The Department of Health and Human Services has announced that it is lowering the maximum amount it will assess for most types of HIPAA violations. Although the change is couched as an exercise of discretion, HHS states that it is basing the modifications on a change in its interpretation of the penalty provisions set forth in the Health Information Technology for Economic and Clinical Health (HITECH) Act.

As revised, the maximum annual penalty that HHS will assess for any type of HIPAA violation will vary with the entity’s culpability. Previously, this variation applied only to the minimum penalty for each particular violation.

Civil Monetary Penalties

| Nature of Offense | Prior Penalty Limits | New Penalty Limits |
| --- | --- | --- |
| Did not know and by exercising reasonable diligence would not have known of violation | $100 to $50,000 per violation; up to $1.5 million per type per year | $100 to $50,000 per violation; up to $25,000 per type per year |
| Violation due to reasonable cause | $1,000 to $50,000 per violation; up to $1.5 million per type per year | $1,000 to $50,000 per violation; up to $100,000 per type per year |
| Willful neglect but corrected problem | $10,000 to $50,000 per violation; up to $1.5 million per type per year | $10,000 to $50,000 per violation; up to $250,000 per type per year |
| Willful neglect but did not correct problem | $50,000 per violation; up to $1.5 million per type per year | $50,000 per violation; up to $1.5 million per type per year |

The practical effect of these modifications will depend on the extent to which HHS seeks to impose penalties on covered entities and business associates for offenses that did not result from willful neglect and that have not been appropriately corrected. The change in penalties does not alter the basic advice to health care providers and health plans: continue to maintain appropriate safeguards against violations of HIPAA’s privacy and security rules and take prompt action in the event of a breach.

Ballard Spahr attorneys established the Health Care Reform Dashboard as a one-stop resource under the Affordable Care Act. We have expanded the scope of the Dashboard to extend to certain other laws, but continue the mission of providing our readers with information about significant changes affecting health care and health benefits in the United States and to establish a repository for analysis and original source material of significant developments that have occurred over time. Change is ongoing, and we will continue to update the Dashboard to reflect new legislation, administrative guidance, and judicial decisions as they are published.