HHS Lowers Maximum Fines Set for HIPAA Violations

The US Department of Health and Human Services (HHS) announced last week that it is capping the civil monetary penalties that can be assessed to covered entities, business associates, and health plans for HIPAA violations. This regulation bases a new tier structure on a covered entity’s “level of culpability,” according to HHS. For example, it lowers the annual cap for the least severe violations from $1.5 million to $25,000.

By switching to a penalty system that’s based on a covered entity’s “level of culpability,” HHS will now assess penalties based on whether an organization has taken steps to comply with HIPAA requirements, such as conducting risk analyses, or whether it has willfully ignored such requirements or is found to be neglectful. In 2013, the HITECH Act strengthened the HHS Office for Civil Rights’ enforcement and set a static upper limit of $1.5 million per year that an issue was present. However, in the new regulation, HHS acknowledges that HITECH’s penalty tier system included “apparently inconsistent language,” which led to confusion.

“Upon further review of the statute by the HHS Office of the General Counsel, HHS has determined that the better reading of the HITECH Act is to apply annual limits” based on level of culpability, the new HHS notice states.

The new annual caps, which are set on an interim basis pending new rulemaking, are:

  • Tier 1: $100-$50,00 per violation, capped at $25,000 per year the issue persisted
  • Tier 2: $1,000-$50,000 per violation, capped at $100,000 per year the issue persisted
  • Tier 3: $10,000-$50,000 per violation, capped at $250,000 per year the issue persisted
  • Tier 4: $50,000 per violation, capped at $1.5 million per year the issue persisted

In an interview with Fierce Healthcare, Matthew Fisher, a partner with Boston-based law firm Mirick O’Connell, said this change, while inconsistent with the direction of recent OCR settlements, is a good thing.

“If a violation was clearly unintentional and without knowledge, why should a potentially massive fine follow? While the discretion existed, the interpretation will now be binding and remove the potential uncertainty,” Fisher said.

Mary Butler is associate editor at Journal of AHIMA.


  1. So many physicians’ offices hire someone with minimal experience to keep their overhead cost down. Maybe to help physicians’ offices, a HIPAA EXPERT could offer a group of practices assistance, monitoring and training so the office knows how to abide by the HIPAA RULES AND REGULATIONS. The physicians as a group pay the expert an annual fee, but it is split among the group.

  2. Am guessing the Tier 1 penalty is a typo error. Tier 1: $100-$50,00. Thank you for what you do.

    1. Hello! Regarding the typo comment: I was changing my HIPAA slide presentation and looked at the official government document on the link above. The official government document says the minimum for tier 1 no knowledge is $100/ violation with a maximum of $50,000/ violation. Column 3 for annual limit says $25,000. (See page 7- Table 2) This author entered in just what the government put. Someone at the government level didn’t catch that column 2 for the maximum per violation cannot be $50,000 if the annual maximum is only $25,000.
