The HHS Office of Civil Rights (“OCR”) closed out the month of April with some updates to HIPAA civil monetary penalty (“CMP”) limits and clarifications to OCR’s stance on the Privacy Rule’s application to transfers of electronic protected health information (“ePHI”) to third-party applications and application programming interfaces (“APIs”).

Differential CMP Caps Based on Enforcement Discretion

Under the current HIPAA Enforcement Rule, HHS employs a four-tier culpability scale in line with the HITECH Act. These four tiers correspond to CMP ranges for violations of the HIPAA Privacy and Security Rules by covered entities and business associates. The penalty tiers are adjusted for inflation pursuant to the cost-of-living formula set forth in the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015.

For instance, if a person did not know and, by exercising reasonable diligence, would not have known that the person violated the applicable HIPAA provision, the CMP range the person could be levied was $100-$50,000 for each identical violation, up to a maximum of $1.5 million for all such violations annually (before adjustment for inflation). The $1.5 million annual cap on CMPs for HIPAA violations applied across all four tiers, even though the minimum penalty for each tier increased in amount.

Since HHS began using this four-tier structure, however, there has been debate about whether the HITECH Act mandates different annual CMP caps for each of the tiers. OCR’s April 30, 2019 Federal Register Notice changes HHS’s prior position on this, and now imposes the following annual caps on CMPs for HIPAA violations:

  • $25,000 (Tier 1 – no knowledge)
  • $100,000 (Tier 2 – reasonable cause)
  • $250,000 (Tier 3 – willful neglect/corrected)
  • $1.5 million (Tier 4 – willful neglect/not corrected)

What is odd is that the maximum penalty for each tier remains at $50,000 as of the date of the Federal Register Notice. This does not appear to make sense given that the annual limit for Tier 1 violations is $25,000. Nevertheless, HHS will follow this structure “until further notice,” which means there still may be some cleaning up to do.

New FAQ Responses to Clarify Patient Access Rights Under HIPAA

On April 18, 2019, OCR published responses to five Frequently Asked Questions (the “FAQs”) regarding the analysis of a patient’s right of access to his or her ePHI through third-party apps and APIs. Covered entities should take these FAQs into account when responding to the proposed rules on information blocking released by the Office of the National Coordinator for Health Information Technology (“ONC”) and the Centers for Medicare & Medicaid Services’ proposed rules on Interoperability and Patient Access, which are now due June 3, 2019. These proposed rules encourage patient access to ePHI via APIs and the FAQs attempt to address some of the questions OCR has received regarding how to balance HIPAA compliance with patient access via new transmission and storage modalities for ePHI.

Overall, the FAQs clarify the scope of covered entities’ responsibility to comply with patients’ requests to direct their ePHI to third parties pursuant to 45 CFR § 164.524 and their liability for any breaches to that ePHI after its transfer. The main points that covered entities should glean from the FAQs are:

  • Covered entities cannot refuse to disclose ePHI to an app chosen by an individual because of concerns about how the app will use or disclose the ePHI it receives.
  • Covered entities or their business associates (e.g., an EHR system developer) that did not develop or provide a third-party app that “creates, receives, maintains, or transmits ePHI on behalf of the covered entity”:
      • are not required to enter into a business associate agreement (“BAA”) with the third-party app or API developer; and
      • are not liable under the HIPAA Rules for a subsequent impermissible disclosure by the third-party app or API.
  • Covered entities would not be responsible for unauthorized access to the individual’s ePHI while in transmission to a third-party app or API, even if it is transferred in an unsecure manner or over an unsecure channel.

The new FAQs became necessary as patients increasingly sought ready access to their ePHI and related data through mobile apps and devices that are distinct from those provided by covered entities. Covered entities, in an abundance of caution, often refused to send ePHI to third-party apps and APIs because they were concerned about being liable for breaches of any ePHI after it was transferred.

With these new FAQs, covered entities and their business associates have more clarity regarding their obligations under the HIPAA Privacy Rule. Moreover, it is arguable that the release of the FAQs provides constructive notice to covered entities and developers of third-party apps and APIs that engaging in practices that contradict OCR’s responses could constitute information blocking, which we have profiled in numerous previous posts.

Jodi G. Daniel

Jodi Daniel is a partner in Crowell & Moring’s Washington, D.C. office and a member of the firm’s Health Care Group, where she provides strategic advice to clients navigating the legal and regulatory environments related to technology in the health care sector. Jodi is the former director of the Office of Policy in the Office of the National Coordinator for Health Information Technology (ONC), U.S. Department of Health and Human Services (HHS). She served for a decade as the director at the ONC and 15 years at HHS, where she helped spearhead important changes in health information privacy and health information technology to improve health care for consumers nationwide.

For more than a decade, Jodi was responsible for thought leadership, policy development, and identifying policy drivers for health IT activities within the federal government, and ultimately established HHS’s national health IT policy. As former director at the ONC, she addressed privacy and security issues to ensure that there was clear guidance on how the initial Health Insurance Portability and Accountability Act of 1996 (HIPAA) rules applied to health IT. Jodi set the strategic direction and policy on consumer e-health and health IT safety. She is also credited with establishing the ONC’s regulatory capacity and led the development of all ONC regulations on health IT standards and certification.

As the first senior counsel for health information technology in the Office of the General Counsel (OGC) of HHS, Jodi developed HHS’s foundational legal strategies and coordinated all legal advice regarding health IT for HHS. She founded and chaired the health information technology practice group within OGC and worked closely with the Centers for Medicare and Medicaid Services in the development of the e-prescribing standards regulations and the Stark and anti-kickback rules regarding e-prescribing and electronic health records.

Stephanie Willis

Stephanie Willis is a counsel in Crowell & Moring’s Washington, D.C. office and a member of the firm’s Health Care Group. Stephanie primarily works with health care clients seeking to comply with state and federal health care anti-fraud and abuse laws, privacy and security laws, and licensing laws.

Stephanie’s work incorporates her Master of Public Health degree as well as her past experiences as an associate counsel in the Office of the Inspector General for the Department of Health and Human Services (HHS-OIG) and as an intern at the Massachusetts Division of Insurance, the Health Care Division of the Massachusetts Attorney General’s Office, and the Massachusetts Health Care Connector, which was the first health care exchange in the nation.