Takeaway: The penalties for privacy violations of HIPAA under the HITECH Act have been reduced and redefined based on the type of information violation under the Trump Administration.
Compliance with the Health Insurance Portability and Accountability Act (HIPAA) requires entities that come into contact with Protected Health Information (PHI) to ensure technical, physical, and administrative safeguards to that information. This regulation essentially covers data privacy for entities in the healthcare industry.
Prior to last week, being caught in violation of HIPAA could cost an entity up to $1.5 million per violation. This was the interpretation of HIPAA penalties that the Obama Administration had previously defined in the Health Information Technology for Economic and Clinical Health Act (HITECH). However, last week, the Department of Health and Human Services under the Trump Administration decided that the proper interpretation of the penalties under HIPAA would apply lower caps for lesser violations of the act.
There are now four different caps for violations of HIPAA outlined in the HITECH Act. First, if there was no knowledge of the violation, the penalty may be from $100 – $50,000 per violation and an annual limit of $25,000. Second, if the violation is due to reasonable cause, not willful neglect, the penalty is now $1,000 – $50,000 per violation and an annual limit of $100,000. Third, if the violation was based on willful neglect, but was timely corrected, the penalty is now $10,000 – $50,000 per violation and an annual limit of $250,000. Finally, if the violation was based on willful neglect and the person or entity did not correct the violation in a reasonable amount of time, the penalty is $50,000 per violation and an annual limit of $1,500,000.