Effective January 17, 2020, civil money penalties for certain violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) have been adjusted for inflation by the Department of Health and Human Services (HHS), as required by the Federal Civil Penalties Inflation Adjustment Act of 1990, as amended by the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015 (Inflation Adjustment Act). The final regulations provide for the following tiers of penalties:
- Did not know (and by exercising reasonable diligence would not have known) – minimum $119, maximum $59,522
- Reasonable cause, not willful neglect – minimum $1,191, maximum $59,522
- Willful neglect, but corrected in 30 days – minimum $11,904, maximum $59,522
- Willful neglect, not corrected in 30 days – minimum $59,522, maximum $1,785,651
The penalty amounts are applied per violation. Each tier is subject to a calendar year cap of $1,785,651.
The inflation-adjusted penalty amounts apply to prospective assessments of penalties after the effective date, but only to violations of HIPAA occurring on or after November 2, 2015 (which was the effective date of the Inflation Adjustment Act). For assessments prior to January 17, 2020, the 2019 inflation-adjusted amounts would apply as long as the violations occurred on or after November 2, 2015. For violations that occurred before November 2, 2015, the prior penalty amounts without inflation adjustment will continue to apply. For information on HHS’ HIPAA enforcement process, go to the HHS website at https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/enforcement-process/index.html.
