
HHS Updates Civil Monetary Penalty Amounts for HIPAA Violations

The Department of Health and Human Services (HHS) has applied the annual inflation update to its civil monetary penalty (CMP) amounts, per the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015.

In December each year, the Office of Management and Budget (OMB) sets the annual inflation multiplier for all government agencies, which is calculated from the Consumer Price Index for all Urban Consumers (CPI-U) for October 2023. OMB requires the adjustment to be applied to each HHS agency’s CMPs by January 15th of each year. The HHS is usually one of the last government departments to apply the updates to its CMP amounts, with the update often applied several months after the January deadline. The HHS has missed the OMB deadline every year since 2017, although it was only a few days late in 2020. Last year the update was not applied until October 6, 2024.

On August 8, 2024, the HHS published confirmation in the Federal Register that the inflation multiplier has been applied, which will see CMP amounts increased by the OMB’s multiplier of 1.03241 across all HHS agencies.

2024 HHS Office for Civil Rights Penalties for HIPAA Violations

The HHS’ Office for Civil Rights (OCR) will use the new CMP amounts for HIPAA violations that are assessed on or after August 8, 2024, if the violation occurred on or after November 2, 2015, as detailed in the table below.

| Penalty Tier | Culpability | Minimum Penalty per Violation (inflation-adjusted) | Maximum Penalty per Violation (inflation-adjusted) | Calendar Year Cap for Violations of an Identical Provision |
| --- | --- | --- | --- | --- |
| Tier 1 | Lack of Knowledge | $141 | $71,162 | $2,134,831 |
| Tier 2 | Reasonable Cause | $1,424 | $71,162 | $2,134,831 |
| Tier 3 | Willful Neglect (corrected within 30 days) | $14,232 | $71,162 | $2,134,831 |
| Tier 4 | Willful Neglect (not corrected within 30 days) | $71,162 | $2,134,831 | $2,134,831 |

Penalties for pre-February 18, 2009, violations of the HIPAA administrative simplification provisions will be applied at a rate of $193 per violation with a calendar year cap of $48,586 for violations of an identical provision.

OCR’s Notice of Enforcement Discretion Still in Effect

While the above figures have been published in the Federal Register and are the official penalty amounts that are applied for HIPAA violations, OCR issued a notice of enforcement discretion in 2019 following a review of the language of the HITECH Act of 2009.

The HITECH Act called for penalties for HIPAA violations to be increased, and at the time, the HHS’s interpretation of HITECH was that the calendar year caps should be the same for each of the penalty tiers – $1,500,000 (annually adjusted).

OCR reinterpreted those requirements and changed the calendar year penalty caps in three of the four penalty tiers (Tiers 1-3). These penalty amounts have yet to be published in the Federal Register and are not legally binding, but the Notice of Enforcement Discretion is still in effect and will remain in effect indefinitely.

One anomaly that results from changing the annual penalty cap in the Tier 1 category is that the annual cap is lower than the maximum penalty for a HIPAA violation; therefore, the maximum penalty per violation must be that of the annual penalty cap.

2024 HHS Office for Civil Rights Penalty Amounts Per OCR Enforcement Discretion

The penalty amounts in the table below have been calculated by The HIPAA Journal by applying OMB’s annual multiplier each year since OCR’s Notice of Enforcement Discretion in 2019, with the penalties rounded up to the nearest dollar.

| Penalty Tier | Culpability | Minimum Penalty per Violation (inflation-adjusted) | Maximum Penalty per Violation (inflation-adjusted) | Calendar Year Cap for Violations of an Identical Provision |
| --- | --- | --- | --- | --- |
| Tier 1 | Lack of Knowledge | $141 | $35,581 | $35,581 |
| Tier 2 | Reasonable Cause | $1,424 | $71,162 | $142,355 |
| Tier 3 | Willful Neglect (corrected within 30 days) | $14,232 | $71,162 | $355,808 |
| Tier 4 | Willful Neglect (not corrected within 30 days) | $71,162 | $2,134,831 | $2,134,831 |

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
