The Enforcement Rule

The HIPAA Enforcement Rule contains provisions relating to compliance and investigations, the specifications for a Civil Monetary Penalty (“CMP”) that may be imposed for HIPAA violations and procedures for hearings.

The HIPAA Omnibus Rule

The HIPAA Omnibus Rule confirmed the increased amount of a civil monetary penalty (“CMP”) previously established on an interim basis that may be assessed for violations of HIPAA. A Business Associate (“BA”) is now directly subject to the Enforcement Rule and subject to assessment of CMPs. A Covered Entity (“CE”) is also liable for violations by a BA that is legally defined as an “agent” of the CE.

Breaches Affecting 500 Or More Persons

The U. S. Department of Health and Human Services (“HHS”) publishes breaches of unsecured protected health information affecting 500 or more persons on its web site – a location often called the “Wall of Shame”.

Willful Neglect

The U. S. Department of Health and Human Services (“HHS”) is required to investigate violations if circumstances indicate a possible violation due to willful neglect. However, HHS has discretion regarding whether to review possible violations when circumstances do not indicate willful neglect, and HHS has additional discretion to choose between informal resolution and formal resolution of investigations.

Categories of Violations and Penalties – adjusted for 2020

Each category below lists the type of violation, the penalty range, and the annual limit for identical violations.

1. Unknowing Violation
   A CE or BA did not know and by reasonable diligence would not have known of the violation.
   Penalty range: $119 to $59,522
   Annual limit – identical violation: $25,630 (HHS discretionary cap)

2. Reasonable Cause
   A CE or BA committed a violation due to reasonable cause, not willful neglect.
   Penalty range: $1,191 to $59,522
   Annual limit – identical violation: $102,522 (HHS discretionary cap)

3. Willful Neglect, Corrected
   A CE or BA committed a violation due to willful neglect but corrected it in a timely manner.
   Penalty range: $11,904 to $59,522
   Annual limit – identical violation: $256,305 (HHS discretionary cap)

4. Willful Neglect, Uncorrected
   A CE or BA committed a violation due to willful neglect and did not correct it in a timely manner.
   Penalty range: At least $59,522
   Annual limit – identical violation: $1,785,651

Affirmative Defenses

Violation Not Due to Willful Neglect and Corrected within 30 Days

HHS may decide not to impose a CMP on a CE or BA for violations occurring on or after February 18, 2009 for a violation that is not due to willful neglect and is corrected within 30 days of actual or constructive knowledge of the violation, or a longer period if HHS deems such a longer period is reasonable and appropriate.

Recommended Action Steps when Violation Not Due to Willful Neglect

A CE or BA that discovers a violation not due to willful neglect should:

  1. Document the date on which it discovered the violation;
  2. Document the circumstances establishing lack of willful neglect;
  3. Correct the violation within 30 days of discovery; and
  4. Document all investigative and corrective actions.

Violations Subject To Previous Criminal Penalty

Another affirmative defense, although not a happy one, is that HHS may not impose a CMP for a violation that previously had been subject to a criminal penalty.