Civil Monetary Penalties for HIPAA Violations Increased by HHS in Line with Inflation

In accordance with the Inflation Adjustment Act, the U.S. Department of Health and Human Services has increased the civil monetary penalties for violations of HIPAA.

The final rule became enforceable on Tuesday, November 5, 2019. The rule increases the civil monetary penalties for HIPAA violations that took place on or after February 18, 2009. The increases from 2018 to 2019 under the new penalty tiers are detailed in the table below:

| Penalty Tier | Level of Culpability | Minimum Penalty per Violation (2018 » 2019) | Maximum Penalty per Violation (2018 » 2019) | New Maximum Annual Penalty (2018 » 2019)* |
|---|---|---|---|---|
| 1 | No Knowledge | $114.29 » $117 | $57,051 » $58,490 | $1,711,533 » $1,754,698 |
| 2 | Reasonable Cause | $1,141 » $1,170 | $57,051 » $58,490 | $1,711,533 » $1,754,698 |
| 3 | Willful Neglect – Corrective Action Taken | $11,410 » $11,698 | $57,051 » $58,490 | $1,711,533 » $1,754,698 |
| 4 | Willful Neglect – No Corrective Action Taken | $57,051 » $58,490 | $1,711,533 » $1,754,698 | $1,711,533 » $1,754,698 |

Penalties for HIPAA breaches that took place before February 18, 2009, have increased to $159 per breach, with a yearly cap of $39,936 per violation category.

Earlier in 2020, the HHS’ Office for Civil Rights announced that it had reduced the penalties for HIPAA violations in certain tiers after a review of the wording of the HITECH Act. The highest possible penalty for a HIPAA violation in the highest tier stayed at $1.711 million per violation category, per year. Before the review, the highest possible HIPAA violation penalty was $1.711 million in all four penalty tiers.

*The notice of enforcement discretion, announced on April 30, 2019, capped the maximum yearly penalties at $10,000 (Tier 1), $100,000 (Tier 2), $250,000 (Tier 3), and $1,711,533 (Tier 4). The notice also stated that the revised penalty tiers would be adjusted in line with inflation. The multiplier used by OCR to estimate the cost-of-living increases was based on the Consumer Price Index for all Urban Consumers (CPI–U) for October 2019, which was 1.02522. That would make the new highest possible penalties under the notice of enforcement discretion $25,630.5 (Tier 1), $102,522 (Tier 2), $256,305 (Tier 3), and $1,754,698 (Tier 4).

While OCR’s notice of enforcement discretion says that OCR will be implementing the new, revised penalties, this has yet to be made official and is pending additional rulemaking. The notice of enforcement discretion establishes no legal obligations and no legal rights, so OCR could legally apply the above highest possible amount of $1,754,698 per violation category, per year, across all penalty tiers.

Complete details of the new penalty ranges have been published in the Federal Register for all agencies, including the FDA, ACF, HRSA, AHRQ, OIG, CMS, and OCR and can be seen here (PDF).
