PARCA eNews – April 30, 2019 – The Department of Health and Human Services (HHS) issued a change regarding civil penalties for HIPAA violations as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act.
Under the current regulation, penalties for HIPAA violations are levied on four tiers, numbered 1-4, based on the covered entity's level of knowledge of the breach:
- No knowledge that HIPAA rules were violated while exercising a reasonable level of due diligence
- Reasonable Cause that the entity would have known a violation occurred had a reasonable level of due diligence been exercised
- Willful neglect but with corrective action taken
- Willful neglect with no corrective action taken
In 2013, the table of fines was capped at a maximum of $1.5 million for each tier. Applying the same cap to all four tiers drew criticism that HHS violated the intent of the HITECH Act by imposing a $1.5 million cap for every penalty tier.
Following criticism of that table, HHS has amended the penalty enforcement table as follows:
| Culpability | Min. penalty | Max. penalty | Annual limit |
|---|---|---|---|
| Tier 1: No knowledge | $100 | $50,000 | $25,000 |
| Tier 2: Reasonable cause | $1,000 | $50,000 | $100,000 |
| Tier 3: Willful neglect, corrected | $10,000 | $50,000 | $250,000 |
| Tier 4: Willful neglect, not corrected | $50,000 | $50,000 | $1,500,000 |
For more information view the full-text HHS notice
Source: April 30, 2019 Federal Register