The Secretary of Health and Human Services has been given the authorization through HIPAA HITECH and the final HIPAA Omnibus Rule to impose civil monetary penalties (CMPs) for violations of the Rules. These penalties apply to medical practices and their business associates. You and your business associates must train your employees to be aware of these penalties so they will know that they are subject to them.
The tiered structure for the imposition of CMPs under the HITECH Act and Final Rule distinguishes the level of culpability as follows:
- Unknowing - The covered entity or business associate did not know and reasonably should not have known of the violation.
- Reasonable Cause - The covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission was a violation, but the covered entity or business associate did not act with willful neglect.
- Willful Neglect Corrected - The violation was the result of conscious, intentional failure, or reckless indifference to fulfill the obligation to comply with HIPAA. However, the covered entity or business associate corrected the violation within 30 days of discovery.
- Willful Neglect Uncorrected - The violation was the result of conscious, intentional failure, or reckless indifference to fulfill the obligation to comply with HIPAA, and the covered entity or business associate did not correct the violation within 30 days of discovery.
The corresponding tiers of CMP relating to each level of culpability are as follows:
| Violation Category |
Each Violation |
Total CMP for Violations of an Identical Provision in a Calendar Year |
| Unknowing |
$100 to $50,000 |
$1,500,000 |
| Reasonable Cause |
$1,000 to $50,000 |
$1,500,000 |
| Willful Neglect Corrected |
$10,000 to $50,000 |
$1,500,000 |
| Willful Neglect Not Corrected |
At least $50,000 |
$1,500,000 |
Under the Final Rule, HHS does not have the authority to automatically impose the maximum CMP for any given violation. Rather, in determining the amount of a CMP, HHS must consider the following:
- The nature and extent of the violation, including the number of individuals affected and the time period during which the violation occurred;
- The nature and extent of the harms resulting from the violation, including whether the violation caused physical harm, whether the violation resulted in financial harm, whether there was harm to an individual's reputation and whether the violation hindered an individual's ability to obtain healthcare;
- The history of prior compliance, including previous violations; and
- The financial condition of the covered entity or business associate, including whether financial difficulties affected the ability to comply and whether the imposition of the CMP would jeopardize the ability of the covered entity to continue to provide or pay for healthcare.
Defenses to CMPs
The Final Rule limits the ability of the Secretary to impose CMPs for certain violations of HIPAA occurring after Feb. 18, 2009. Specifically, the Secretary may not impose CMPs for a violation that is not due to willful neglect and that is corrected within 30 days of actual or constructive knowledge of the violation, or during an additional period, as determined by the Secretary to be appropriate based on the nature and extent of the failure to comply. This defense, however, is not available for violations due to willful neglect. Thus, to the extent possible, a covered entity or business associate that discovers a violation of HIPAA that is not due to willful neglect should endeavor to (i) correct the violation within 30 days of the discovery; (ii) document the date on which it discovered the violations; and (iii) document the date on which it implemented the correction in order to establish a basis for asserting the affirmative defense to the imposition of CMPs for the violation.
The Final Rule also bars the imposition of CMPs for violations of HIPAA when a criminal penalty has previously been imposed for the same conduct.