QUESTION: Our company is a TPA that serves as a business associate for employer-sponsored group health plans, which are covered entities under HIPAA. Do the civil monetary penalties for violating HIPAA’s privacy, security, and breach notification rules apply to business associates as well as covered entities? If so, what are the potential penalties?
ANSWER: HHS’s Office for Civil Rights (OCR) is authorized to take direct enforcement action and assess civil monetary penalties against business associates for specified violations of the HIPAA administrative simplification rules. OCR has issued a fact sheet listing the provisions for which business associates may be directly liable (see our Checkpoint article). The list includes privacy rule violations (such as impermissible uses or disclosures, and failure to observe the “minimum necessary” standard); failure to provide breach notification to a covered entity or another business associate; and failure to enter into business associate contracts with business associate subcontractors. Failure to comply with the security rule appears as a single entry on the list, but a footnote clarifies that nearly the entire security rule—including the standards for administrative, physical, and technical safeguards—applies directly to business associates.
The penalties are categorized in tiers with corresponding minimum and maximum penalty amounts based on the culpability of the violator. The penalty tiers and amounts are—
-
Tier 1 (No Knowledge). Where a person does not know, and by exercising due diligence would not have known, that the person violated HIPAA, the penalty range is $100 to $50,000 for each violation.
-
Tier 2 (Reasonable Cause). Where a violation is due to reasonable cause and not willful neglect, the penalty range is $1,000 to $50,000 for each violation. Under HHS regulations, “reasonable cause” means circumstances that would make it unreasonable, despite the exercise of ordinary business care and prudence, to comply with the provision violated.
-
Tier 3 (Willful Neglect—Corrected). Where a violation is due to willful neglect (a conscious and intentional failure to comply or a reckless indifference to the obligation to comply), but was corrected in a timely manner (generally within 30 days of discovery), the penalty range is $10,000 to $50,000 for each violation.
-
Tier 4 (Willful Neglect—Not Corrected). Where a violation due to willful neglect was not corrected in a timely manner, the minimum penalty is $50,000 per violation. There is no maximum penalty per violation.
HHS initially adopted—for each penalty tier—a calendar-year cap of $1.5 million for each violation of an identical requirement or prohibition. However, effective April 23, 2019, HHS reduced the dollar caps for violations of identical provisions in a calendar year for the first three tiers (see our Checkpoint article). The reduced caps are as follows:
-
Tier 1: $25,000
-
Tier 2: $100,000
-
Tier 3: $250,000.
The penalties, including the calendar-year caps, are subject to adjustment for inflation.
OCR has discretion to determine the applicable penalty based on its investigation of the facts, the nature and extent of the violation, and any resulting harm. OCR also has discretion to resolve matters through corrective action without assessment of a penalty, or through a resolution agreement that includes both a corrective action plan and a payment.
For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XX.D (“Resolution Agreements”) and XX.E (“Civil Monetary Penalties”).
Contributing Editors: EBIA Staff.
