Fines for HIPAA violations in which the affected party had no knowledge of nor culpability in the privacy breach will now be capped at $25,000, a fraction of the previous $1.5 million limit, according to a new notice of enforcement discretion from the HHS.
The update, issued on April 26, is not an amendment to HIPAA, but merely a new interpretation of the existing fine structure in the Health Information Technology for Economic and Clinical Health (HITECH) Act, which amended HIPAA in 2009. The previous reading of those provisions saw a total annual fine limit of $1.5 million for all HIPAA violations, regardless of the level of culpability.
Under the new interpretation, breaches will be penalized under one of four tiers.
1. Parties completely absolved of all culpability in the breach will be fined a maximum of $25,000 per year.
2. Those who did not willfully violate HIPAA but experienced a breach due to "reasonable cause" will be limited to $100,000 in annual fines.
3. Breaches that occurred due to "willful neglect" but were rectified in a timely manner will be fined up to $250,000.
4. The $1.5 million yearly cap will still apply to the highest-tier violations, which are caused by willful neglect and are not corrected as soon as possible.
Under the previous total fine cap of $1.5 million, HHS collected a record amount in HIPAA fines in 2018: a total of $28.7 million, including the largest-ever individual settlement of $16 million, with health insurer Anthem.