HIPAA Violation Penalties Revised
By Wyn Staheli, Director of Research
May 06, 2019
On April 30, 2019 The Department of Health and Human Services (HHS) announced that “HHS will apply a different cumulative annual CMP limit for each of the four penalties tiers in the HITECH Act.” Unlike other notices which require a proposed rule with a comment period, this notice will take effect immediately because the law allows HHS to revise penalty amounts as they see fit.
To give the context to these changes, in 2013, there was a ruling which imposed a maximum annual Civil Monetary Penalty (CMP) or $1.5 million for each ‘tier’ of culpability. The following table outlines the previous and new penalties:
Keep in mind that this is a new annual limit. So if an investigation finds that this violation occurred over the course of two years, your maximum penalty could be as much as $3 million. The good news is that, if your organization did not know (and even with reasonable diligence would not have known) of the violation, your maximum penalty drops significantly.
Interestingly, HHS also stated that “HHS expects to engage in future rulemaking to revise the penalty tiers in the current regulation to better reflect the text of the HITECH Act.” There is no timeline of when to expect these proposed changes.
For those with a copy of the HIPAA Compliance 4th Edition, please update the penalty tables on pages 13 and 76 to reflect these changes.
More Articles in May 2019
2017 - View
2016 - View
2015 - View
2014 - View
2013 - View
2012 - View
2011 - View
2010 - View
2009 - View
2008 - View