QUESTION: How does HHS determine the potential number of HIPAA administrative simplification violations for purposes of assessing civil monetary penalties?
ANSWER: HHS may impose a civil monetary penalty on a covered entity (or business associate) if it determines that the covered entity (or business associate) has violated a HIPAA administrative simplification provision. The penalties apply to all administrative simplification provisions (e.g., privacy, security, electronic transactions), and a violation is a failure to comply with any requirement or prohibition established under the HIPAA statute or the HIPAA administrative simplification regulations. HHS has significant leeway in determining exactly what constitutes a failure to comply with a requirement or prohibition. Since many administrative simplification requirements appear in more than one place in the HIPAA statute and regulations, HHS has provided some guidance on determining the number of violations. Here are highlights:
Violations of Overlapping Provisions. If a requirement or prohibition in one administrative simplification provision is repeated in a more general form in another administrative simplification provision “in the same subpart” of the regulations, a civil monetary penalty may be imposed for a violation of only one of these administrative simplification provisions. For example, if a covered entity failed to comply with the implementation specifications relating to minimum-necessary uses of protected health information (PHI), there would also be a failure to comply with the general standard relating to minimum-necessary requirements. Because these provisions are in the same subpart, HHS would treat the failure as a violation of only one provision, not both. On the other hand, there is no limitation on counting violations of overlapping provisions that appear in different subparts of the administrative simplification regulations. For example, if a covered entity were to sell its used computers without making sure that all PHI had been removed, HHS might find violations of several separate obligations under the security and privacy rules (these rules are in different subparts of the regulations).
Violations of Non-Overlapping Provisions. There is no limitation on counting violations of non-overlapping provisions of the same subpart. For example, if a covered entity were to use PHI in a manner that is not permitted by the privacy rule, it might also violate the privacy rule’s minimum-necessary or reasonable safeguard requirements.
Violations of Identical Provisions. HHS has significant leeway in determining how many violations of an identical provision have occurred. In determining the number of identical violations, HHS looks at the substantive provision involved and what the covered entity is legally obligated to do—such as its obligation to act in a certain manner, or within a certain time, or to act or not act with respect to certain persons. For example, if a covered entity enters into business associate contracts with five different companies, and each contract omits two provisions required by the privacy rule, there could be a total of ten violations—five violations of each of the two privacy rule provisions. For violations of a continuing nature, each day could be counted as a violation, and the number of violations could grow quickly.
The civil monetary penalties are categorized in tiers with corresponding minimum and maximum penalty amounts based on the violator’s culpability (see our Checkpoint Question of the Week). The penalties, including the calendar-year caps, are subject to adjustment for inflation.
For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Section XX.E (“Enforcement of Privacy, Security, and EDI Rules: Civil Monetary Penalties”).
Contributing Editors: EBIA Staff.