HHS Reduces the Annual Cap for Most HIPAA Penalties

Holland & Hart - Health Law Blog

HIPAA penalties vary depending on the type of conduct involved. (45 CFR § 160.404). Under HHS’s prior interpretation, all types of violations were subject to an annual maximum penalty of $1,500,000 for identical types of violations. (Id.).

On April 30, 2019, HHS exercised its discretion to lower the annual cap for certain types of penalties as set forth in the following chart:

| Culpability | Minimum Penalty per Violation | Maximum Penalty per Violation | Annual Limit for Identical Violations |
|---|---|---|---|
| Person did not know, and by exercising reasonable diligence would not have known, that person violated HIPAA | $100 ($114 per most recent inflation adjustment) | $50,000 ($57,051 per most recent inflation adjustment) | $25,000 ($28,525 per most recent inflation adjustment) |
| The violation was due to reasonable cause, not willful neglect | $1,000 ($1,141 per most recent inflation adjustment) | $50,000 ($57,051 per most recent inflation adjustment) | $100,000 ($114,102 per most recent inflation adjustment) |
| Person acted with willful neglect, but corrected the violation within 30 days | $10,000 ($11,182 per most recent inflation adjustment) | $50,000 ($57,051 per most recent inflation adjustment) | $250,000 ($285,255 per most recent inflation adjustment) |
| Person acted with willful neglect and failed to correct the violation within 30 days | $50,000 ($57,051 per most recent inflation adjustment) | $50,000 ($57,051 per most recent inflation adjustment) | $1,500,000 ($1,711,533 per most recent inflation adjustment) |

Before you get too excited about the reduced annual cap, you should remember the following:

  1. The penalty amounts are subject to annual cost of living adjustments. (45 CFR §§ 102 and 160.404(a); see 83 FR 51378).
  2. The new annual caps only apply to identical violations. A single act or omission may result in different violations that are not identical. For example, an impermissible disclosure may violate separate HIPAA requirements, each of which may trigger a different penalty and separate annual cap. (45 CFR § 160.406). Also, the Office for Civil Rights (“OCR”) may impose a separate penalty for each individual whose information was improperly accessed or disclosed. (71 FR 8404-07). In the case of a continuing violation (e.g., the failure to implement a required safeguard or obtain a required business associate agreement), a separate violation occurs each day the covered entity or business associate is in violation of the provision. (45 CFR § 160.406).
  3. If an entity does not act with willful neglect and corrects the violation within 30 days after the covered entity or business associate knew, or by exercising reasonable diligence, would have known of the violation, the OCR may not impose a penalty; such correction is an affirmative defense to penalties. (45 CFR § 160.410(c)). On the other hand, if the entity acts with willful neglect, the relevant penalty is mandatory. (45 CFR § 160.404(b)(iii)-(iv); 75 FR 40876).
  4. A covered entity or business associate is vicariously liable for the violations of their respective agents, including workforce members or business associates acting within the scope of their agency under the federal common law of agency. (45 CFR § 160.402(c)).

In short, HIPAA penalties may add up quickly despite the reduced annual cap on identical types of violations. Covered entities and business associates must ensure that they continue to comply with HIPAA, avoid acting with “willful neglect” at all costs, and correct any violations within 30 days to invoke the affirmative defense to penalties.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.
