The maximum penalty for violating HIPAA is currently $1,919,173 (September 2022). However, this figure represents the maximum penalty per violation type, and Covered Entities and Business Associates found guilty of multiple violations can expect to pay much more.
When Congress passed HIPAA in 1996, it set the maximum penalty for violating HIPAA at $100 per violation with an annual cap of $25,000. These limits were applied when the Department of Health & Human Services (HHS) published the Enforcement Rule in 2006 and they stayed in force until the publication of the Final Omnibus Rule in 2013.
Among other changes to HIPAA, the Final Omnibus Rule introduced amendments to the Enforcement Rule attributable to passage of the HITECH Act in 2009. The HITECH Act mandated a four tier penalty structure for HIPAA violations and new minimum and maximum penalties for violating HIPAA. The four tiers were based on the level of culpability associated with the violation:
Tier 1 – Lack of Knowledge: The person did not know (and, by exercising reasonable diligence, would not have known) that the event was a violation of HIPAA.
Tier 2 – Lack of Oversight: The violation was due to reasonable cause and not willful neglect to comply with the HIPAA regulations.
Tier 3 – Willful Neglect: The violation was due to the willful neglect of the Covered Entity or Business Associate but corrected within 30 days of discovery.
Tier 4 – Willful Neglect, Not Corrected: The violation was due to the willful neglect of the Covered Entity or Business Associate but not corrected within 30 days of discovery.
The Penalties for Violating HIPAA Change after Review
Originally, due to “inconsistent language” of the HITECH Act, HHS interpreted the new Enforcement Rule penalty structure as follows:
| Level of Culpability | Minimum Penalty per Violation | Maximum Penalty per Violation | Annual Penalty Limit |
| Lack of Knowledge | $100 | $50,000 | $1,500,000 |
| Lack of Oversight | $1,000 | $50,000 | $1,500,000 |
| Willful Neglect | $10,000 | $50,000 | $1,500,000 |
| Willful Neglect not Corrected within 30 days | $50,000 | $50,000 | $1,500,000 |
However, following a review of the penalty tiers by HHS´ Office of General Counsel, the annual caps were amended in 2019 to align with those mandated by HITECH.
| Level of Culpability | Minimum Penalty per Violation | Maximum Penalty per Violation | Annual Penalty Limit |
| Reasonable Efforts | $100 | $50,000 | $25,000 |
| Reasonable Cause | $1,000 | $50,000 | $100,000 |
| Willful Neglect – Corrected | $10,000 | $50,000 | $250,000 |
| Willful Neglect – Not Corrected within 30 days | $50,000 | $50,000 | $1,500,000 |
This resulted in the annual limit for a Tier 1 violation being less than the maximum penalty for violating HIPAA in Tier 1 – a situation that has continued as the penalties for violating HIPAA have been adjusted to account for inflation. Additionally, the maximum penalty for violating HIPAA in Tier 4 has also been increased. The current (September 2022) penalties for violating HIPAA are:
| Level of Culpability | Minimum Penalty per Violation | Maximum Penalty per Violation | Annual Penalty Limit |
| Lack of Knowledge | $127 | $60,973 | $30,133 |
| Lack of Oversight | $1,280 | $60,973 | $121,946 |
| Willful Neglect | $12,794 | $60,973 | $304,865 |
| Willful Neglect not Corrected within 30 days | $60,973 | $1,919,173 | $1,919,173 |
The Maximum Penalty for Violating HIPAA is per Violation Type
It is important for Covered Entities and Business Associates to be aware that the maximum penalty for violating HIPAA is per violation type. This mean that (for example), if a Covered Entity fails to conduct a risk assessment, fails to implement measures to prevent a foreseeable breach, and fails to notify patients when a breach occurs, the Covered Entity could be issued the maximum penalty for violating HIPAA three times over.
It is also important to be aware that State Attorneys General have the authority to impose civil money penalties on Covered Entities and Business Associates found to have violated HIPPA. Consequently, what a Covered Entity or Business Associate pays in penalties to HHS´ Office for Civil Rights may be substantially increased – as Anthem Inc. found out following a breach of 78.8 million records in 2015.
In addition to reaching a $16 million settlement with HHS´ Office for Civil Rights, Anthem Inc. was also fined $48.2 million by State Attorneys General in two separate cases. Additionally, a class action was brought against Anthem Inc. by individuals whose data was breached – resulting in a further $115 million settlement. Consequently, if found guilty of a HIPAA violation, the maximum penalty for violating HIPAA could be much more then the figures published annually in the Federal Register.
The post What is the Maximum Penalty for Violating HIPAA? appeared first on HIPAA Journal.