Archived Insight | May 8, 2019

Penalties for Violating HIPAA Privacy and Security Rules Will Be Reduced

The Department of Health and Human Services (HHS) recently published a notice announcing its decision to lower the maximum annual penalties that can be imposed for most violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules.

Background

The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted in 2010, expanded the obligations of covered entities and their business associates under HIPAA and changed the way that civil monetary penalties could be imposed for violations of the HIPAA Privacy and Security Rules. HITECH varied penalties based on the level of culpability associated with the violation.

Regulations implementing HITECH set out four tiers of penalties, with minimums and maximums for each tier and an annual limit for all violations of the same requirement.

How the Annual Limits for Violations of the Same Requirement Will Change

Under the new approach, the annual limits for the first three tiers will be significantly lower, as shown in the table below.

Annual Limit for Violations of the Same Requirement

| Level of Culpability | Under Current Regulations | Under the New Approach |
| --- | --- | --- |
| No Knowledge that Conduct Violated Law (and, by Exercising Reasonable Diligence, Would Not Have Known) | $1.5 million | $25,000 |
| Reasonable Cause (and Not Willful Neglect) | $1.5 million | $100,000 |
| Willful Neglect (but Corrected Within Certain Time Frame) | $1.5 million | $250,000 |
| Willful Neglect (and Not Corrected) | $1.5 million | $1.5 million |

In the notice, HHS states that its new approach better reflects the language in the HITECH Act. At some point, HHS will issue new regulations incorporating the lower penalty amounts. Until then, HHS will follow this new approach as a matter of its enforcement discretion.

Per-Violation Penalties Will Not Change

The recent HHS announcement does not affect the per-violation penalties, which are noted in the table below.

Minimum and Maximum Penalties Per Violation

| Level of Culpability | Minimum | Maximum |
| --- | --- | --- |
| No Knowledge that Conduct Violated Law (and, by Exercising Reasonable Diligence, Would Not Have Known) | $100 | $50,000 |
| Reasonable Cause (and Not Willful Neglect) | $1,000 | $50,000 |
| Willful Neglect (but Corrected Within Certain Time Frame) | $10,000 | $50,000 |
| Willful Neglect (and Not Corrected) | $50,000 | |

Implications for Plan Sponsors

HHS has rarely sought to impose civil monetary penalties. Instead, HHS enforces the privacy and security rules through resolution agreements that call for payments from affected covered entities or their business associates. Many of these resolution agreements call for multi-million dollar payments, but these are not actually civil monetary penalties under the law.

While lowering most of the annual maximums is a technical change, it is possible that HHS could also lower its demands as part of future resolution agreement settlements. Nevertheless, plan sponsors should remain vigilant about complying with the HIPAA/HITECH rules. HHS has stepped up its enforcement of the rules, ending 2018 with an all-time record for HIPAA enforcement. In 2018, HHS settled 10 cases and secured one judgment (including civil monetary penalties), together totaling $28.7 million. This total surpassed the previous record of $23.5 million from 2016 by 22 percent.

Information about resolution agreements that have been reached and civil monetary penalties that have been imposed is available on the HHS website.

This page is for informational purposes only and does not constitute legal, tax or investment advice. You are encouraged to discuss the issues raised here with your legal, tax and other advisors before determining how the issues apply to your specific situations.