HHS Announces Reduced Annual Limits on Civil Money Penalties for Most HIPAA Violations

Published On May 6, 2019 | By Michelle Anderson and Jason Wool | Privacy

The Department of Health and Human Services (“HHS”) recently issued a Notification of Enforcement Discretion Regarding HIPAA Civil Money Penalties (“CMPs”) in which it lowered the maximum annual fines that can be assessed against covered entities and business associates under the Health Insurance Portability and Accountability Act (“HIPAA”) for lower-level categories of violations. The annual limit for violations due to uncorrected willful neglect remains the same, at $1.5 million, while the limits for the other levels of violations were lowered, as shown in the table below.

Because most HIPAA enforcement actions are resolved through settlement, and CMPs are actually imposed in only a minority of cases, the practical impact of the lowered limits is unclear. That said, in light of the record-breaking year that HHS had in 2018, with HIPAA settlements totaling more than $28 million, this is good news for businesses subject to HIPAA. In the event a CMP is imposed, their exposure will be capped at the lower annual limits, provided that the violation does not involve uncorrected willful neglect. And even where no CMP is imposed, the announcement reinforces HHS's position that it will take culpability into account in its enforcement actions.

Culpability                        Minimum Penalty/Violation   Maximum Penalty/Violation   Annual Limit (all violations of an identical provision in a calendar year)
No Knowledge                       $100                        $50,000                     $25,000
Reasonable Cause                   $1,000                      $50,000                     $100,000
Willful Neglect – Corrected        $10,000                     $50,000                     $250,000
Willful Neglect – Not Corrected    $50,000                     $50,000                     $1,500,000

There are currently four categories for HIPAA violations, with increasing penalty tiers based on the level of culpability associated with the violation:

  1. the person did not know (and, by exercising reasonable diligence, would not have known) that the person violated the provision;
  2. the violation was due to reasonable cause, and not willful neglect;
  3. the violation was due to willful neglect that is timely corrected; and
  4. the violation was due to willful neglect that is not timely corrected.

HHS is planning to use this tier structure “until further notice,” but it does plan to engage in future rulemakings on this issue.

About The Authors

Michelle Anderson counsels clients on a range of privacy, security, and consumer protection matters. She works closely with clients to understand their goals and risk profiles to help develop strategies for compliance with domestic and international privacy and security laws and regulations.

Jason Wool’s practice focuses on cybersecurity, including cyber risk management, incident response, and compliance with global data protection laws, regulations, and standards, including the PCI-DSS. He has advised organizations ranging from small businesses to Fortune 500 companies during complex, privileged computer crime investigations; provided ongoing advice on the development of cybersecurity programs and cybersecurity governance structures; conducted tabletop exercises and other data breach simulations; and assisted clients with large scale audits to determine compliance with complex cybersecurity standards.