Analysis & commentary by Reed Smith on trends & developments in life sciences & health care law. Life Sciences Legal Update is written by the Reed Smith Life Sciences Health Industry attorneys and offers updates on health care matters.
Over the past few years, genetic testing services have become a widespread phenomenon. Companies providing these services gather certain biological data from consumers who sign up for their services and then analyze this data to ascertain information about the consumer’s ancestry and/or genetic traits, among other things. These companies, however, are typically considered “non-covered entities” (NCEs), meaning the Health Insurance Portability and Accountability Act (HIPAA) generally neither applies to nor protects the collected biological data. This presents a whole host of issues, particularly with respect to the question of how we ensure the data remains protected. Biological data of this nature is susceptible to breaches in light of the format in which it is stored, and some genetic testing companies are disclosing this data to pharmaceutical companies to facilitate research and the development of new drugs.
“The former includes entities that collect or deal in personal health records (PHRs) and cloud-based or mobile software tools that intend to collect health information directly from individuals and enable sharing of such information, such as wearable fitness trackers. The latter includes internet-based social media sites on which individuals create or take advantage of specific opportunities to share their health conditions and experiences.”
Relevant here, the report specifically examined the differences in the security and disclosure standards applicable to covered and non-covered entities, such as the “mHealth technologies” and “health social media” organizations.
Now we fast-forward to June of 2019. Just last month, Senator Amy Klobuchar introduced the Protecting Personal Health Data Act (S. 1842, 116th Congress). The Act specifically applies to “consumer devices, services, applications, and software,” which include “direct-to-consumer genetic testing services.” The Act calls for the Secretary of HHS to “promulgate regulations to help strengthen privacy and security protections for consumers’ personal health data that is collected, processed, analyzed, or used by consumer devices, services, applications, and software.” It also explicitly requires that, in promulgating these regulations, the Secretary keep a number of enumerated considerations in mind, as well as those points outlined in the initial 2016 DHHS report, which is referenced in the Act. If passed, the Act would also provide for the creation of a 15-member task force to monitor and contribute to the development of such regulations and standards.
While it is still very early on in the legislative process, the Act’s introduction will (hopefully) further a very important conversation among legislators regarding the current state of the protections afforded to biological data, and the protections that still need to be implemented to keep up with the modern age. The Act was referred to the Committee on Health, Education, Labor, and Pensions. You can track the Act’s progress here.
In an unprecedented settlement arising from a federal lawsuit in the U.S. District Court for the Northern District of Indiana, a medical software provider agreed to pay $900,000 to 16 state attorneys general (AGs) for alleged violations of a conglomerate of state and federal privacy laws. The settlement represents the resolution of the first-ever multistate data breach suit based on alleged violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as well as state deceptive trade practices acts, state personal information protection acts, and state breach notifications acts. The matter arose out of a 2015 data breach, in which an Indiana-based electronic health record software provider and its subsidiary (the “EHR Provider”) discovered that hackers used a compromised user ID and password to access the electronic protected health information (“ePHI”) of approximately 3.5 million individuals whose health care providers used the EHR Provider’s software. The information exposed by the breach included names, dates of birth, Social Security numbers, and clinical information.
In the lawsuit, the state AGs asserted that the EHR Provider fostered a security framework that allowed the breach to occur. This framework allegedly failed to take appropriate measures to protect its computer systems and failed to take reasonable steps to prevent breaches. The state AGs claimed that the EHR Provider, as a business associate under the provisions of HIPAA, is required to comply with the HIPAA Security Rule, and had failed on numerous accounts to meet the Security Rule’s enumerated requirements.
