Lower Maximum Penalties for HIPAA Violations Take Immediate Effect

May 8, 2019 | Client Alerts

Health care providers may be able to sleep a little easier as the Department of Health and Human Services (HHS) recently announced that it has lowered the maximum civil monetary penalties that can be assessed for certain HIPAA violations.

In 2013, HHS adopted a penalty tier structure which varied based on a health care provider's culpability and mitigation efforts in connection with a HIPAA breach. To address some internal inconsistencies identified in the rulemaking process, HHS adopted a $1.5 million maximum for every penalty tier.

Citing the move as "a matter of enforcement discretion," HHS announced on April 29, 2019, that the $1.5 million maximum for all penalty tiers would be significantly reduced for three of the four penalty tiers. The chart set forth below describes each tier, the previous maximum penalty, and the new maximum penalty. HHS indicated that the new annual limit would be adjusted annually for inflation.

Because the risk of a HIPAA breach is largely a question of "when" and not "if," the prior annual limits for the lower tiers were particularly draconian and inequitable. With a significantly lower annual limit for these lower tier breaches, providers will have greater incentive to take appropriate measures to implement risk management and institute self-imposed corrective action.

The announcement comes in the wake of unprecedented HIPAA fines. In 2018, the Office of Civil Rights (which oversees HIPAA enforcement) set a new record by levying a total of $28.7 million in judgments, fines, and settlements. Those settlements included the largest settlement in history: $16 million with Anthem, Inc. for the 2014-2015 cyber attacks, which affected almost 79 million individuals.

The new penalty tier structure took effect on April 30, 2019, and will remain in effect indefinitely. HHS also indicated that it intends to engage in future formal rulemaking to revise the penalty tiers, but did not indicate whether such rulemaking activity would be undertaken to formalize the newly-announced structure or to make more significant changes.