Wednesday, May 8, 2019

Lower Maximum Penalties for HIPAA Violations Take Immediate Effect

Health care providers may be able to sleep a little easier as the Department of Health and Human Services (HHS) recently announced that it has lowered the maximum civil monetary penalties that can be assessed for certain HIPAA violations.

In 2013, HHS adopted a penalty tier structure which varied based on a health care provider's culpability and mitigation efforts in connection with a HIPAA breach. To address some internal inconsistencies identified in the rulemaking process, HHS adopted a $1.5 million maximum for every penalty tier.

Citing the move as "a matter of enforcement discretion," HHS announced on April 29, 2019, that the $1.5 million maximum for all penalty tiers would be significantly reduced for three of the four penalty tiers. The chart set forth below describes each tier, the previous maximum penalty, and the new maximum penalty. HHS indicated that the new annual limit would be adjusted annually for inflation.

Tier                           Minimum Penalty per Violation   Maximum Penalty   Prior Annual Limit   New Annual Limit
No Knowledge                   $100                            $50,000           $1,500,000           $25,000
Reasonable Cause               $1,000                          $50,000           $1,500,000           $100,000
Willful Neglect-Corrected      $10,000                         $50,000           $1,500,000           $250,000
Willful Neglect-Not Corrected  $50,000                         $50,000           $1,500,000           $1,500,000

Because the risk of a HIPAA breach is largely a question of "when" and not "if," the prior annual limits for the lower tiers were particularly draconian and inequitable. With a significantly lower annual limit for these lower tier breaches, providers will have greater incentive to take appropriate measures to implement risk management and institute self-imposed corrective action.

The announcement comes in the wake of unprecedented HIPAA fines. In 2018, the Office for Civil Rights (which oversees HIPAA enforcement) set a new record by levying a total of $28.7 million in judgments, fines, and settlements. Among those settlements was the largest in history: $16 million with Anthem, Inc. for the 2014-2015 cyber attacks, which affected almost 79 million individuals.

The new penalty tier structure took effect on April 30, 2019, and will remain in effect indefinitely. HHS also indicated that it intends to engage in future formal rulemaking to revise the penalty tiers, but did not indicate whether such rulemaking activity would be undertaken to formalize the newly-announced structure or to make more significant changes.

Disclaimer: The information in this post is provided for general informational purposes only, and may not reflect the current law in your jurisdiction. No information contained in this post should be construed as legal advice from our firm or the individual author, nor is it intended to be a substitute for legal counsel on any subject matter. No reader of this post should act or refrain from acting on the basis of any information included in, or accessible through, this post without seeking the appropriate legal or other professional advice on the particular facts and circumstances at issue from a lawyer licensed in the recipient’s state, country or other appropriate licensing jurisdiction.