The Department of Health and Human Services (HHS) adjusted the monetary penalties it imposes on healthcare providers, health plans and their business associates for violating the Health Insurance Portability and Accountability Act (HIPAA), lowering the annual cap for the least-severe violation from $1.5 million to $25,000.
HHS said the new tier structure is based on culpability and sets different annual limits for fines across four penalty tiers, according to a notice of enforcement discretion issued Friday. Healthcare organizations that have taken steps to comply with HIPAA requirements, or that work quickly to mitigate violations, face a smaller maximum penalty than organizations found to have been neglectful.
Prior to the changes, the annual limit was $1.5 million for every tier.
With this latest enforcement notice, HHS adjusted the fine structure so that the maximum penalty rises with the level of culpability.
The penalty structure is now:
- Tier 1 (no knowledge of violation): $100 to $50,000 per violation; capped at $25,000 per year
- Tier 2 (reasonable cause): $1,000 to $50,000 per violation; capped at $100,000 per year
- Tier 3 (willful neglect, corrected): $10,000 to $50,000 per violation; capped at $250,000 per year
- Tier 4 (willful neglect, not corrected): $50,000 per violation; capped at $1.5 million per year