HIPAA Civil Monetary Penalty Adjustments for 2023
On October 6, 2023, the U.S. Department of Health and Human Services (HHS) published its long-expected annual inflation adjustments in the Federal Register. The inflation adjustments are effective as of October 6, 2023, and will be applied to all penalties assessed by the Office for Civil Rights (OCR) on or after this date, if the HIPAA violations occurred on or after November 2, 2015.
Annual increases in inflation are authorized by the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015, which amended the Federal Civil Penalties Inflation Adjustment Act of 1990. Each year, civil monetary penalties (CMPs) are increased in line with inflation to ensure they remain an effective deterrent against non-compliance. The Office of Management and Budget (OMB) published a cost-of-living multiplier of 1.07745 for 2023 in December 2022 and required all federal agencies to update their CMPs using the multiplier by January 15, 2023. The HHS is often slow to apply the adjustments. OMB is expected to publish its 2024 multiplier in a little over two months, but no later than January 15, 2024.
The new OCR penalties for HIPAA violations are now as follows:
| Description | 2022 Maximum adjusted penalty | 2023 Maximum adjusted penalty |
| Penalty for each pre-February 18, 2009, violation of the HIPAA administrative simplification provisions. | $174 | $187 |
Penalties for HIPAA Violations on or After February 18, 2009
| Description | 2022 Penalty Amount | 2023 Penalty Amount |
| Minimum HIPAA penalty – Tier 1: No knowledge | $127 | $137 |
| Maximum HIPAA penalty – Tier 1: No knowledge | $63,973 | $68,928 |
| Tier 1: Calendar year penalty cap | $1,919,173 | $2,067,813 |
| Minimum HIPAA penalty – Tier 2: Reasonable cause | $1,280 | $1,379 |
| Maximum HIPAA penalty – Tier 2: Reasonable cause | $63,973 | $68,928 |
| Tier 2: Calendar year penalty cap | $1,919,173 | $2,067,813 |
| Minimum HIPAA penalty – Tier 3: Willful neglect, corrected within 30 days | $12,794 | $13,785 |
| Maximum HIPAA penalty – Tier 3: Willful neglect, corrected within 30 days | $63,973 | $68,928 |
| Tier 3: Calendar year penalty cap | $1,919,173 | $2,067,813 |
| Minimum HIPAA penalty – Tier 4: Willful neglect, not corrected within 30 days | $63,973 | $68,928 |
| Maximum HIPAA penalty – Tier 4: Willful neglect, not corrected within 30 days | $1,919,173 | $2,067,813 |
| Tier 4: Calendar year penalty cap | $1,919,173 | $2,067,813 |
While these are the official penalty amounts, OCR issued a Notice of Enforcement Discretion in April 2019 following a reassessment of the language of the HITECH Act. OCR determined that the language of the HITECH Act had been misinterpreted and reduced the maximum penalties in three of the four penalty tiers (1-3) as well as the annual penalty caps in tiers 1-3. The Notice of Enforcement Discretion remains in effect, so the minimum and maximum penalties that OCR is applying, per its Notice of Enforcement Discretion, are as follows:
| Penalty Tier | Culpability | Minimum Penalty per Violation | Maximum Penalty per Violation | Annual Penalty Cap |
| Tier 1 | Lack of knowledge | $137 | $34,464 | $34,464 |
| Tier 2 | Reasonable cause | $1,379 | $68,928 | $137,886 |
| Tier 3 | Willful neglect (corrected within 30 days) | $13,785 | $68,928 | $344,369 |
| Tier 4 | Willful neglect (not corrected within 30 days) | $68,928 | $68,928 | $2,067,813 |


