HHS Increases HIPAA Penalties for 2021 per the Inflation Adjustment Act

Under the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015*, the Office of the Assistant Secretary for Financial Resources of the Department of Health and Human Services (HHS) has issued a final rule that implements adjustments to the maximum civil monetary penalties for HIPAA violations for 2021.

According to the Department of Health and Human Services, the 2021 annual inflation adjustment “is determined using the percent increase in the Consumer Price Index for all Urban Consumers (CPI–U) for the month of October of the year in which the amount of each CMP was most recently established or modified.” The cost-of-living adjustment multiplier for 2021 is 1.01182.

Previous cost-of-living multipliers are indicated below:

  • 2017 – 1.01636
  • 2018 – 1.02041
  • 2019 – 1.02522
  • 2020 – 1.01764

The final rule took effect on Monday, November 15, 2021, and applies to penalties assessed on or after November 15, 2021, if the violation occurred on or after November 2, 2015. These penalties will apply until the next inflation increase is applied. The annual increases are due to be applied once a year no later than January 15; however, they have not been applied at regular intervals in previous years and the deadline has often been missed. The updates that should have been made by January 2021 have only just been published in the Federal Register, so the next update is due by January 15, 2022.

The purpose of these regular inflationary adjustments is to ensure that the deterrent effect of these federal civil monetary penalties is maintained over time.

HIPAA Violation Penalty Amounts from November 15, 2021

Penalty Tier Culpability Minimum Penalty per Violation Max Penalty per Violation Maximum Penalty Per Year (Capped)
Tier 1 Lack of Knowledge $119 » $120 $59,522 » $60,226 $1,785,651 » $1,806,757
Tier 2 Reasonable Cause $1,191 » $1,205 $59,522 » $60,226 $1,785,651 » $1,806,757
Tier 3 Willful Neglect $11,904 » $12,045 $59,522 » $60,226 $1,785,651 » $1,806,757
Tier 4 Willful Neglect (not corrected within 30 days) $59,522 » $60,226 $1,785,651 » $1,806,757 $1,785,651 » $1,806,757

The civil monetary penalty for each pre-February 18, 2009 violation of the HIPAA administrative simplification provisions has decreased from $162 per violation to $64, and the calendar year cap has increased from $40,640 to $41,120.

The above table reflects the penalties for HIPAA violations as mandated by the HITECH Act of 2009; however, in April of 2019, The HHS’ Office for Civil Rights (OCR) completed a review of the language of the HITECH Act and determined that the original interpretation was incorrect. As you can see in the above table, the HHS interpretation called for a cap on the maximum annual penalty ($1.5 million with annual increases for inflation) which was applied at the same level across all penalty tiers.

OCR’s 2019 Notice of Enforcement Discretion for HIPAA Violations

OCR determined that interpretation to be incorrect and issued a Notice of Enforcement Discretion which was published in the federal register on April 30, 2019. The new interpretation saw the maximum annual penalty set at a different level for each penalty tier to reflect the severity of the violation.

It should be noted that while the Notice of Enforcement Discretion remains in effect, the HHS continues to use the maximum penalties based on the original interpretation of the HITECH Act in its annual inflation adjustments, and will continue to do so until further rulemaking finalizes the new penalty structure.

The Notice of Enforcement Discretion is effectively indefinitely, although a further Notice of Enforcement Discretion could be issued at any point to change the penalties back to the original structure until further rulemaking is forthcoming. Based on the current Notice of Enforcement Discretion, the minimum and maximum penalties for HIPAA violations in 2021 are detailed in the table below.

HIPAA Violation Penalty Amounts Under OCR’s 2019 Notice of Enforcement Discretion

 

Penalty Tier

Culpability Minimum Penalty per Violation – Inflation

Adjusted

Max Penalty per Violation – Inflation Adjusted Maximum Penalty Per Year (cap) – Inflation Adjusted
Tier 1 Lack of Knowledge $120 $30,113 $30,113
Tier 2 Reasonable Cause $1,205 $60,226 $120,452
Tier 3 Willful Neglect $12,045 $60,226 $301,130
Tier 4 Willful Neglect (not corrected within 30 days) $60,226 $1,806,757 $1,806,757

 *The Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015 amended the Federal Civil Penalties Inflation Adjustment Act of 1990, with the interim final rule published in the Federal Register on September 6, 2016, and were published on February 3, 2017 (82 FR 9175), October 11, 2018 (83 FR 51369), November 5, 2019 (84 FR 59549), January 17, 2020 (85 FR 2869), and November 15, 2021 (86 FR 62928).

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.