HHS Issues Annual Adjusted Civil Penalties for HIPAA Violations

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued final regulations adjusting civil penalties for annual inflation, including penalties for violations of the Health Insurance Portability and Accountability Act (HIPAA). These violations include those under HIPAA’s Privacy and Security Rules, and the penalties are based on a four-tier structure that increases according to the level of culpability for the violation. The updated penalties went into effect November 5, 2019, and are listed in the table below:

| Tier | Culpability | Minimum Penalty/Violation | Maximum Penalty/Violation | Annual Limit |
|---|---|---|---|---|
| Tier 1 | No Knowledge; no reasonable belief to know | $117 | $58,490 | $1,754,698 |
| Tier 2 | Reasonable Cause | $1,170 | $58,490 | $1,754,698 |
| Tier 3 | Willful Neglect; but timely corrected | $11,698 | $58,490 | $1,754,698 |
| Tier 4 | Willful Neglect; not timely corrected | $58,490 | $1,754,698 | $1,754,698 |

Please Note: In April 2019, OCR issued a Notice of Enforcement Discretion that significantly changed these HIPAA violation penalties. For example, the Annual Limit increased from $25,000 for Tier 1 to $1,500,000 for Tier 4 (check out our previous blog for a recap). HHS stated it would engage in further rulemaking to lower these amounts but has yet to do so. Until then, the inflation-adjusted penalties above are based on an annual increase from the 2018 penalty structure in place prior to the Notice.

 

The information and content contained in this blog post are for general informational purposes only, and do not, and are not intended to, constitute legal advice.
