BIRMINGHAM, Ala. (April 30, 2019)—On Friday, the Department of Health and Human Services (HHS) released new interpretations of the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 regarding HIPAA violations.
The HITECH Act outlined four tiers of violations for covered entities by level of culpability:
- No knowledge that HIPAA was being violated
- Reasonable cause
- Willful neglect—corrected
- Willful neglect—not corrected in a timely fashion
HHS defines the second tier, reasonable cause, as applying to an organization that either knew about the violation or would have known about it had it applied a reasonable amount of due diligence, but whose violation fell short of willful neglect.
In 2009, and again in 2013, HHS interpreted the HITECH Act’s guidance to mean that all tiers should carry the same penalties for HIPAA violations. Violations were subject to an annual cap of $1.5 million, regardless of tier.
2018 marked a record year for HIPAA enforcements, with $28.7 million collected.
Under the new structure, covered entities that prove they had no knowledge of the HIPAA violation would have an annual cap of $25,000 in fines. Entities that commit willful neglect and do not correct the issue would still face the maximum $1.5 million cap.