In a Notification of Enforcement Discretion Regarding HIPAA Civil Money Penalties issued on April 23, 2019, the Department of Health and Human Services (HHS) exercised “its discretion in how it applies HHS regulations concerning the assessment of Civil Money Penalties (CMPs) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as such provision was amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act” to reduce the maximum annual fines it will impose for HIPAA violations.

Current HHS regulations apply the same cumulative annual CMP limit across four categories of violations based on the level of culpability. As a matter of enforcement discretion, and pending further rulemaking, HHS will now apply a different cumulative annual CMP limit for each of the four penalties tiers in the HITECH Act.

HIPAA formerly had an annual upper limit of $1.5 million for each of four culpability tiers, as shown below:

Upon further review of the statute by the HHS Office of the General Counsel, HHS has now determined that the better reading of the HITECH Act is to apply graduated annual limits:

HHS stated that it will use this penalty tier structure, as adjusted for inflation, until further notice.

What does this mean for HIPAA covered entities?  Keep at your compliance efforts, and act quickly to mitigate incidents, as doing so can help your covered entity from falling into the higher penalty categories.