The U.S. Department of Health and Human Services (HHS) published a final rule increasing the civil monetary penalties for violations of the HIPAA Privacy and Security Rules, on October 6, 2023. HHS is required to adjust these penalties for inflation yearly to improve their effectiveness and maintain their deterrent effect. The new penalty amounts apply to penalties assessed on or after October 6, 2023.
Since HIPAA’s penalties are substantial, employers with group health plans should periodically review their compliance with the Privacy and Security Rules.
Potential penalties for HIPAA violations depend on the type of violation involved. Penalties are broken down into “tiers” that reflect increasing levels of culpability. Each tier carries a minimum and maximum penalty with an annual cap, all of which have increased as follows:
- Tier One: For violations where the covered entity or business associate did not know about the violation (and by exercising reasonable diligence, would not have known about the violation), the penalty amount is between $137 and $68,928 for each violation, with an annual cap of $2,067,813.
- Tier Two: If the violation is due to reasonable cause, the penalty amount is between $1,379 and $68,928 for each violation, with an annual cap of $2,067,813.
- Tier Three: For corrected violations that are caused by willful neglect, the penalty amount is between $13,785 and $68,928 for each violation, with an annual cap of $2,067,813.
- Tier Four: For violations caused by willful neglect that are not corrected, the penalty amount is $68,928 for each violation, with an annual cap of $2,067,813.
Common HIPAA Vilations
According to HHS, the compliance problems most frequently reported under HIPAA are:
- Impermissible uses or disclosures of protected health information (PHI)
- Lack of patient access to their PHI
- Lack of administrative safeguards for electronic PHI
- Lack of safeguards on PHI
- Use or disclosure of more than the minimum necessary PHI
HHS’ Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy and Security Rules. OCR’s investigations are often triggered by individuals’ complaints to HHS regarding HIPAA violations and breach notification reports. When OCR determines that a HIPAA violation has occurred, it will often pursue a resolution agreement rather than imposing civil penalties. A resolution agreement typically requires a covered entity or business associate to take corrective action and pay a settlement amount, which is usually much less than the applicable penalty amount.
However, if the covered entity or business associate does not take action to resolve the matter in a way that is satisfactory, OCR may decide to impose civil penalties. If penalties are imposed, the covered entity or business associate may request a hearing in which an HHS administrative law judge decides if the penalties are supported by the evidence in the case.
Material posted on this website is for informational purposes only and does not constitute a legal opinion or medical advice. Contact your legal representative or medical professional for information specific to your legal or medical needs.