Alert – HHS Lowers HIPAA Annual Penalty Cap

Jay D. Reyero | 5.1.19

On April 23, the Department of Health and Human Services (“HHS”) issued a notice of enforcement discretion to reduce the annual civil penalties some violators may face under the Health Insurance Portability and Accountability Act (“HIPAA”).
The Health Information Technology for Economic and Clinical Health (“HITECH”) Act of 2009 previously strengthened HIPAA enforcement provisions by creating greater civil monetary penalties based on a violator’s level of responsibility or culpability. These levels are broken into four tiers: the lowest applies to a party with “no knowledge” of the violation, followed by a tier for violations resulting from “reasonable cause.” The two highest tiers involve violations resulting from “willful neglect,” with the highest applying to those who did not take timely action to correct the willful neglect.
Under current rules, the maximum penalty and annual penalty cap are the same for all violations, with a $50,000 maximum per violation and a $1.5 million annual limit. Under the new enforcement discretion, HHS has restructured the annual limits to be more in line with the language and intent of HITECH. Therefore, violations for “no knowledge” will be limited to $25,000 annually, “reasonable cause” will be limited to $100,000 annually, and “corrected willful neglect” will be limited to $250,000 annually. The annual limit for uncorrected “willful neglect” remains unchanged at $1.5 million. The maximum and minimum penalties per violation will remain the same for all tiers. It is important to note that while these new tiered amounts may reduce exposure from HHS-imposed civil penalties, they do not affect or cap any civil damages an individual could recover under state causes of action.
In addition to providing a more proportionate penalty for violations, this change should help to further incentivize HIPAA covered entities to take appropriate steps to increase their security and compliance. By implementing more thorough compliance plans, covered entities have a chance to substantially limit the potential penalties if a violation should occur. If you or your organization have any questions on HIPAA compliance or how this announcement affects you, please contact Jay D. Reyero at

