HHS makes significant reductions to the maximum penalties for HIPAA violations

May 1, 2019

The Department of Health and Human Services has made significant modifications to a 2013 civil monetary penalty (CMP) rule for violations of the Health Insurance Portability and Accountability Act (HIPAA), reducing the maximum fines healthcare providers would have to pay on nearly all infractions except the most severe. In 2009, Congress passed the HITECH Act, as part of the American Recovery and Reinvestment Act, to bolster HIPAA enforcement with higher minimum and maximum potential CMPs.

Upon further review of the statute by the HHS Office of the General Counsel, the agency said it had determined that a better reading of the HITECH Act of 2009, which categorizes culpability and penalties into four tiers, or types, is to apply annual limits on three of the tiers, all except willful neglect without correction. Prior to the current change, all four tiers shared the same maximum penalty.

Willful neglect without timely correction will continue to carry a maximum annual penalty of $1.5 million, while the maximum penalties for other, less serious breaches have been reduced significantly for an unspecified duration. HHS announced it will use the following penalty tier structure, as adjusted for inflation, until further notice: