This is the fourth in a series of articles regarding the HIPAA Omnibus Final Rule recently released by HHS. For a comprehensive list of other articles on HIPAA by McGuireWoods, click here.
On Jan. 17, 2013, the Department of Health and Human Services (HHS) released the Omnibus Final Rule (Final Rule), interpreting and implementing various provisions of the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act) and the Genetic Information Nondiscrimination Act of 2008 (GINA). The HITECH Act required HHS to modify HIPAA’s Enforcement Rule and HHS’s approach to imposing civil money penalties (CMPs) for violations. Specifically, the HITECH Act significantly increased the amount of CMPs, reduced the number of available affirmative defenses to CMPs, and required imposition of CMPs for all violations due to willful neglect. Additionally, the HITECH Act applied all the above directly to business associates. HHS issued an Interim Final Rule along with a request for comments on Oct. 30, 2009. The Final Rule responds to public comments regarding the Interim Final Rule and makes a variety of revisions to the Interim Final Rule. However, the core provisions regarding penalties remain substantially the same.
Determining the Amount of a CMP
The Final Rule implements the penalty structure mandated by the HITECH Act for violations occurring after Feb. 18, 2009, in which the amount of the penalty increases with the level of culpability, with maximum penalties for violations of the same HIPAA provision of $1.5 million per year. Prior to the enactment of the HITECH Act, the imposition of CMPs under HIPAA was limited to a maximum of $100 per violation and $25,000 for all violations of an identical requirement or prohibition occurring within the same calendar year. The prior penalty structure is still applicable to violations occurring on or before Feb. 18, 2009.
The tiered structure for imposition of CMPs under the HITECH Act and Final Rule distinguishes the level of culpability as follows:
- Unknowing. The covered entity or business associate did not know and reasonably should not have known of the violation.
- Reasonable Cause. The covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission was a violation, but the covered entity or business associate did not act with willful neglect.
- Willful Neglect – Corrected. The violation was the result of conscious, intentional failure or reckless indifference to fulfill the obligation to comply with HIPAA. However, the covered entity or business associate corrected the violation within 30 days of discovery.
- Willful Neglect – Uncorrected. The violation was the result of conscious, intentional failure or reckless indifference to fulfill the obligation to comply with HIPAA, and the covered entity or business associate did not correct the violation within 30 days of discovery.
The corresponding tiers of CMP relating to each level of culpability are as follows:
| Violation Category | Each Violation | Total CMP for Violations of an Identical Provision in a Calendar Year |
| Unknowing | $100 – $50,000 | $1,500,000 |
| Reasonable Cause | $1,000 – $50,000 | $1,500,000 |
| Willful Neglect – Corrected | $10,000 – $50,000 | $1,500,000 |
| Willful Neglect – Not Corrected | At least $50,000 | $1,500,000 |
Under the Final Rule, HHS does not have the authority to automatically impose the maximum CMP for any given violation. Rather, in determining the amount of a CMP, HHS must consider the following:
- The nature and extent of the violation, including the number of individuals affected and the time period during which the violation occurred;
- The nature and extent of the harms resulting from the violation, including whether the violation caused physical harm, whether the violation resulted in financial harm, whether there was harm to an individual’s reputation and whether the violation hindered an individual’s ability to obtain healthcare;
- The history of prior compliance, including previous violations; and
- The financial condition of the covered entity or business associate, including whether financial difficulties affected the ability to comply and whether the imposition of the CMP would jeopardize the ability of the covered entity to continue to provide or pay for healthcare.
Defenses to CMPs
The Final Rule limits the ability of the Secretary to impose CMPs for certain violations of HIPAA occurring after Feb. 18, 2009. Specifically, the Secretary may not impose CMPs for a violation that is not due to willful neglect and that is corrected within 30 days of actual or constructive knowledge of the violation, or during an additional period, as determined by the Secretary to be appropriate based on the nature and extent of the failure to comply. This defense, however, is not available for violations due to willful neglect. Thus, to the extent possible, a covered entity or business associate that discovers a violation of HIPAA that is not due to willful neglect should endeavor to (i) correct the violation within 30 days of the discovery; (ii) document the date on which it discovered the violations; and (iii) document the date on which it implemented the correction in order to establish a basis for asserting the affirmative defense to the imposition of CMPs for the violation. The Final Rule also bars the imposition of CMPs for violations of HIPAA when a criminal penalty has previously been imposed for the same conduct.
Waiver and Discretion
While the Final Rule includes many provisions that amplify the penalties associated with a violation of HIPAA, as discussed above, there is some flexibility built into the Final Rule with respect to imposition of such penalties. The Final Rule gives HHS discretion to waive a CMP for violations that are not due to willful neglect, in whole or in part, to the extent that the penalty is excessive relative to the violation. The waiver power mirrors the tiered CMP structure by providing a mechanism to ensure that the amount of CMP reflects the level of culpability.
Further, CMPs are not the exclusive remedy for violations of HIPAA. Rather, HHS has discretion to use other measures to address HIPAA violations, such as providing direct technical assistance or resolving possible noncompliance through informal means. Prior to the Final Rule, HHS was required to seek resolution through these informal means for all violations, while the Final Rule provides that informal resolution “may” be attempted. Finally, the Final Rule does not allow violations due to willful neglect to be resolved through these informal means without also imposing a CMP.
Applicability of CMPs for Acts of Business Associate Agents
The Final Rule makes a covered entity liable for the violations of its business associates that are its agents, and adds a parallel provision providing for the liability of business associates for the acts of their agents. To avoid state-by-state variations in the law of agency, the Final Rule specifies that whether an agency relationship exists will be established under the federal law of agency. In general, an agency relationship will be found where the potential agent’s actions can be directed or controlled during the course of performance of its duties, regardless of whether actual direction or control occurs. Prior to the HITECH Act, covered entities were not subject to CMPs for violations by an agent who was also a business associate acting under a compliant business associate agreement.