HHS Increases Civil Money Penalties for HIPAA Noncompliance, Effective November 5, 2019 | Practical Law


The Department of Health and Human Services (HHS) has issued final regulations that include the agency's annual inflation adjustments to civil money penalties assessed under its regulations, as required by the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015. The final regulations, which are effective November 5, 2019, include updated penalties for certain violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

HHS Increases Civil Money Penalties for HIPAA Noncompliance, Effective November 5, 2019

by Practical Law Employee Benefits & Executive Compensation
Published on 05 Nov 2019 | USA (National/Federal)
HHS has issued final regulations containing inflation adjustments to civil money penalties that HHS administers, including penalties for violations of HIPAA's "administrative simplification" rules (84 Fed. Reg. 59549 (Nov. 5, 2019); see HIPAA Privacy, Security, and Breach Notification Toolkit and Practice Note, HIPAA Enforcement: Penalties and Investigations). (Administrative simplification generally refers to HIPAA's privacy, security, and other requirements – including rules to standardize how health plan data is exchanged.)
The inflation adjustments are required under the Federal Civil Penalties Inflation Adjustment Act of 1990, as amended by the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015 (Inflation Adjustment Act). The Inflation Adjustment Act revised the method for calculating inflation adjustments for penalty increases and requires HHS to annually adjust its penalties for inflation (under a cost-of-living formula) by January 15 of each year.

HHS Penalty Regulations Under the Inflation Adjustment Act

As background, HHS issued interim final regulations in September 2016 that established an initial catch-up for civil money penalties that HHS administers (81 Fed. Reg. 61538 (Sept. 2, 2016); see Legal Update, HHS Increases Penalties for HIPAA Noncompliance, Effective August 1). The adjustments were required to take effect by August 1, 2016, and HHS's interim final regulations were effective on September 6, 2016. In February 2017, HHS published final regulations with HHS's 2017 annual inflation adjustment to its civil money penalties (82 Fed. Reg. 9174 (Feb. 3, 2017)). Notice-and-comment rulemaking procedures under the Administrative Procedure Act (APA) are not required for the annual adjustments (5 U.S.C. § 553).
HHS published final regulations in October 2018 with the 2018 annual inflation adjustment to its civil money penalties (83 Fed. Reg. 51369 (Oct. 11, 2018); see Legal Update, HHS Increases Civil Money Penalties for HIPAA Noncompliance, Effective October 11, 2018).
The final regulations issued in November 2019 include HHS's 2019 annual inflation adjustment to its civil money penalties.

Effective Date of 2019 Annual Adjustments

The final regulations are effective November 5, 2019. The adjusted penalty amounts apply to penalties assessed on or after November 5, 2019, if the violation occurred on or after November 2, 2015 (that is, the Inflation Adjustment Act's enactment date). The penalty amounts in effect before September 6, 2016, apply if either:
  • The violation occurred before November 2, 2015.
  • The penalty was assessed before September 6, 2016.

Adjustment Process and Calculation

The annual adjustment is based on the Consumer Price Index for All Urban Consumers (CPI-U). In general, an adjustment is calculated using the percent change between the:
  • October CPI-U preceding the date of the adjustment.
  • Prior year's October CPI-U.
The cost-of-living adjustment multiplier for 2019, based on the CPI-U for October 2018 (not seasonally adjusted), is 1.02522 (see OMB Memorandum M-19-04 (Dec. 14, 2018)). To calculate the 2019 annual adjustment, HHS multiplied the most recent penalty amount for each applicable penalty by the multiplier, 1.02522, and rounded to the nearest dollar.

