart includes:
  • The statutory and regulatory citations for each provision.
  • A short description of the penalty.
  • Penalty amounts as they existed before inflationary adjustments made by the effective date of HHS's regulations.
  • The amount and year of the penalty as:
    • enacted by Congress; or
    • changed through an adjustment other than the Act.
  • A percentage increase based on a multiplier, and a resulting penalty increase.
  • A "maximum adjusted penalty" that is the sum of the existing penalty and the increased amount.

Increased CMPs Involving HIPAA Violations

Several of the HHS penalty adjustments under the Act involve HIPAA compliance. For example, the maximum adjusted penalty for each pre-February 18, 2009 violation of HIPAA's administrative simplification provisions is $150 (increased from $100). (February 18, 2009 was the effective date of certain increased penalties for HIPAA violations under the Health Information Technology for Economic and Clinical Health (HITECH) Act.)
In addition, the maximum adjusted penalty for each February 18, 2009 or later violation of HIPAA's administrative simplification provisions, if it is established that a covered entity (CE) or business associate (BA) did not know (and by exercising reasonable diligence would not have known) that the CE or BA violated the provision, is:
  • $110 (increased from $100).
  • $55,010 (increased from $50,000).
The above amounts (and those described below addressing HIPAA compliance) are, respectively, the minimum and maximum amounts per violation. (Regarding HIPAA CEs and BAs, see Practice Note, HIPAA Privacy Rule.) HHS's regulations also include increases in calendar year caps for the violations discussed in this section.
The maximum adjusted penalty for each February 18, 2009 or later violation of HIPAA's administrative simplification provisions, if it is established that the violation was due to reasonable cause and not willful neglect, is:
  • $1,100 (increased from $1,000).
  • $55,010 (increased from $50,000).
The maximum adjusted penalty for each February 18, 2009 or later violation of HIPAA's administrative simplification provisions, if it is established that the violation was due to willful neglect and corrected during the 30-day period beginning on the first date the CE or BA knew (or by exercising reasonable diligence would have known) that the violation occurred, is:
  • $11,002 (increased from $10,000).
  • $55,010 (increased from $50,000).
The maximum adjusted penalty for each February 18, 2009 or later violation of HIPAA's administrative simplification provisions, if it is established that the violation was due to willful neglect and was not corrected during the 30-day period beginning on the first date the CE or BA knew (or by exercising reasonable diligence would have known) that the violation occurred, is:
  • $55,010 (increased from $50,000).
  • $1,650,300 (increased from $1,500,000).

Increased Penalties for Non-HIPAA Violations

The maximum adjusted penalty for failing to provide summaries of benefits and coverage (under the ACA) is $1,087 (increased from $1,000) (see Practice Note, Summaries of Benefits and Coverage Under the ACA). The maximum annual penalty for violations of the ACA's medical loss ratio reporting and rebating rules is $109 (increased from $100) (see Legal Update, Guidance on Plan Asset Implications of Medical Loss Ratio Rebates).
The maximum adjusted penalty for an employer (or other entity) that offers a financial or other incentive for an individual who is entitled to benefits not to enroll under a group health plan or large group health plan that would be a primary plan is $8,908 (increased from $5,000).
The maximum adjusted penalty for any entity serving as an insurer, third party administrator (TPA), or fiduciary for a group health plan that fails to provide HHS with information identifying situations where the group health plan is (or was) a primary plan to Medicare is $1,138 (increased from $1,000).
Additional maximum adjusted penalties apply for provisions involving the ACA's health insurance exchange (see Article, Health Insurance Exchange and Related Requirements Under the ACA).

Practical Impact

Though required under the Act, the increased HIPAA penalties under HHS's regulations go into effect during a period of especially aggressive HHS enforcement of HIPAA's privacy and security standards (for example, see Legal Update, HHS Claims a Record Haul With $5.55 Million HIPAA Settlement), and will only add to the expense of HIPAA noncompliance for CEs and BAs.
Particularly given the immediate implementation timeframe under these regulations, practitioners must be aware of the increased HHS penalties to properly advise clients on their potential liability for violations of the statutes or regulations impacted by the Act (as described above).