The Department of Health and Human Services has announced that it is lowering the maximum amount it will assess for most types of HIPAA violations. Although the change is couched as an exercise of discretion, HHS states that it is basing the modifications on a change in its interpretation of the penalty provisions set forth in the Health Information Technology for Economic and Clinical Health (HITECH) Act.
The practical effect of these modifications will depend on the extent to which HHS seeks to impose penalties on covered entities and business associates for offenses that did not result from willful neglect and that have not been appropriately corrected. The change in penalties does not alter the basic advice to health care providers and health plans: continue to maintain appropriate safeguards against violations of HIPAA’s privacy and security rules and take prompt action in the event of a breach.
As revised, the maximum annual penalty that HHS will assess for any type of HIPAA violation will vary with the entity’s culpability. Previously, this variation applied only to the minimum penalty for each particular violation.
Civil Monetary Penalties

| Nature of Offense | Prior Penalty Limits | New Penalty Limits |
|---|---|---|
| Did not know and by exercising reasonable diligence would not have known of violation | $100 to $50,000 per violation; up to $1.5 million per type per year | $100 to $50,000 per violation; up to $25,000 per type per year |
| Violation due to reasonable cause | $1,000 to $50,000 per violation; up to $1.5 million per type per year | $1,000 to $50,000 per violation; up to $100,000 per type per year |
| Willful neglect but corrected problem | $10,000 to $50,000 per violation; up to $1.5 million per type per year | $10,000 to $50,000 per violation; up to $250,000 per type per year |
| Willful neglect but did not correct problem | $50,000 per violation; up to $1.5 million per type per year | $50,000 per violation; up to $1.5 million per type per year |