Although the sheer number of individuals impacted by this breach is astounding, the real headline is the nationwide collective effort by the state AGs. In addition to wielding their statutory authority to enforce HIPAA, the state AGs also brought claims under their respective data breach and personal information protection statutes. The effect was that of a full-court press – the EHR Provider was accused of 38 separate counts of state law violations all stemming from the same breach. Notably, the settlement with the state AGs was finalized about one month after the EHR Provider agreed to pay $100,000 to the Office of Civil Rights (OCR), the agency tasked with enforcing HIPAA, for alleged HIPAA violations associated with the same breach. In addition to the monetary consequences, the EHR Provider has also agreed to numerous injunctive provisions and a corrective action plan requiring the company to implement and adhere to specific data security policies and procedures.
These settlements should serve as a cautionary tale for healthcare industry participants for several reasons. First, the affected entity in this instance was a business associate governed by HIPAA. To the extent a HIPAA covered entity must take specific measures to protect the ePHI of its patients, so too must the business associate that handles the information on the covered entity’s behalf. Business associates should take stock of their data security programs and ensure that they have procedures in place to monitor, detect, and address data vulnerabilities and breaches, consistent with HIPAA Security Rule requirements. As demonstrated by the federal suit, business associates are not only on OCR’s radar, but also that of the state AGs. HIPAA-covered entities should also pay close attention to the HIPAA compliance of their business associates to ensure that they are adequately protecting the covered entity’s information. To read more on recent OCR settlements with covered entities and business associates and OCR guidance on direct liability of business associates, click here and here.
Second, the increasing reliance on web-based applications for electronic health information management represents not only an opportunity for innovation and progress, but also a threat of increased exposure and liability. Transmission of ePHI via the Internet enables health care organizations to better treat and engage patients, and helps facilitate the beneficial exchange of medical information among providers. Ideally, this electronic network leads to improved healthcare. However, as the electronic network of patients and providers continues to grow, it becomes a more valuable and data-rich target for hackers. This means that covered entities and business associates participating within any given electronic network are often exposed to potential hazards that may impact individuals in multiple states, and are subject to multiple state and federal laws and threats of enforcement action. Thus, attention to data privacy and security must grow in scale with the size of the network managing the highly regulated information.
Lastly, the federal suit and settlement demonstrate that state AGs are willing to utilize resources and combine efforts nationwide to hold healthcare industry participants accountable for compliance with both state and federal laws when it comes to data protection and privacy of health information. Moreover, as previously noted, electronic networks transmitting health information are growing. Naturally, this growth means the activities of healthcare organizations will reach more and more patients, which means handling highly regulated information in more and more states. Now faced with the no-longer-theoretical prospect of a multistate enforcement action, it is imperative that covered entities and business associates take measures to understand and comply with HIPAA and applicable state laws where their business is conducted.
Trade secrets and technical know-how represent valuable assets, especially for industries like the life sciences. Until recently, the legal protection afforded to these assets was inconsistent or inadequate. The U.S. Federal Defend Trade Secrets Act and the European Trade Secret Directive are a testament to the fact that legislators finally recognized the problem and took action.
Do you have adequate measures in place to safeguard confidentiality of your secrets?
If a third party nonetheless misappropriates them, which remedies will be available to you?
This webinar takes a comparative German/U.S. approach and is relevant for all companies that do business in either of these jurisdictions.
This program is presumptively approved for 1.0 general CLE credit in California, Illinois, New Jersey, Pennsylvania, Texas and West Virginia. For lawyers licensed in New York, this course is eligible for 1.0 credit under New York’s Approved Jurisdiction Policy.
The Department of Justice’s (DOJ) Office of Legal Counsel (OLC) released an opinion in May 2019 addressing the Food and Drug Administration’s (FDA) jurisdiction over drugs used in capital punishment. The OLC issued the opinion at the request of the U.S. Attorney General’s Office, following years of conflict around the use of sodium thiopental in executions. Most importantly, the OLC concluded that the FDA does not have jurisdiction over such articles, and this opinion raises a number of questions regarding FDA’s jurisdiction in other contexts.
