150.319—Determining the amount of the penalty—mitigating circumstances.
For every violation subject to a civil money penalty, if there are substantial or several mitigating circumstances, the aggregate amount of the penalty is set at an amount sufficiently below the maximum permitted by § 150.315 to reflect that fact. As guidelines for taking into account the factors listed in § 150.317, CMS considers the following:
(a) Record of prior compliance.
It should be considered a mitigating circumstance if the responsible entity has done any of the following:
(1) Before receipt of the notice issued under § 150.307, implemented and followed a compliance plan as described in § 150.311(f).
(b) Gravity of the violation(s).
It should be considered a mitigating circumstance if the responsible entity has done any of the following:
(1) Made adjustments to its business practices to come into compliance with HIPAA requirements so that the following occur:
(i) All employers, employees, individuals and non-Federal governmental entities are identified that are or were issued any policy, certificate of insurance or plan document, or any form used in connection therewith that failed to comply.
(ii) All employers, employees, individuals, and non-Federal governmental plans are identified that were denied coverage or were denied a right provided under HIPAA requirements.
(iii) Each employer, employee, individual, or non-Federal governmental plan adversely affected by the violation has been, for example, offered coverage or provided a certificate of creditable coverage in a manner that complies with HIPAA requirements that were violated so that, to the extent practicable, that employer, employee, individual, or non-Federal governmental entity is in the same position that he, she, or it would have been in had the violation not occurred.
(2) Discovered areas of noncompliance without notice from CMS and voluntarily reported that noncompliance, provided that the responsible entity submits the following:
(i) Documentation verifying that the rights and protections of all individuals adversely affected by the noncompliance have been restored; and
(4) Demonstrated that the financial and other impacts on affected individuals is negligible or nonexistent.
(5) Demonstrated that the noncompliance is correctable and that a high percentage of the violations were corrected.