Good News for Covered Entities and Business Associates: Recent HHS HIPAA Pronouncements Acknowledge Realities and Soften Impact

In two recent pronouncements, the United States Department of Health and Human Services (HHS) has taken a balanced approach to interpreting the Health Insurance Portability and Accountability Act (HIPAA) regulations that gives a nod to the realities of HIPAA compliance and the sharing of PHI.

Exercise of Enforcement Discretion Regarding HIPAA Civil Money Penalties

On April 30, 2019, HHS published a Notification of Enforcement Discretion Regarding HIPAA Civil Money Penalties which more closely ties the annual cap for penalties to culpability. The current HIPAA regulations apply the same annual cap to each of the four penalty tiers. With its notification of enforcement discretion, HHS modified this approach and will now apply a different annual cap to each tier, thus making the tiers more meaningful and softening the financial impact of HIPAA violations that fall into the lower tiers. The table below outlines the changes to the annual penalty caps:

HHS stated that it “will use this penalty tier structure, as adjusted for inflation, until further notice,” and that it “expects to engage in future rulemaking to revise the penalty tiers in the current regulation to better reflect the text of the HITECH Act.”

Covered entities and business associates should keep in mind that the annual caps apply separately to each distinct violation—i.e., violations of two or more requirements or prohibitions are each subject to the annual cap. Nonetheless, the reduction in the annual cap lowers the overall potential liability for violations that fall in the lower-culpability tiers and better ties the potential penalties to culpability. From a practical perspective, covered entities and business associates that make good-faith efforts at compliance—e.g., conduct compliant security risk analyses, maintain current policies and procedures, have compliant business associate agreements, conduct annual training, etc.—should now expect that HHS will more equitably limit the penalties it imposes, a recognition of good-faith compliance efforts.

Business Associate Liability for Patient-Directed Disclosure to Designated App

On April 18, 2019, HHS issued a new FAQ that addresses HIPAA liability related to transmission of PHI between covered entities, their electronic health record (EHR) system developers, and patient-designated apps. Specifically, HHS clarifies that when an individual directs a covered entity to send ePHI to a designated app, the covered entity’s EHR system developer bears HIPAA liability after completing the transmission of ePHI to the app on behalf of the covered entity only where a business associate relationship exists with respect to the app. For example, “if the EHR system developer does not own the app . . . the EHR system developer would not be liable under the HIPAA Rules for any subsequent use or disclosure of the requested ePHI received by the app.” In contrast, if part of the EHR system developer’s business associate services include providing the app “to, through, or on behalf of, the covered entity (directly or through another business associate), then the EHR system developer could potentially face HIPAA liability (as a business associate . . . ) for any impermissible uses and disclosures of the health information received by the app.”

This FAQ acknowledges the reality of the proliferation of apps that patients may choose to receive and use their PHI, as well as the limited control covered entities and their EHR system developer business associates have following the patient-directed disclosure.

For more information, please contact Madison M. Pool.