Germany is one of the most important patent litigation jurisdictions in Europe, making developments in its patent law very important to life sciences companies operating globally. In recent years, the number of cases regarding claims for the transfer of patents has risen steadily in Germany. If an application is filed by someone who is not entitled to the patent, the inventor (or his successor) can demand that the application or granted patent be transferred to him.
When does that transfer claim become time-barred: Three years, or thirty years after the application has been published? In a recent judgment, the Munich Regional Court discussed this question in considerable detail. The relevant period is just three years – a decision with significant implications. Life sciences companies need to be aware that they must enforce any such claims on an expedited time frame. Depending on the perspective (claimant or defendant?), this is good or bad news. In any event the Munich decision clarifies the legal situation. For more information, see our case note in the upcoming issue of Medizin Produkte Recht. Please note that the article is in German.
The Department of Health & Human Services (HHS) Office for Civil Rights (OCR) recently issued a proposed rule (Proposed Rule) that would significantly scale back the non-discrimination regulations applicable to health care entities under the authority of Section 1557 of the Affordable Care Act (ACA). This Proposed Rule, issued on May 24, 2019 and scheduled to be published in the Federal Register June 14, 2019, would limit to whom and how Section 1557’s non-discrimination provisions apply, how they will be enforced, and what activities will be required to demonstrate compliance. Entities covered by Section 1557 will need to know what the Proposed Rule would change, what would remain the same, and what OCR may emphasize in the future as it takes a new position on nondiscrimination enforcement. Here are five key takeaways.
1. The Proposed Rule would eliminate the definitions section of the regulations, potentially making sweeping changes to whom and how the regulations apply
The Proposed Rule would eliminate the definitions section of the regulations. This includes the current regulatory definition of “on the basis of sex,” which is defined as “discrimination on the basis of pregnancy, false pregnancy, termination of pregnancy, or recovery therefrom, childbirth or related medical conditions, sex stereotyping, and gender identity.”1 That definition has been met with significant challenge, because the definition of “on the basis of sex” under the ACA refers to Title IX of the Education Amendments of 1972, which does not include gender or pregnancy.
In August 2016, a number of health care organizations, along with five states, challenged the definition of “on the basis of sex” in Franciscan Alliance v. Burwell. The plaintiffs argued that, in adding gender and pregnancy, OCR had exceeded its authority by expanding the definition of “sex” beyond Congress’s original intent in Title IX. The judge enjoined OCR from enforcing this interpretation. So, while the holding did not otherwise excuse entities from complying with Section 1557 because the current rule provides citizens who allege discrimination prohibited under Section 1557 a private right of action, OCR may no longer enforce its more expansive definition of “on the basis of sex.” In the Proposed Rule, OCR intends to rely on the interpretation of “sex” under Title IX. By doing so, the regulations issued under the authority of Section 1557 would only apply to biological, binary sex.
The removal of the definitions section could also alter the scope of the rule. Under the current regulations, “covered entities” – those that must comply with the non-discrimination provisions – include all health programs and activities that receive federal financial assistance through HHS; health programs and activities administered by HHS; and health programs and activities administered by entities established under Title I of the ACA2. This current regulatory definition construes “health program or activity” broadly by including not only health services, but also health-related insurance coverage and other health-related assistance in obtaining health services.3
OCR now proposes that Section 1557 apply only to those entities “principally engaged” in the business of providing health care. A “covered entity” would include any health care entity receiving federal financial assistance through HHS, and any program or activity administered by HHS under Title I or by any entity established under Title I. Notably, the Proposed Rule would explicitly remove health insurers, on the basis that insurers are distinct from “health care.” The agency otherwise calls for comments as to the inclusion or exclusion of employee health benefit programs, while also hinting at their possible removal in the final rule.
2. The Proposed Rule would eliminate certain costly administrative requirements, such as taglines
Under the current regulations, covered entities must include “taglines” in significant communications to denote the availability of language assistance services for Limited English Proficiency (LEP) individuals. These taglines must be in the top 15 languages of the entity’s state. The Proposed Rule would eliminate these tagline requirements entirely, based on the notion that the cost of producing such taglines is too high. OCR projects that revoking this requirement would play a large part in saving taxpayers $3.6 billion over the first five years after the rule’s finalization.
