Source - Privacy and Data Security Alert | May 2019

HHS Lowers Cumulative Annual Limits for HIPAA Violations

The U.S. Department of Health and Human Services (HHS) has issued revised monetary-penalty limits for Health Insurance Portability and Accountability Act (HIPAA) violations by covered entities. Under the revisions, the maximum annual penalty for violations per tier of culpability would be:

Culpability                        Old Annual Limit    New Annual Limit
No Knowledge                       $1,500,000          $25,000
Reasonable Cause                   $1,500,000          $100,000
Willful Neglect - Corrected        $1,500,000          $250,000
Willful Neglect - Not Corrected    $1,500,000          $1,500,000

While each tier is capped, an entity can violate multiple tiers depending on the circumstances of the violation. Accordingly, the Office for Civil Rights (OCR) can issue penalties up to the annual limit for more than one tier.

TAKEAWAY: The revised monetary-penalty limits are consistent with the decreased enforcement activity we have seen from the OCR in the last few years.
