HHS Slashes Maximum Annual HIPAA Breach Penalties

The U.S. Department of Health and Human Services (HHS) has slashed the maximum annual penalty limits for entities that have violated federal health information standards but were not aware of the problems or have done their best to address the problems.

The Health Information Technology for Economic and Clinical Health (HITECH) Act set the maximum annual fine for violations of Health Insurance Portability and Accountability Act of 1996 (HIPAA) health information protection standards at $1.5 million.

HHS says in a new notice that it will now cut the annual maximum sharply for three different types of HIPAA health information protection violations.

The notice appeared today in the Federal Register. The federal government uses the Federal Register, which is an official publication, to seek public documents on draft regulations and put completed regulations, and completed notices and guidelines, into effect.

Here's what the new annual limits will be for those three categories:

Entities that made a reasonable effort to detect problems and did not know anything was wrong: $25,000.
Entities affected by violations that were due to a "reasonable cause," rather than neglect: $100,000.
Entities affected by violations that were due to "willful neglect," but have corrected the problems: $250,000.

For entities found guilty of willful neglect that have not corrected the problems, the annual maximum penalty for HIPAA violations will continue to be $1.5 million, according to the new notice.

HHS is keeping the minimum and maximum penalties for each HIPAA violation that have been in effect for the past few years in place.

Those amounts range from a minimum of $100 per violation, for an entity that made reasonable efforts to detect problems but did not know anything was wrong, up to a maximum of $50,000, for all types of HIPAA violations.

HHS adopted the penalty maximums that had been in effect in 2013, during the administration of former President Barack Obama.

HHS officials say in the notice that they believe they have the discretion to adjust the penalty amounts imposed.

"This exercise of enforcement discretion is effective immediately," HHS officials say.

HHS officials say that, in 2013, commenters argued that the maximum penalty levels should be different for entities with different levels of culpability.

The penalty schedule has the most direct effect on physicians, hospitals and health insurers, but insurers may also use personal health information subject to HIPAA and HITECH rules in medical underwriting programs.

Federal regulators classify insurers and other entities that hold "protected health information," or PHI, as "covered entities."

Agents and brokers who sell health insurance, life insurance, disability insurance, long-term care insurance and other medically underwritten products may end up holding protected health information, or PHI, in connection with the underwriting process. Those producers are classified as "business associates" of the covered entities for HIPAA and HITECH enforcement purposes.

Covered entities who see producers as PHI regulation business associates typically spell out the terms of those relationships in written agreements with the producers.