3. The Proposed Rule would eliminate the individualized focus of the Section 1557 non-discrimination requirements, instead assessing whether an entity meaningfully complies based, in part, on the size of its LEP population
The Proposed Rule would shift OCR’s case-specific approach to evaluating alleged discrimination against LEP persons, instead focusing on the size of an entity’s LEP population, and the accommodations made to those individuals on-balance. Previously, OCR took a more individualized view of compliance. For example, the current two-factor test for assessing whether an entity grants “meaningful access” to LEP individuals considers (1) the nature and importance of the health program or activity, and (2) the particular communication with the LEP individual.4 OCR also encourages entities to consider the prevalence of the language of the individual, the frequency with which a covered entity encounters the language, the individual’s preferred language, the cost of language access services, and all resources available to the covered entity and its capacity to leverage resources to obtain language access services.
The Proposed Rule moves away from this individualized focus, measuring compliance against the entity’s efforts towards its LEP population en masse. The Proposed Rule provides for a four-factor balancing test to assess whether an entity has meaningfully complied with its obligations, based on: (i) the number or proportion of limited English proficient individuals eligible to be served or likely to be encountered in the eligible service population; (ii) the frequency with which LEP individuals come in contact with the entity’s health program, activity, or service; (iii) the nature and importance of the entity’s health program, activity, or service; and (iv) the resources available to the entity and costs. This flexible standard, which weighs how many LEP individuals the entity sees against the cost of services, changes the view of compliance from an individually-based to a broader community-based inquiry. As currently proposed, query whether a lack of specific language access services may be justified, if an entity rarely sees certain LEP individuals, and those services would require significant resources or cost.
4. The Proposed Rule would retain many of its access and communication provisions for LEP and disabled individuals, and might maintain the requirement for entities to issue assurances of compliance
OCR details in its Proposed Rule a number of requirements that it plans to retain, including provisions on voluntary acceptance of language access services, effective communication for individuals with disabilities, accessibility of buildings and facilities, accessibility of information and communications technology, and the requirement to make reasonable modifications.
The Proposed Rule also preserves, either explicitly (through reference to other law) or impliedly, most of what OCR calls the “disability-rights related definitions.” It notes that some terms are so clear they do not require formal definitions. These terms include “age,” “individual with limited English proficiency,” and “individual with a disability.” As another example, the Proposed Rule retains most of the regulation’s current language as to qualified translators and interpreters, but disposes of the designation of “qualified,” which OCR views as redundant.
OCR additionally contemplates continuing to require covered entities to submit assurances of compliance with Section 1557. Applicants for HHS’s federal financial assistance for health programs or activities, health insurance issuers seeking certification in a state exchange, and states seeking approval to operate in a state exchange would then all continue to submit assurance that the health program or activity will comply with the standards of Section 1557. Still, OCR calls for comment as to whether the rule necessitates these assurances. Further, the lack of clarity as to the definition of “health program or activity” under the Proposed Rule may give rise to greater questions about to whom this assurance-of-compliance requirement applies.
5. Finally, the Proposed Rule would eliminate the private right of action under Section 1557
Under the Proposed Rule, OCR would continue “faithfully and vigorously” enforcing Section 1557, but its methods of enforcement would be substantially different. The Proposed Rule would delegate to OCR the authority to handle complaints and otherwise take enforcement action, but would remove the private right of action provided to individuals and entities. Additionally, all rule-specific enforcement methods would be removed, and OCR would instead rely on enforcement mechanisms in the underlying statutes – Title VI of the Civil Rights Act of 1964, Title IX of the Education Amendments of 1972, the Age Discrimination Act of 1975, and Section 504 of the Rehabilitation Act of 1973 – along with OCR’s regulations implementing those laws.
