inflation hits penalties

HIPAA Penalties Updated in 2023

It’s worth revisiting how much noncompliance can cost because the civil money penalties (CMP) for HIPAA violations have just been adjusted upward for inflation by the U.S. Department of Health and Human Services (HHS).

HIPAA Penalties are on a Sliding Scale

It’s important to remember that penalties are on a four-tier sliding scale; the worse the violation, the higher the penalty.

Last week the minimum penalty per “unknowing” violation was $127; this week the minimum is $137. The next level up, for a violation due to reasonable cause but not willful neglect, is $1,379 per violation. The potential maximum per violation at both levels is a whopping $68,928, while the annual cap is $2,067,813. There are two additional levels for more serious violations; all four of them are outlined below.

The Federal Register Contains Formal Law

In 2019 under the prior penalty structure, HHS decided that the annual cap should not be the same for all four tiers. However, the penalty chart was not officially changed in the Federal Register. Instead, HHS issued a Notice of Enforcement Discretion (NED), indicating that the Office for Civil Rights (OCR) would apply a different penalty structure for the annual penalty caps.

This led to confusion because the NED suggested the law had changed, but it hadn’t. The 2019 HHS Notice of Enforcement Discretion is not formal law.

The chart below reflects current law in the Federal Register.

Table of Civil Money Penalties for HIPAA Violations Adjusted for Inflation effective October 6, 2023

Tiers 1 through 4 – from Least to Most Serious

Minimum Penalty per Violation

Maximum Penalty per Violation

CMP Limit for Identical Violations in a Calendar Year

Tier 1.  Unknowing Violation

Lack of knowledge

$137 $68,928 $2,067,813
Tier 2. Violation Due to Reasonable Cause 

Reasonable cause and not willful neglect

$1,379 $68,928 $2,067,813
Tier 3.  Violation Due to Willful Neglect and Corrected within 30 Days

Willful neglect but was corrected promptly

$13,785 $68,928 $2,067,813
Tier 4.  Violation Due to Willful Neglect and Not Corrected

Willful neglect but was not corrected within 30 days

$68,928 $2,067,813 $2,067,813

Reference: 88 Fed. Reg. 69531 (Oct. 6, 2023)

HIPAA Enforcement Today

OCR’s top priorities in 2023 are website tracking breaches and the right of access rule.

OCR is required to investigate all healthcare data breaches that affect 500 or more individuals, but they also investigate complaints. Once an investigation begins, OCR might uncover other violations. Most common problems OCR discusses in its settlement announcements include failure to conduct a risk analysis, failure to follow the Security Rule and failure to provide adequate workforce training.

If OCR believes there is criminal conduct they will refer it to the Department of Justice for investigation and criminal enforcement.

The FTC, the States and Private Lawsuits

OCR is serious about enforcement. But enforcement can also come from other sources.

The Federal Trade Commission (FTC) is amping up enforcement of health privacy rules. In some cases the FTC coordinates with OCR (website tracking) while in other cases it pursues investigations on its own (GoodRx, BetterHelp and Premom).

The HITECH Act of 2009 gave State Attorneys General authority to enforce the HIPAA Privacy and Security Rules. The most recent example is the Blackbaud breach which resulted in a $50 million settlement.

Private civil lawsuits are on the rise. Although HIPAA does not provide a private right to sue, if protected health information (PHI) is breached plaintiffs can sue under state privacy and consumer protection laws and use HIPAA as a standard to prove negligence if the defendant did not comply.

Avoid and Reduce HIPAA Penalties with Compliance

The best defense against expensive investigations and lawsuits is strong HIPAA compliance. Up to date policies, annual Risk Analysis and workforce training are essential.

Share This Post

Maggie Hales

Maggie Hales is a lawyer focusing on health information privacy and security. As CEO of ET&C Group LLC she advises health care providers and business associates in 36 states, Canada, Egypt, India and the EU, using The HIPAA E-Tool® to deliver up to date policies, forms and training on everything related to HIPAA compliance.

Copyright © 2023 ET&C Group LLC.

The HIPAA E-Tool® and Protecting Patient Privacy is Our Job®
are registered trademarks of ET&C Group LLC

Terms of Use | Privacy Policy | Cookies Policy | Privacy Settings | HTML/XML Sitemap

Mailing Address
The HIPAA E-Tool
PO Box 179104
St. Louis, MO 63117-9104

8820 Ladue Road Suite 200
St. Louis, MO 63124

Powered by JEMSU