Printer Friendly, PDF & Email

OCR lowers annual penalty caps for certain HIPAA violations

Adam H. Greene (adamgreene@dwt.com) is a Partner in the Washington, DC, office of Davis Wright Tremaine LLP and co-chair of its Health Information Practice Group. Rebecca L. Williams (beckywilliams@dwt.com) is a Partner in the Seattle, WA, office of Davis Wright Tremaine LLP and co-chair of its Health Information Practice Group. Austin Smith (v-austinsmith@dwt.com) is a Project Attorney in the Washington, DC, office of Davis Wright Tremaine LLP.

On April 30, 2019, the Department of Health and Human Services Office for Civil Rights (OCR) announced that it is lowering the maximum total penalties it may assess against covered entities and business associates for multiple violations of a single Health Insurance Portability and Accountability Act (HIPAA) provision in a single calendar year.[1] Although OCR is likely to continue to vigorously enforce HIPAA, covered entities and business associates now have stronger incentives to demonstrate that any HIPAA violations they face were due to a lack of knowledge or to reasonable cause, as well as to take actions to correct any violations within 30 days. These steps may allow the entity to qualify for significantly lower annual caps on the penalties they face. Before this announcement, a covered entity or business associate could have faced up to $1.7 million in penalties in a single year for violations of the same HIPAA provision that it reasonably did not know about.[2] Now that maximum is being lowered to $28,526 per year—a 6,000% decrease!

THIS DOCUMENT IS ONLY AVAILABLE TO MEMBERS.
PLEASE LOG IN OR BECOME A MEMBER