Comments on the Proposed Rule will be accepted by OCR 60 days from the date of publication in the Federal Register.
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) released a new fact sheet outlining and clarifying violations of HIPAA (Health Insurance Portability and Accountability Act of 1996) for which a business associate can be held directly liable. Published shortly after the release of new guidance from OCR in the form of FAQs, the new fact sheet signifies another example of OCR’s recent efforts to clarify new and outstanding questions from the ever-evolving health care industry.
In the new fact sheet, OCR first recalls the procedural history by which the application of certain aspects of HIPAA extended to business associates – the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 and OCR’s 2013 Final Rule modifying the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules, which dramatically extended to business associates the need to comply directly with the HIPAA Security Rule and significant aspects of the HIPAA Privacy Rule. Since that time, business associates have made efforts to comply with these HIPAA requirements but with little insight as to whether OCR will come after them (as opposed to their covered entity counterparts) for HIPAA violations, and if so, the types of violations OCR will enforce against business associates.
OCR’s fact sheet finally brings some clarity to business associates contemplating their own liability under HIPAA. Citing to the HITECH Act and 2013 Final Rule, the fact sheet clearly states that “OCR has authority to take enforcement action against business associates only for those requirements and prohibitions of the HIPAA Rules as set forth below” (emphasis in original). These are:
Failure to provide the Secretary of Health and Human Services (HHS) with records and compliance reports; cooperate with complaint investigations and compliance reviews; and permit access by the Secretary to information, including protected health information (PHI), pertinent to determining compliance.
Taking any retaliatory action against any individual or other person for filing a HIPAA complaint, participating in an investigation or other enforcement process, or opposing an act or practice that is unlawful under the HIPAA Rules.
Failure to comply with the requirements of the HIPAA Security Rule.
Failure to provide breach notification to a covered entity or another business associate.
Impermissible uses and disclosures of PHI.
Failure to disclose a copy of electronic PHI (ePHI) to either the covered entity, the individual, or the individual’s designee (whichever is specified in the business associate agreement (BAA)) to satisfy a covered entity’s obligations regarding the form and format, and the time and manner of access under 45 C.F.R. §§ 164.524(c)(2)(ii) and (c)(3)(ii), respectively.
Failure to make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
Failure, in certain circumstances, to provide an accounting of disclosures.
Failure to enter into BAAs with subcontractors that create or receive PHI on their behalf, and failure to comply with the implementation specifications for such BAAs.
Failure to take reasonable steps to address a material breach or violation of the subcontractor’s BAA.
In one illustrative example, OCR indicated it has enforcement authority directly over a business associate that has agreed in a BAA to satisfy individual rights (e.g., requests from individuals for access to copies of their medical records). Notably, OCR did not say it would enforce a business associate’s failure to sign a BAA with a covered entity (however, it would with respect to BAAs with business associate subcontractors). Rather, OCR’s example demonstrates that the agency will hold business associates accountable for certain contractual obligations they have made with a covered entity, even if such obligations otherwise exceed the scope of business associate requirements under HIPAA.
OCR’s clarification surrounding the direct liability of business associates comes at a time when the agency’s enforcement against business associates has been on a noticeable, steady rise. Just a few days before releasing the new fact sheet, OCR settled allegations of HIPAA Privacy Rule and Security Rule violations for $100,000 with a business associate that provides software and electronic medical record services to healthcare providers. In that case, the business associate self-disclosed to OCR a HIPAA breach following discovery that hackers used a compromised user ID and password to access the ePHI of approximately 3.5 million people. OCR’s investigation revealed that the business associate had not conducted a comprehensive risk analysis prior to the breach, as required by the Security Rule. To read more on recent OCR settlements with business associates, click here.
