HIPAA Civil Penalties Decreased


It is rare to see “penalties decreased”, but here we have it and it is not a typo.  Late last month, the Department of Health and Human Services (HHS) released a notice applying a tiered annual limit to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) civil penalties.  Below is a summary of the new maximum penalties that all HHS HIPAA enforcement actions will use until further notice:

Culpability                        Minimum Penalty Per Violation   Maximum Penalty Per Violation   Annual Limit
No Knowledge                       $100                            $50,000                         $25,000*
Reasonable Cause                   $1,000                          $50,000                         $100,000
Willful Neglect - Corrected        $10,000                         $50,000                         $250,000
Willful Neglect - Not Corrected    $50,000                         $50,000                         $1,500,000

While this is welcome news, the penalties are still significant and can add up quickly.  The annual limit applies to each identical violation; however, a breach can include multiple distinct violations.  As a result, HHS can issue the maximum annual limit penalty for each separate violation.

Even though penalties have been reduced, there is no better time to remind employers who sponsor self-funded group health plans of their plan’s responsibilities under HIPAA. Among everything else employers must consider when administering their benefit programs, compliance responsibilities are unfortunately easily overlooked.  Among other requirements, HIPAA requires self-funded group health plans to:

  • Provide Notice of Privacy Practices (notice of availability every three years)
  • Adopt HIPAA Privacy and Security Policies and Procedures
  • Appoint Privacy and Security Officers
  • Conduct a periodic risk assessment
  • Train workforce with access to protected health information on privacy and security policies and procedures
  • Maintain Business Associate Agreements with vendors with access to protected health information prior to sharing any protected health information
  • Adopt Breach Notification Procedures 

The only exception to these rules applies to plans that are self-funded and self-administered with fewer than 50 employees eligible to participate. If you do not currently have HIPAA Privacy and Security policies and procedures in place, or have not revisited your policies and procedures since passage of the Health Information Technology for Economic Relief Act in 2013 (strengthening HIPAA’s privacy and security provisions), it is time to implement them or update your current practice.  If you sponsor a fully-insured group health plan, don’t worry. Much of the responsibility for HIPAA compliance rests with the insurance carrier when the employer’s access to protected health information is limited to administrative functions like enrollment/disenrollment and bidding coverage.

While the above list is not exhaustive, it highlights important HIPAA considerations for employers sponsoring self-funded group health plans. While HIPAA compliance can seem burdensome, it also provides a framework for best practices.  Please contact your HORAN representative with any additional questions.

*This is not a typo.  The annual limit is less than the maximum per violation per the HHS Notification.