HHS slashes maximum fines for less-severe HIPAA violations

Category: Department of Health and Human Services, HHS, HIPAA, HITECH

The Department of Health and Human Services Office of Civil Rights, which has the enforcement responsibility for HIPAA violations, has announced a cut to the maximum Civil Monetary Penalty (CMP) for most HIPAA violations.

As stated in the official notice from the OCR, released April 26, “Current HHS regulations apply the same cumulative annual (civil monetary penalty) limit across four categories of violations. As a matter of enforcement discretion and pending further rulemaking, HHS will apply a different cumulative annual CMP limit for each of the four penalties tiers in the [Health Information Technology for Economic and Clinical Health (HITECH)] Act.”

Prior to the cut, the maximum annual CMP for violations of a single HIPAA provision within the same calendar year was $1.5 million across the board for all violation tiers. Because the annual cap applies per provision violated in a calendar year, an organization that violates multiple provisions (for example, by also lacking a business associate agreement) faces a combined cap of at least double that amount. In addition, the penalties are subject to adjustment for inflation: the Civil Penalties Inflation Adjustment Act of 2015 requires HHS to adjust penalties for inflation by January 15 of each year. The last adjustment was implemented by HHS Final Rule in October 2018, and the current inflation-adjusted figure for the $1.5 million cap is $1.71 million.

Now, the maximum fine for violations falling under the least-severe category has been cut to $25,000. The second-tier maximum penalty dropped to $100,000 annually, and the third tier to $250,000. The maximum remains at $1.5 million for top-tier, most serious violations. The inflation adjustment continues to apply, and each cap still applies per HIPAA provision violated rather than to all violations combined.

The new limits were designed to fit an organization’s “level of culpability,” as described in the notice. Thus, organizations that have taken steps to comply with Health Insurance Portability and Accountability Act (HIPAA) regulations will face lower penalties than negligent organizations.

As stated in the notice, the HITECH Act created these four tiers of culpability. The recent cut to the maximum penalties comes as “a better reading of the law,” said Roger Severino, director of the Health and Human Services Office for Civil Rights (OCR), in this article from Bloomberg Law.

The reductions, however, remain subject to the prior and future adjustments for inflation.

The OCR’s announcement raises the question of whether the change in the penalty structure reflects the current objective of reducing regulatory burdens on health care providers, or whether it signals a trend toward assessing penalties in situations that historically were handled with technical assistance or corrective action plans, or toward stacking violations to increase the total Civil Monetary Penalty.

The tiers of culpability are described in the HITECH Act as follows:

  • Tier A (no knowledge of the violation),
  • Tier B (reasonable cause),
  • Tier C (willful neglect that is corrected),
  • Tier D (willful neglect that is left uncorrected).

The cuts follow a year of record-breaking HIPAA enforcement activity in terms of overall dollar value; OCR also set a new record in 2018 with its $16 million fine against Anthem for a data breach that ran from December 2014 through January 2015.

Go here to read the full notice from HHS.