Life sciences companies doing business in France will be interested in the recent results of Optical Center’s appeal of a penalty assessed by the Commission nationale de l’informatique et des libertés (CNIL), the French data protection authority, surrounding a data breach. The data breach allowed access to invoices and purchases containing personal and sensitive customer data. Optical Center appealed the initial 250,000 euro penalty, and France’s highest administrative court (the Council of State) lowered the penalty to 200,000 euros. The possibility of filing an appeal following a decision by the CNIL may be considered a strategic option for companies operating in France.
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) released a new set of HIPAA FAQs addressing the applicability of HIPAA to certain health apps and the covered entities and business associates that interact with them. These FAQs build upon prior guidance from OCR that outlined the framework for evaluating whether a health app developer must comply with HIPAA, but tackle a different question – when are covered entities or business associates liable under HIPAA for the subsequent misuse of electronic protected health information (ePHI) by a health app developer?
To answer questions about an app developer’s HIPAA obligations, OCR’s prior guidance focused on the direct-to-consumer nature of the app. OCR concluded that if the patient initiated use of the app, or brought the app to his or her health care provider (i.e., a covered entity), the app developer would not be considered a business associate of that covered entity. Notably, OCR also did not consider the existence of an interoperability agreement between the patient’s health care provider and the app developer to change this analysis. By contrast, in circumstances where a health care provider contracts with the app developer for purposes of patient management services, or for remote patient health counseling, monitoring, or messaging services, and the provider recommends that its patients download the app, OCR considers the app developer a business associate of the covered entity.
OCR’s new FAQs extend upon this discussion of the business associate relationship between a covered entity and app developer, and highlight the vicarious liability faced by a covered entity if and when an impermissible use or disclosure of ePHI involves the app. The new FAQs reiterate that if the app was not provided by or on behalf of the covered entity, then the covered entity will not be liable for a breach of any information later experienced by the app. However, if the app was developed for, or provided for or on behalf of, the covered entity, then the covered entity could be held responsible for an impermissible use or disclosure of the ePHI in the app. In other words, if OCR determines that an app was developed to create, receive, maintain, or transmit ePHI on behalf of the covered entity for its patients, then the app developer is a business associate of the covered entity, and the covered entity may be liable for an impermissible use or disclosure of ePHI in connection with the app. Importantly, according to the FAQs, the same logic applies to business associates who engage app developers on behalf of covered entities.
Yet, OCR appears to miss a critical element in its analysis of the liability to be imposed on a covered entity when a business associate runs afoul of its HIPAA obligations, or on a business associate when its subcontractor violates HIPAA. With the promulgation of the Health Information Technology for Economic and Clinical Health Act (HITECH) Final Rule, covered entities became liable for the actions of their business associates, but only so long as a federal common law relationship of agency exists between the two.1 As a result, HITECH made covered entities significantly more responsible for the actions of their business associates, but with careful consideration that not all business associates would be considered agents of covered entities. According to OCR, the agency relationship would be a fact-specific determination, taking into account the terms of the BAA as well as the totality of the circumstances of the relationship between the two entities.
Now, with its recently released FAQs, OCR has signaled its intention to pay closer attention to the fault attributable to a covered entity when a business associate breaches the integrity or security of a patient’s ePHI. The requirement for an agency relationship between the covered entity and business associate places some guardrails around the possibility of vicarious liability, but also makes the need to clearly define the relationship between the parties critically important. OCR’s new focus reflects the importance of covered entities identifying their business associates correctly and contracting with them appropriately.
From a practical perspective, this is not as easy as it may sound. Health care providers and other entities in the health care industry are becoming structurally more complicated as many such entities no longer act solely as HIPAA-covered entities or business associates. For example, health care providers may provide technology and related services as a business associate to other covered entities. Or, as another example, a covered entity could have a dual relationship with another covered entity: one relationship where they exchange ePHI to provide health care to mutual patients and another where they act as a business associate. Moreover, covered entities and business associates may be hybrid entities when they provide technology and related services as part of and separate from their HIPAA-regulated roles.
