Lower Maximum Penalties for HIPAA Violations Takes Immediate Effect

May 8, 2019 | Client Alerts
CLICK HERE TO DOWNLOAD A PDF VERSION

Health care providers may be able to sleep a little easier as the Department of Health and Human Services (HHS) recently announced that it has lowered the maximum civil monetary penalties that can be assessed for certain HIPAA violations.

In 2013, HHS adopted a penalty tier structure which varied based on a health care provider's culpability and mitigation efforts in connection with a HIPAA breach. To address some internal inconsistencies identified in the rulemaking process, HHS adopted a $1.5 million maximum for every penalty tier.

Citing the move as "a matter of enforcement discretion," HHS announced on April 29, 2019, that the $1.5 million maximum for all penalty tiers would be significantly reduced for three of the four penalty tiers. The chart set forth below describes each tier, the previous maximum penalty, and the new maximum penalty. HHS indicated that the new annual limit would be adjusted annually for inflation.
Because the risk of a HIPAA breach is largely a question of "when" and not "if," the prior annual limits for the lower tiers were particularly draconian and inequitable. With a significantly lower annual limit for these lower tier breaches, providers will have greater incentive to take appropriate measures to implement risk management and institute self-imposed corrective action.The announcement comes in the wake of unprecedented HIPAA fines. In 2018, the Office of Civil Rights (which oversees HIPAA enforcement) set a new record by levying a total of $28.7 million in judgments, fines, and settlements. Among those settlements included the largest settlement in history - $16 million with Anthem, Inc. for the 2014-2015 cyber attacks which affected almost 79 million individuals.The new penalty tier structure took effect on April 30, 2019, and will remain in effect indefinitely. HHS also indicated that it intends to engage in future formal rulemaking to revise the penalty tiers, but did not indicate whether such rulemaking activity would be undertaken to formalize the newly-announced structure or to make more significant changes.
Related Team
headshot of team member Scott V. Carroll
Scott V. Carroll
Partner | Team Co-Leader - Health Care
headshot of team member Elise M. Edwards
Elise M. Edwards
Counsel
headshot of team member Brigid M. Maloney
Brigid M. Maloney
Partner | Team Co-Leader - Health Care
headshot of team member Lauren A. Suttell
Lauren A. Suttell
Partner | Team Leader - Not-For-Profit
Related Content
Words Press Release
Press Releases
Scott V. Carroll and Jameson E. Tibbs Present at the Home Care Association of New York State Corporate Compliance Symposium
November 9, 2023
black arrow pointing right
Words Press Release
Press Releases
Scott V. Carroll and Anoush Koroghlian-Scott Present at the 2023 North East Regional Urgent Care Association Conference
November 9, 2023
black arrow pointing right
Words Client Alert
Client Alerts
DEA Extends Prescriber Telemedicine Flexibilities for Additional Six Months
May 10, 2023
black arrow pointing right
Client Alerts
New Disclosure and Notice Requirements for New York Physician Practice Transactions
May 4, 2023
black arrow pointing right

Lippes Mathias LLP Logo Lippes Mathias LLP Alternate Logo
Lippes Mathias LLP White Logo


© 2024 Lippes Mathias LLP
Attorney Advertising. Prior results do not guarantee a future or similar outcome.
This website uses cookies to enhance user experience and to analyze traffic. To learn more about cookies and how we use them, please review our Privacy Policy. To continue use of this website, you must provide your consent to its use of cookies by clicking the "Accept" button.