HHS exercises enforcement discretion and reduces maximum civil penalties

Those who want to see HHS/OCR come down like a ton of bricks on more entities and impose heavier civil monetary penalties for HIPAA breaches will likely not be happy to learn that HHS has decided to reduce the maximum civil penalties it will impose for the four tiers of violations of HIPAA.

Until now, penalties have been capped this way:

Table 1: Penalty tiers under the Enforcement Rule

| Culpability | Minimum Penalty/Violation | Maximum Penalty/Violation | Annual Limit |
|---|---|---|---|
| No Knowledge | $100 | $50,000 | $1,500,000 |
| Reasonable Cause | $1,000 | $50,000 | $1,500,000 |
| Willful Neglect – Corrected | $10,000 | $50,000 | $1,500,000 |
| Willful Neglect – Not Corrected | $50,000 | $50,000 | $1,500,000 |

Under the revised system, the penalties are capped as shown in Table 2, below:

Table 2: Penalty Tiers under Notification of Enforcement Discretion

| Culpability | Minimum Penalty/Violation | Maximum Penalty/Violation | Annual Limit |
|---|---|---|---|
| No Knowledge | $100 | $50,000 | $25,000 |
| Reasonable Cause | $1,000 | $50,000 | $100,000 |
| Willful Neglect – Corrected | $10,000 | $50,000 | $250,000 |
| Willful Neglect – Not Corrected | $50,000 | $50,000 | $1,500,000 |

HHS’s notification, which will be published in the Federal Register on April 30, explains their reasoning and justification for exercising their discretion in this way.  I’ve reproduced the notification, below.

2019-08530

About the author: Dissent