Notification of Enforcement Discretion Regarding HIPAA Civil Money Penalties, 18151-18153 [2019-08530]



[Federal Register Volume 84, Number 83 (Tuesday, April 30, 2019)]
[Rules and Regulations]
[Pages 18151-18153]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2019-08530]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

45 CFR Part 160


Notification of Enforcement Discretion Regarding HIPAA Civil 
Money Penalties

AGENCY: Office of the Secretary, HHS.

ACTION: Enforcement Discretion.

-----------------------------------------------------------------------

SUMMARY: This notification is to inform the public that the Department 
of Health and Human Services (HHS) is exercising its discretion in how 
it applies HHS regulations concerning the assessment of Civil Money 
Penalties (CMPs) under the Health Insurance Portability and 
Accountability Act of 1996 (HIPAA), as such provision was amended by 
the Health Information Technology for Economic and Clinical Health 
(HITECH) Act. Current HHS regulations apply the same cumulative annual 
CMP limit across four categories of violations based on the level of 
culpability. As a matter of enforcement discretion, and pending further 
rulemaking, HHS will apply a different cumulative annual CMP limit for 
each of the four penalty tiers in the HITECH Act.

DATES: This exercise of enforcement discretion is effective 
indefinitely.

FOR FURTHER INFORMATION CONTACT: Rachel Seeger at (202) 619-0403 or 
(800) 537-7697 (TDD).

SUPPLEMENTARY INFORMATION:

I. Background

    When enacting the HIPAA administrative simplification provisions, 
Congress authorized HHS to impose a maximum CMP of $100 for each 
violation, subject to a calendar year cap of $25,000 for all violations 
of an identical requirement or prohibition. Public Law 104-191, section 
262(a), 110 Stat. 1936, 2028 (Aug. 21, 1996) (adding Social Security 
Act section 1176(a)(1), 42 U.S.C. 1320d-5(a)(1)).
    HHS issued an interim final rule (IFR) on April 17, 2003, setting 
forth the procedural requirements that the Department would follow in 
enforcing HIPAA and its regulations, including procedures for providing 
notice, managing hearings, and issuing administrative subpoenas. HHS 
issued a proposed rule on the substantive enforcement provisions on 
April 18, 2005. HIPAA Administrative Simplification: Enforcement; 
Proposed Rule, 70 FR 20224 (April 18, 2005). HHS issued a HIPAA 
enforcement final rule on February 16, 2006, which, among other things, 
incorporated penalties consistent with the $100 per violation cap and 
$25,000 annual cap in HIPAA. HIPAA Administrative Simplification:

[[Page 18152]]

Enforcement; Final Rule, 71 FR 8390 (Feb. 16, 2006).
    In February 2009, Congress enacted the HITECH Act (as part of the 
American Recovery and Reinvestment Act of 2009) that, among other 
things, strengthened HIPAA enforcement by increasing minimum and 
maximum potential CMPs for HIPAA violations. Public Law 111-5, section 
13410, 123 Stat. 115, 271 (Feb. 17, 2009) (amending Social Security Act 
section 1176(a)(1), 42 U.S.C. 1320d-5(a)(1)). Section 13410(d) of the 
HITECH Act established four categories for HIPAA violations, with 
increasing penalty tiers based on the level of culpability associated 
with the violation: (1) The person did not know (and, by exercising 
reasonable diligence, would not have known) that the person violated 
the provision; (2) the violation was due to reasonable cause, and not 
willful neglect; (3) the violation was due to willful neglect that is 
timely corrected; and (4) the violation was due to willful neglect that 
is not timely corrected. Thus, if a covered entity did not know that it 
violated HIPAA, and, through due care, would not have known, the 
Secretary shall \1\ impose ``a penalty for each such violation of an 
amount that is at least the amount described in paragraph (3)(A) but 
not to exceed the amount described in paragraph (3)(D)[.]'' 42 U.S.C. 
1320d-5(a)(1)(A). Where the violation was due to reasonable cause, and 
not willful neglect, the Secretary shall impose ``a penalty for each 
such violation of an amount that is at least the amount described in 
paragraph (3)(B) but not to exceed the amount described in paragraph 
(3)(D)[.]'' Id. at section 1320d-5(a)(1)(B). If the violation were due 
to willful neglect, but was corrected in a timely manner, the Secretary 
shall impose ``a penalty in an amount that is at least the amount 
described in paragraph (3)(C) but not to exceed the amount described in 
paragraph (3)(D)[.]'' Id. at section 1320d-5(a)(1)(C)(i). And, finally, 
if the violation were due to willful neglect, but was not timely 
corrected, the Secretary shall impose ``a penalty in an amount that is 
at least the amount described in paragraph (3)(D).'' Id. at section 
1320d-5(a)(1)(C)(ii).
---------------------------------------------------------------------------

