Share this article on:
The U.S Department of Health and Human Services has increased the civil monetary penalties for HIPAA violations in accordance with the Inflation Adjustment Act.
The final rule took effect on Tuesday November 5, 2019. This rule increases the civil monetary penalties for HIPAA violations that occurred on or after February 18, 2009. Under the new penalty structure, the increases from 2018 to 2019 are detailed in the table below:
|Penalty Tier||Level of Culpability||Minimum Penalty per Violation
(2018 » 2019)
|Maximum Penalty per Violation
(2018 » 2019)
|New Maximum Annual Penalty
(2018 » 2019)*
|1||No Knowledge||$114.29 » $117||$57,051 » $58,490||$1,711,533 » $1,754,698|
|2||Reasonable Cause||$1,141 » $1,170||$57,051 » $58,490||$1,711,533 » $1,754,698|
|3||Willful Neglect – Corrective Action Taken||$11,410 » $11,698||$57,051 » $58,490||$1,711,533 » $1,754,698|
|4||Willful Neglect – No Corrective Action Taken||$57,051 » $58,490||$1,711,533 » $1,754,698||$1,711,533 » $1,754,698|
Penalties for HIPAA violations that occurred prior to February 18, 2009 have increased to $159 per violation, with an annual cap of $39,936 per violation category.
Earlier this year, the HHS’ Office for Civil Rights announced that it had reduced the penalties for HIPAA violations in certain tiers after a review of the wording of the HITECH Act. The maximum penalty for a HIPAA violation in the highest tier remained at $1.711 million, per violation category per year. Prior to the review, the maximum HIPAA violation penalty was $1.711 million in all four penalty tiers.
*The notice of enforcement discretion, announced on April 30, 2019, capped the maximum annual penalties at $10,000 (Tier 1), $100,000 (Tier 2), $250,000 (Tier 3), and $1,711,533 (Tier 4). The notice of enforcement discretion stated that the reviewed penalty tiers would also be adjusted in line with inflation. The multiplier used by OCR to calculate the cost-of-living increases was based on the Consumer Price Index for all Urban Consumers (CPI–U) for October 2019, which was 1.02522. That would make the new maximum penalties under the notice of enforcement discretion $25,630.5 (Tier 1), $102,522 (Tier 2), $256,305 (Tier 3), and $1,754,698 (Tier 4).
While OCR’s notice of enforcement discretion states that OCR will be adopting the new, revised penalties, this has yet to be made official and is pending further rulemaking. The notification of enforcement discretion creates no legal obligations and no legal rights, so OCR could therefore legally use the above maximum penalty amount of $1,754,698 per violation category, per year across all penalty tiers.
Full details of the new penalty structures have been published in the Federal Register for all agencies, including the FDA, ACF, HRSA, AHRQ, OIG, CMS, and OCR and can be viewed here (PDF).