HHS Reduces Maximum Penalty Amounts for Certain HIPAA Violations

The Department of Health and Human Services (“HHS”) has lowered the maximum civil monetary penalty amounts for most violations of the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy and Security Rules.

Background. In 2009, Congress enacted the Health Information Technology for Economic and Clinical Health (“HITECH”) Act that, among other things, enhanced HIPAA enforcement by increasing the minimum and maximum penalties for HIPAA violations. Regulations implementing HITECH established four tiers of penalties, which take into account whether the organization in question was aware of the violation and had previously taken steps to abide by HIPAA’s rules. The tiers escalate in severity and are as follows:

• Tier 1 – No knowledge. The person did not know that the person violated the provision;
• Tier 2 – Reasonable Cause. The violation was due to reasonable cause, and not willful neglect;
• Tier 3 – Willful Neglect – Corrected. The violation was due to willful neglect and timely corrected (i.e., within 30 days); and
• Tier 4 – Willful Neglect – Not Corrected. The violation was due to willful neglect and not timely corrected.

In 2013, HHS established a rule that applied the same $1.5 million maximum cumulative annual limit across all four tiers of penalties:

Revised Maximum Penalty Amounts. Under HHS’s new penalty system, the annual maximum civil penalty amounts for the first three tiers will be significantly lower. Specifically, HHS will apply the following limits for the four tiers of penalties.

While HHS will issue new regulations to incorporate the lower penalty amounts, it will immediately begin to apply the new maximum penalty amounts as a matter of its enforcement discretion. The penalties for other HIPAA violations remain unchanged.

The HHS notice announcing its decision to lower the maximum annual penalties for HIPAA violations can be found by clicking here.