    \1\ 42 U.S.C. 1320d-5(a)(1) provides that ``[e]xcept as provided 
in subsection (b) of this section, the Secretary shall impose on any 
person who violates a provision of this part. . . .''
---------------------------------------------------------------------------

    The penalty amounts corresponding to each culpability level or 
violation type were set forth by the HITECH Act as follows:

    Tiers of penalties described.
     • The amount described in this subparagraph is $100 for 
each such violation, except that the total amount imposed on the 
person for all such violations of an identical requirement or 
prohibition during a calendar year may not exceed $25,000 (42 U.S.C. 
1320d-5(a)(3)(A));
     • the amount described in this subparagraph is $1,000 for 
each such violation, except that the total amount imposed on the 
person for all such violations of an identical requirement or 
prohibition during a calendar year may not exceed $100,000 (42 
U.S.C. 1320d-5(a)(3)(B));
     • the amount described in this subparagraph is $10,000 
for each such violation, except that the total amount imposed on the 
person for all such violations of an identical requirement or 
prohibition during a calendar year may not exceed $250,000 (42 
U.S.C. 1320d-5(a)(3)(C));
     • the amount described in this subparagraph is $50,000 
for each such violation, except that the total amount imposed on the 
person for all such violations of an identical requirement or 
prohibition during a calendar year may not exceed $1,500,000 (42 
U.S.C. 1320d-5(a)(3)(D)).

    On October 30, 2009, HHS issued an IFR to implement the enhanced 
penalty provisions of the HITECH Act. The Department's view at the time 
was that the HITECH Act's penalty provisions were ``conflicting'' 
because they allegedly referenced two levels of penalties for three of 
the four violation types. See HIPAA Administrative Simplification: 
Enforcement, 74 FR 56123, 56127 (Oct. 30, 2009). Although the HITECH 
Act provided four different annual penalty caps, the IFR concluded that 
``the most logical reading'' of the law was to apply the highest annual 
cap of $1.5 million to all violation types, and that this was 
``consistent with Congress' intent to strengthen enforcement.'' Id.
    On January 25, 2013, HHS adopted the text of the IFR as a final 
rule (Enforcement Rule) without change to the penalty tiers and annual 
limits. HHS noted in the preamble that, ``[i]n adopting the HITECH 
Act's penalty scheme, the Department recognized that section 13410(d) 
contained apparently inconsistent language (i.e., its reference to two 
penalty tiers `for each violation,' each of which provided a penalty 
amount `for all such violations' of an identical requirement or 
prohibition in a calendar year). To resolve this inconsistency, with 
the exception of violations due to willful neglect that are not timely 
corrected, the IFR adopted a range of penalty amounts between the 
minimum given in one tier and the maximum given in the second tier for 
each violation and adopted the amount of $1.5 million as the limit for 
all violations of an identical provision of the HIPAA rules in a 
calendar year.'' See Modifications to the HIPAA Privacy, Security, 
Enforcement, and Breach Notification Rules Under the HITECH Act and the 
Genetic Information Nondiscrimination Act; Other Modifications to the 
HIPAA Rules; Final Rule, 78 FR 5566, 5582 (Jan. 25, 2013). The 2013 
Enforcement Rule identified that some commenters expressed concern 
about the rule imposing a $1.5 million cap for every penalty tier. Such 
commenters argued that ``the IFR's penalty scheme is inconsistent with 
the HITECH Act's establishment of different tiers based on culpability 
because the outside limits were the same for all culpability categories 
and this ignored the outside limits set forth by the HITECH Act within 
the lower penalty tiers, rendering those limits meaningless.'' 78 FR at 
5583. In response, HHS stated that it continued to believe ``that the 
penalty amounts are appropriate and reflect the most logical reading of 
the HITECH Act, which provides the Secretary with discretion to impose 
penalties for each category of culpability up to the maximum amount 
described in the highest penalty tier.'' Id.
    As a result, the Enforcement Rule applies an annual upper limit of 
$1.5 million for each of the four culpability tiers, as shown below in 
Table 1.

