It’s worth revisiting how much noncompliance can cost because the civil money penalties (CMP) for HIPAA violations have just been adjusted upward for inflation by the U.S. Department of Health and Human Services (HHS).
HIPAA Penalties are on a Sliding Scale
It’s important to remember that penalties are on a four-tier sliding scale; the worse the violation, the higher the penalty.
Last week the minimum penalty per “unknowing” violation was $127; this week the minimum is $137. The next level up, for a violation due to reasonable cause but not willful neglect, is $1,379 per violation. The potential maximum per violation at both levels is a whopping $68,928, while the annual cap is $2,067,813. There are two additional levels for more serious violations; all four of them are outlined below.
The Federal Register Contains Formal Law
In 2019 under the prior penalty structure, HHS decided that the annual cap should not be the same for all four tiers. However, the penalty chart was not officially changed in the Federal Register. Instead, HHS issued a Notice of Enforcement Discretion (NED), indicating that the Office for Civil Rights (OCR) would apply a different penalty structure for the annual penalty caps.
This led to confusion because the NED suggested the law had changed, but it hadn’t. The 2019 HHS Notice of Enforcement Discretion is not formal law.
The chart below reflects current law in the Federal Register.
Table of Civil Money Penalties for HIPAA Violations Adjusted for Inflation, effective October 6, 2023

| Tiers 1 through 4 (Least to Most Serious) | Minimum Penalty per Violation | Maximum Penalty per Violation | CMP Limit for Identical Violations in a Calendar Year |
|---|---|---|---|
| Tier 1. Unknowing Violation (lack of knowledge) | $137 | $68,928 | $2,067,813 |
| Tier 2. Violation Due to Reasonable Cause (reasonable cause and not willful neglect) | $1,379 | $68,928 | $2,067,813 |
| Tier 3. Violation Due to Willful Neglect and Corrected within 30 Days (willful neglect, but corrected promptly) | | | |
| Tier 4. Violation Due to Willful Neglect and Not Corrected (willful neglect, not corrected within 30 days) | | | |
Reference: 88 Fed. Reg. 69531 (Oct. 6, 2023)
HIPAA Enforcement Today
OCR is required to investigate all healthcare data breaches that affect 500 or more individuals, but it also investigates complaints. Once an investigation begins, OCR may uncover other violations. The most common problems OCR cites in its settlement announcements are failure to conduct a risk analysis, failure to follow the Security Rule, and failure to provide adequate workforce training.
If OCR believes there is criminal conduct, it refers the matter to the Department of Justice for investigation and criminal enforcement.
The FTC, the States and Private Lawsuits
OCR is serious about enforcement. But enforcement can also come from other sources.
The Federal Trade Commission (FTC) is stepping up enforcement of health privacy rules. In some cases the FTC coordinates with OCR (website tracking), while in other cases it pursues investigations on its own (GoodRx, BetterHelp and Premom).
The HITECH Act of 2009 gave State Attorneys General authority to enforce the HIPAA Privacy and Security Rules. The most recent example is the Blackbaud breach which resulted in a $50 million settlement.
Private civil lawsuits are on the rise. Although HIPAA does not provide a private right to sue, if protected health information (PHI) is breached, plaintiffs can sue under state privacy and consumer protection laws and use HIPAA as the standard of care to prove negligence where the defendant did not comply.