HHS increases civil monetary penalties for HIPAA violations

December 3, 2019
Medicare Web

The U.S. Department of Health and Human Services (HHS) increased civil monetary penalties for HIPAA administrative simplification violations on November 5 in accordance with the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015.  

HHS finalized the Annual Civil Monetary Penalties Inflation Adjustment, which increases the civil monetary penalty for HIPAA violations occurring before February 18, 2009, to $159 per violation, with a $39,936 cap per calendar year. The rule also updates the civil monetary penalty for HIPAA violations occurring on or after February 18, 2009, to reflect required annual inflation-related increases to civil monetary penalties.

HHS sets annual limits (i.e., minimum and maximum penalty amounts) for civil monetary fines based on the organization's level of culpability associated with the HIPAA violation. Per the new penalty regulations:

  • If it is established that the covered entity or business associate did not know and could not reasonably have known of the violation, the penalty per violation is at least $117 and at most $58,490.
  • If it is established that the violation was due to reasonable cause and not willful neglect, the penalty per violation is at least $1,170 and at most $58,490. 
  • If it is established that the violation was due to willful neglect but was corrected during the 30-day period running from the date the entity knew or should have known the violation had occurred, the penalty per violation is at least $11,698 and at most $58,490. 
  • If it is established that the violation was due to willful neglect and not corrected during the 30-day time period, the penalty per violation is at least $58,490 and at most $1,754,698.

Additional details on the new penalty structures are available in the Federal Register.