                                Table 1--Penalty Tiers Under the Enforcement Rule
----------------------------------------------------------------------------------------------------------------
                                                          Minimum penalty/   Maximum penalty/
                      Culpability                            violation          violation         Annual limit
----------------------------------------------------------------------------------------------------------------
No Knowledge...........................................               $100            $50,000         $1,500,000
Reasonable Cause.......................................              1,000             50,000          1,500,000
Willful Neglect--Corrected.............................             10,000             50,000          1,500,000
Willful Neglect--Not Corrected.........................             50,000             50,000          1,500,000
----------------------------------------------------------------------------------------------------------------


[[Page 18153]]

    Upon further review of the statute by the HHS Office of the General 
Counsel, HHS has determined that the better reading of the HITECH Act 
is to apply annual limits as represented in Table 2 below: $25,000 for 
no knowledge, $100,000 for reasonable cause, $250,000 for corrected 
willful neglect, and $1,500,000 for uncorrected willful neglect. In 
light of this determination, and as a matter of enforcement discretion, 
HHS is notifying the public that all HIPAA enforcement actions will be 
governed by the following interim penalty tiers:

                       Table 2--Penalty Tiers Under Notification of Enforcement Discretion
----------------------------------------------------------------------------------------------------------------
                                                          Minimum penalty/   Maximum penalty/
                      Culpability                            violation          violation         Annual limit
----------------------------------------------------------------------------------------------------------------
No Knowledge...........................................               $100            $50,000            $25,000
Reasonable Cause.......................................              1,000             50,000            100,000
Willful Neglect--Corrected.............................             10,000             50,000            250,000
Willful Neglect--Not Corrected.........................             50,000             50,000          1,500,000
----------------------------------------------------------------------------------------------------------------

    HHS will use this penalty tier structure, as adjusted for 
inflation,\2\ until further notice. See, e.g., Heckler v. Chaney, 470 
U.S. 821, 831 (1985) (``This Court has recognized on several occasions 
over many years that an agency's decision not to prosecute or enforce, 
whether through civil or criminal process, is a decision generally 
committed to an agency's absolute discretion.'').
---------------------------------------------------------------------------

    \2\ HHS is required to annually adjust its CMPs for inflation 
pursuant to the cost-of-living formula set forth in the Federal 
Civil Penalties Inflation Adjustment Act Improvements Act of 2015, 
enacted as part of the Bipartisan Budget Act of 2015, Public Law 
114-74, section 701, 129 Stat. 599 (Nov. 2, 2015).
---------------------------------------------------------------------------

    HHS expects to engage in future rulemaking to revise the penalty 
tiers in the current regulation to better reflect the text of the 
HITECH Act.

III. Collection of Information Requirements

    This notification of enforcement discretion creates no legal 
obligations and no legal rights. Because this notification imposes no 
information collection requirements, it need not be reviewed by the 
Office of Management and Budget under the Paperwork Reduction Act of 
1995 (44 U.S.C. 3501 et seq.).

    Dated: April 23, 2019.
Roger T. Severino,
Director, Office for Civil Rights, Department of Health and Human 
Services.
[FR Doc. 2019-08530 Filed 4-26-19; 4:15 pm]
 BILLING CODE 4153-01-P