HHS Increases HIPAA Penalties for 2020 to Account for Inflation

The Department of Health and Human Services has adopted new minimum and maximum penalties for HIPAA violations for 2020 to account for changes to the cost of living.

The HHS’ Office of the Assistant Secretary for Financial Resources has now implemented a final rule on the new federal civil monetary penalties under the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015. The changes to penalty amounts are intended to maintain the deterrent effect of federal civil monetary penalties.

The adjustments to the penalties are calculated based on the Consumer Price Index for all Urban Consumers (CPI–U) from the previous month, which is applied as a multiplier to the existing minimum and maximum civil monetary penalty amounts. The cost-of-living multiplier for 2020 is 1.01764. Previous cost-of-living multipliers were 1.01636 (2017), 1.02041 (2018), and 1.02522 (2019).

The final rule took effect on Sunday, January 17, 2020, and applies to penalties assessed on or after January 17, 2020, if the violation occurred on or after November 2, 2015. These penalties will apply until the next inflation increase.

HIPAA Violation Penalty Amounts from January 17, 2021

| Penalty Tier | Culpability | Minimum Penalty per Violation | Max Penalty per Violation | Maximum Penalty Per Year (Capped) |
|---|---|---|---|---|
| Tier 1 | Lack of Knowledge | $117 » $119 | $58,490 » $59,522 | $1,754,698 » $1,785,651 |
| Tier 2 | Reasonable Cause | $1,170 » $1,191 | $58,490 » $59,522 | $1,754,698 » $1,785,651 |
| Tier 3 | Willful Neglect | $11,698 » $11,904 | $58,490 » $59,522 | $1,754,698 » $1,785,651 |
| Tier 4 | Willful Neglect (not corrected within 30 days) | $58,490 » $59,522 | $1,754,698 » $1,785,651 | $1,754,698 » $1,785,651 |

The civil monetary penalty for each pre-February 18, 2009 violation of the HIPAA administrative simplification provisions has increased from $150 per violation to $162, and the calendar year cap has increased from $39,936 to $40,640.

OCR’s 2019 Notice of Enforcement Discretion for HIPAA Violations

The figures indicated in the table above have been published in the Federal Register, but the HHS’ Office for Civil Rights (OCR) is not currently applying penalties at those levels. The above penalty amounts are based on the original HHS interpretation of the HIPAA violation penalties mandated by the HITECH Act of 2009.

When applying the HITECH Act penalties, the HHS initially interpreted the language of the Act as calling for the maximum penalty for HIPAA violations to be applied at the same level for all penalty tiers, which at the time was $1.5 million per calendar year (subsequently adjusted annually for inflation). In 2019, the HHS reviewed the language of the HITECH Act and reinterpreted the requirements as calling for a different maximum annual penalty for each of the 4 penalty tiers.

On April 30, 2019, OCR published a Notice of Enforcement Discretion in the Federal Register regarding HIPAA civil monetary penalties that set a different penalty cap for each violation tier to reflect the severity of the violation.

The Notice of Enforcement Discretion is effective indefinitely, although until the HHS engages in further rulemaking, the inflation adjustments are applied to the penalty amounts of the original interpretation, with OCR exercising enforcement discretion and applying fines based on the new interpretation of the language of the HITECH Act.

As such, the penalty structure adopted by OCR is detailed in the table below:

2020 HIPAA Violation Penalty Amounts Under OCR’s 2019 Notice of Enforcement Discretion

Per the Notice of Enforcement Discretion, the inflation adjusted penalty amounts are now:

 

| Penalty Tier | Culpability | Minimum Penalty per Violation – Inflation Adjusted | Max Penalty per Violation – Inflation Adjusted | Annual Limit |
|---|---|---|---|---|
| Tier 1 | Lack of Knowledge | $119 | $59,522 | $29,761 |
| Tier 2 | Reasonable Cause | $1,191 | $59,522 | $119,044 |
| Tier 3 | Willful Neglect | $11,904 | $59,522 | $297,610 |
| Tier 4 | Willful Neglect (not corrected within 30 days) | $59,522 | $1,785,651 | $1,785,651 |

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.