Counting HIPAA Violations

July 20th, 2017 - Wyn Staheli
Categories: HIPAA | PHI

The Omnibus Rule of 2013 addressed some of the concerns of the Enforcement Rule regarding the counting of violations. The following information is taken directly from the Federal Register, Vol. 78, No. 17, Friday, January 25, 2013.

Final Rule

This final rule retains the revised penalty structure in § 160.404(b) as implemented by the IFR. We continue to believe the penalty amounts are appropriate and reflect the most logical reading of the HITECH Act, which provides the Secretary with discretion to impose penalties for each category of culpability up to the maximum amount described in the highest penalty tier.

With respect to those comments expressing concern about the discretion available to the Secretary under the adopted scheme, we emphasize again that the Department will not impose the maximum penalty amount in all cases but will rather determine the amount of a penalty on a case-by-case basis, depending on the nature and extent of the violation and the nature and extent of the resulting harm, as required by the HITECH Act, as well as the other factors set forth at § 160.408. In response to those commenters particularly concerned about the impact of penalties on smaller entities, we note that the other factors include both the financial condition and size of the covered entity or business associate. These factors are discussed more fully below.

In addition, with respect to comments expressing specific concern about fairness regarding those violations of which an entity did not know or by exercising reasonable diligence would not have known or for which there was a reasonable cause and not willful neglect, we note that in both cases an entity may establish that an affirmative defense applies under § 160.410, where the entity corrects the violation within 30 days from the date the entity had knowledge of the violation or with the exercise of reasonable diligence would have had knowledge of the violation, or during a period determined appropriate by the Secretary based upon the nature and extent of the entity’s failure to comply. These affirmative defenses are described more fully below.

In addition, Section 13410(d) of the HITECH Act and Section 1176(a) of the Social Security Act give the Secretary further ability to waive a civil money penalty, in whole or in part, under certain circumstances. Thus, to the extent an entity fails to correct such violations within the mandated time frame, the Secretary may also utilize her waiver authority provided for at § 160.412, to waive the penalty amount in whole or in part, to the extent that payment of the penalty would be excessive relative to the violation.

Further, pursuant to 42 U.S.C. 1320a–7a(f), the Secretary always has the discretion to settle any issue or case or to compromise the amount of a civil money penalty assessed for a violation of the HIPAA Rules.

Finally, in the event an entity believes that a civil money penalty has been imposed unfairly, the entity could exercise its right under § 160.504 to appeal the imposition of a civil money penalty in a hearing before an administrative law judge.

Response to Other Public Comments

Comment: We received a few comments in response to the IFR and NPRM requesting clarification as to how the Secretary will count violations for purposes of calculating civil money penalties. One commenter requested clarification as to how the numbers of "occurrences" are determined, suggesting that penalties could be very significant, and vary significantly, depending on the counting methodology utilized. The Department also received one comment asking whether a violation is defined as one event. This commenter queried, for example, whether the loss of unsecured electronic media would be considered as a single violation, even if the media contained several hundred records. The commenter also asked for confirmation that $1,500,000 is the aggregate limit of all fines for all violations in a given calendar year which would apply across an entire enterprise, regardless of violations occurring in different business units.

Response: How violations are counted for purposes of calculating a civil money penalty varies depending on the circumstances surrounding the non-compliance. Generally speaking, where multiple individuals are affected by an impermissible use or disclosure, such as in the case of a breach of unsecured protected health information, it is anticipated that the number of identical violations of the Privacy Rule standard regarding permissible uses and disclosures would be counted by the number of individuals affected. Further, with respect to continuing violations, such as lack of appropriate safeguards for a period of time, it is anticipated that the number of identical violations of the safeguard standard would be counted on a per day basis (i.e., the number of days the entity did not have appropriate safeguards in place to protect the protected health information). Note also that in many breach cases, there will be both an impermissible use or disclosure, as well as a safeguards violation, for each of which the Department may calculate a separate civil money penalty.

We refer readers to prior Enforcement Rule preambles for additional discussion on the counting methodology. See 70 FR 20224, 20233–55 (April 18, 2005) and 71 FR 8390, 8404–07 (February 16, 2006).

With respect to whether the aggregate CMP limit of $1.5 million would apply to all violations in a given calendar year, across an entire enterprise, regardless of violations occurring in different business units of the enterprise, we note that the Enforcement Rule’s penalty scheme, and thus the limit for identical violations in a calendar year, applies to the legal entity that is a covered entity or business associate. However, as we indicated above, a covered entity or business associate may be liable for multiple violations of multiple requirements, and a violation of each requirement may be counted separately. As such, one covered entity or business associate may be subject to multiple violations of up to a $1.5 million cap for each violation, which would result in a total penalty above $1.5 million.
