It used to be easy to calculate HIPAA penalties in your head—$50,000 per violation and up to $1.5 million per calendar year for multiple violations of the same HIPAA provision. But those days of easy math are long gone since HHS has been increasing its HIPAA penalty amounts for inflation since 2016.

On November 15, 2021, HHS published its annual inflation adjustment for a range of civil monetary penalties, including those that HHS may impose under HIPAA. Until a new inflation adjustment is published (likely next autumn), HIPAA violations are now subject to penalties of up to $60,226 per violation and up to $1,806,757 per calendar year for multiple violations of the same HIPAA provision. Note that violations of multiple HIPAA provisions occurring over multiple calendar years can significantly exceed this $1.8 million amount.

But one big question on HIPAA penalties remains …

The inflation adjustment does not address the status of the Trump administration's Notice of Enforcement Discretion regarding HIPAA penalties from April 30, 2019. The HITECH Act sets forth four tiers of culpability for HIPAA violations, ranging from those done with a lack of knowledge to those that are due to willful neglect and not timely cured. For the first three tiers of culpability, the statute provides a minimum penalty per violation and corresponding calendar-year cap for multiple violations of the same provision, and a maximum penalty per violation and corresponding calendar-year cap for multiple violations of the same provision.

What is unclear when calculating penalties for a given tier is whether to apply the minimum calendar-year cap or the maximum calendar-year cap. Under the Obama administration, HHS promulgated regulations that relied on the maximum calendar-year caps, resulting in the following range of penalties (these amounts were before Congress authorized inflation updates in 2016):

| Culpability | Minimum Penalty/Violation | Maximum Penalty/Violation | Annual Limit |
| --- | --- | --- | --- |
| No Knowledge | $100 | $50,000 | $1,500,000 |
| Reasonable Cause | $1,000 | $50,000 | $1,500,000 |
| Willful Neglect - Timely Corrected | $10,000 | $50,000 | $1,500,000 |
| Willful Neglect - Not Timely Corrected | $50,000 | $50,000 | $1,500,000 |

In 2019, the Trump administration reconsidered this interpretation and reached a different conclusion. OCR issued a Notice of Enforcement Discretion finding that the better interpretation is to apply the lower annual caps (even though this creates a seemingly inconsistent result for the first tier as a single violation is subject to a penalty of $50,000 but multiple violations of the same provision are capped at $25,000). The Notice of Enforcement Discretion resulted in the following revised penalty amounts (the Notice stated the below amounts but acknowledged that they were subject to the inflation adjustments):

| Culpability | Minimum Penalty/Violation | Maximum Penalty/Violation | Annual Limit |
| --- | --- | --- | --- |
| No Knowledge | $100 | $50,000 | $25,000 |
| Reasonable Cause | $1,000 | $50,000 | $100,000 |
| Willful Neglect - Timely Corrected | $10,000 | $50,000 | $250,000 |
| Willful Neglect - Not Timely Corrected | $50,000 | $50,000 | $1,500,000 |

This issue also was litigated in the 5th Circuit in University of Texas M.D. Anderson Cancer Center v. HHS. M.D. Anderson challenged OCR's proposed civil monetary penalties that relied upon the higher annual limits. HHS, under the Trump administration, conceded to M.D. Anderson's position, agreeing that the better statutory interpretation is the lower annual limits. Not surprisingly given the concession, the court sided with M.D. Anderson's position.

Despite the outstanding Notice of Enforcement Discretion and the 5th Circuit's decision in M.D. Anderson, the regulations never were amended and continue to provide for the higher annual limits. Accordingly, the November 15, 2021, inflation adjustment reflects the higher annual limits, not the lower annual limits HHS conceded to in the litigation. What is not clear is whether OCR, under the Biden administration, is in any way bound to follow the prior administration's Notice of Enforcement Discretion and utilize the lower annual limits.

Until the 2019 Notice is formally withdrawn, covered entities and business associates have an argument that OCR is bound by its Notice and may not impose penalties under the higher limits. But there is risk that OCR could take a contrary position and seek to impose the higher penalty amounts that remain in the regulation. The least risky course would be to assume that OCR will impose the higher penalty amounts.

Of course, your best bet is to avoid any HIPAA violations at all and not have to worry about which position OCR might take. But, despite best efforts, some things may be inevitable: death, taxes, and HIPAA violations caused by curiosity or carelessness.