The technology arrangements may also be complicated and tangle the agency analysis assessing the potential risk of vicarious liability. Application developers may provide technology solutions with various levels of interaction with HIPAA-regulated entities, including off-the-shelf, configurable, or fully customized products and services. The technological details of the solution may be integral to the agency analysis for vicarious liability. For example, is an agency relationship created when an entity is providing a cloud-based platform that has a standard foundation for all customers but includes the ability for both the application developer and the covered entity to configure and customize some portions of it? Is a covered entity insulated from vicarious liability if it uses a technology solution that it can configure for its purposes, but exposed to vicarious liability if it requests customizations from an application developer that will have the exact same result? Should a covered entity use out-of-the-box technology solutions that may not ideally fit its business operations (possibly creating risk) rather than work with a third party to build a solution that better meets its operational objectives but increases the risk of vicarious liability?
We work with HIPAA-regulated entities to analyze how these relationships with technology providers can impact their HIPAA risk exposure. These FAQs seem to further muddy an already murky legal analysis by ignoring the critical agency element limiting the applicability of vicarious liability, and they emphasize that HIPAA-regulated entities should pay close attention to whether they are creating an agency relationship with technology providers. Such entities may significantly increase their HIPAA-related risk if they treat technology-related agreements as business-as-usual deals. While the legal agency analysis can be complicated, such entities should thoroughly understand the parties’ roles, the technology involved, the actual tasks performed by the application developers, and other factors so they can accurately assess the potentially significant impact on their HIPAA risk exposure from using technology provided by third parties.
1 45 CFR 160.402(c)(1). Interestingly, in another FAQ that predates HITECH, but was reviewed by OCR subsequent to the HITECH Final Rule, OCR did not consider a covered entity to be liable for, or required to monitor, the actions of its business associates if the parties had signed a business associate agreement (BAA) and the covered entity took reasonable steps to cure a breach in the event one occurred.
On Friday, April 26, 2019, the U.S. Department of Health and Human Services (“HHS”) filed a Notice of Enforcement Decision (the “Notice of Enforcement”), confirming the agency’s reconsideration of its prior interpretation of the Health Information Technology for Economic and Clinical Health Act’s (the “HITECH Act’s”) penalty structure. In doing so, HHS announced the abandonment of a previous annual penalty cap that did not vary based on an entity’s level of culpability.
Effective immediately, the maximum penalty that the HHS Office for Civil Rights (“OCR”) will impose for violations of a particular provision of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) that occur within a single calendar year has been generally, and significantly, reduced. Except for violations that are due to a regulated entity’s willful neglect and have not been timely corrected (which retain the annual penalty limit of $1.5 million), OCR will impose a lower annual limit on violations that occur (a) without a regulated entity’s knowledge, where with reasonable diligence it would not have known about the violation; (b) due to reasonable cause and not willful neglect; and (c) due to willful neglect that is timely corrected.
The Notice of Enforcement does not mark the first occasion in which HHS acknowledged ambiguity under the HITECH Act’s tier-based penalty scheme. In 2013, HHS noted the existence of multiple possible legislative interpretations, ultimately issuing a final rule that applied the same cumulative annual limit ($1.5 million) across four violation categories, as illustrated in the chart below:
[Chart: 2013 HHS Interpretation (violation categories include “Willful Neglect — Not Corrected”; the chart’s penalty figures were not reproduced in this text)]
Under the Notice of Enforcement, HHS confirmed its determination that “the better reading” instead involves progressively applying annual limits in accordance with the following revised chart:
[Chart: Revised HHS Interpretation under the 2019 Notice of Enforcement (violation categories include “Willful Neglect — Not Corrected”; the chart’s penalty figures were not reproduced in this text)]
HHS confirmed that the agency will use the foregoing penalty tier structure, as adjusted for inflation, until further notice.
The revised penalty structure reinforces the notion that prospective HIPAA compliance efforts can have a significant monetary impact in terms of future enforcement.