Table of Adjusted Civil Money Penalties

The following table reflects certain of HHS's annual inflation adjustments to the civil money penalties for HHS-administered provisions, which are generally effective November 5, 2019.
| Description of Violation | Adjusted Penalty Amount |
| --- | --- |
| Pre-February 18, 2009, violations of HIPAA's administrative simplification provisions. (February 18, 2009, was the effective date of certain increased penalties for HIPAA violations under the Health Information Technology for Economic and Clinical Health Act (HITECH Act).) | $159; $39,936 (calendar year cap) |
| February 18, 2009, or later violations of HIPAA's administrative simplification provisions, if it is established that a HIPAA covered entity (CE) or business associate (BA) did not know (and by exercising reasonable diligence would not have known) that the CE or BA violated the provision. | $117 (minimum); $58,490 (maximum); $1,754,698 (calendar year cap) |
| February 18, 2009, or later violations of HIPAA's administrative simplification provisions, if it is established that the violation was due to reasonable cause and not willful neglect. | $1,170 (minimum); $58,490 (maximum); $1,754,698 (calendar year cap) |
| February 18, 2009, or later violations of HIPAA's administrative simplification provisions, if it is established that the violation was due to willful neglect and was corrected during the 30-day period beginning on the first date the CE or BA knew (or by exercising reasonable diligence would have known) that the violation occurred. | $11,698 (minimum); $58,490 (maximum); $1,754,698 (calendar year cap) |
| February 18, 2009, or later violations of HIPAA's administrative simplification provisions, if it is established that the violation was due to willful neglect and was not corrected during the 30-day period beginning on the first date the CE or BA knew (or by exercising reasonable diligence would have known) that the violation occurred. | $58,490 (minimum); $1,754,698 (maximum); $1,754,698 (calendar year cap) |
| Failure to provide summaries of benefits and coverage (SBCs) (see Practice Note, Summaries of Benefits and Coverage under the ACA). | $1,156 |
| Violations of the Affordable Care Act's (ACA's) medical loss ratio reporting and rebating rules (see Legal Update, Guidance on Plan Asset Implications of Medical Loss Ratio Rebates). | $116 |
| An employer or other entity offering any financial or other incentive for an individual entitled to benefits not to enroll under a group health plan or large group health plan that would be a primary plan. | $9,472 |
| Failure of an entity serving as an insurer, third-party administrator (TPA), or fiduciary for a group health plan to provide to HHS information identifying situations where the group health plan is (or was) a primary plan to Medicare. | $1,211 |
| Failure to comply with the requirements of the PHSA; penalty for violations of rules or standards of behavior associated with insurer participation in the ACA's federally facilitated health insurance exchanges (see Article, Health Insurance Exchange and Related Requirements Under the ACA). | $159 |
| Providing false information on an exchange application. | $28,906 |
| Knowingly or willfully providing false information on an exchange application. | $289,060 |
| Knowingly or willfully disclosing protected information from the exchange. | $28,906 |

Practical Impact; HIPAA Settlement Involving Unencrypted Mobile Devices

As discussed below, HHS often resolves enforcement actions with HIPAA CEs and BAs through its corrective action plan process (which typically involves payment of a monetary amount). However, the agency has also imposed civil money penalties in recent years, for example, in situations involving ongoing patterns of noncompliance or if a CE or BA is nonresponsive to the enforcement process. For examples of civil money penalties being imposed, see Legal Updates:
In another HIPAA development, HHS announced that a New York university medical center will pay HHS $3 million (and carry out an extensive corrective action plan) resulting from impermissible disclosures of protected health information (PHI) following the theft of an unencrypted laptop and loss of an unencrypted jump drive. The medical center was investigated by HHS in 2010 for a similar breach involving an unencrypted jump drive. In this more recent action, HHS's investigation revealed that the medical center failed to:
  • Conduct a complete and thorough risk analysis of potential risks to electronic PHI (ePHI).
  • Implement policies and procedures governing the receipt and removal of hardware and electronic media containing ePHI from a facility.
  • Adopt mechanisms to sufficiently encrypt and decrypt ePHI.
According to HHS, the medical center continued to permit use of unencrypted mobile devices despite the earlier HHS investigation and its own recognition that lack of encryption posed a high risk to ePHI (see Practice Note, HIPAA Enforcement: Settlement Agreements: Stolen or Lost Laptops and Mobile Devices).