Until recently, the annual limit for civil monetary penalties (CMP) that could be levied against covered entities and business associates in violation of the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act, and their implementing regulations, as amended from time to time (collectively, HIPAA) was $1,500,000. On April 30, 2019, the U.S. Department of Health and Human Services (HHS) released a notice of enforcement discretion lowering the annual CMP caps for certain types of penalties imposed for violating HIPAA. Given 2018 was HHS’ all-time record year for HIPAA enforcement ($28.7 million in penalties collected), the new annual caps seemingly appear to provide relief to covered entities and business associates. The reduced annual caps certainly lower the financial risks for covered entities and business associates that have taken steps to meet HIPAA’s requirements.
However, covered entities and business associates should not get too excited because the reduction in the annual CMP caps are limited in many ways, including, as follows: Continue Reading