The HHS Office for Civil Rights (“OCR”) issued a notice in the Federal Register regarding its Enforcement Discretion (84 Fed. Reg. 18151) on April 30, 2019.

HHS announced that HHS will now apply a different cumulative annual Civil Money Penalties (CMPs) limit for each of the four categories of HIPAA violations based on the level of culpability. As indicated in the table below, currently, and pursuant to its administrative rulemaking after passage of the HITECH Act, HHS applies the same cumulative annual CMP limit of $1.5 million1.

It is important that OCR indicated in this year’s budget request that it needed fewer appropriated funds for the HIPAA enforcement program, given its enforcement recoveries. So, she notes, if OCR were to collect fewer of those recoveries in the future as a result of this exercise of Enforcement Discretion, that may affect its ability to enforce HIPAA, including with regard to enforcement priorities, such as individuals’ access to their own information, and it may affect individuals who would otherwise recover part of such settlements or fines as provided by the HITECH Act. On the other hand, if the amounts for each violation are less, it is conceivable that OCR will simply include more potential violations for enforcement in any particular settlement or CMP case.HHS expects to promulgate a new rule to revise the current penalty tiers; however, this effort is not currently included on the Secretary’s rulemaking calendar and, given the Trump administration’s effort to limit sub-regulatory guidance in favor of reducing burdens through rulemaking, it is not only surprising that this guidance was issued instead of a rulemaking, it is also not clear when such a rulemaking effort will take place.