On April 30, 2019, HHS exercised its discretion in how it applies the regulations related to HIPAA privacy and security violations. As background, in 2009, the HITECH Act set penalty limits based on four tiers of knowledge and intention. Each tier had a maximum penalty of $1.5 million per calendar year when the violations were of an identical requirement or prohibition. The new guidance, found in the Federal Register, reduces the maximum annual penalty to the following amounts per tier:

•No knowledge: The covered entity did not know, and by exercising due diligence, would not have known they violated a provision. Maximum annual penalty is now $25,000.
•Reasonable cause and not willful neglect: The covered entity had knowledge of the violation, but lacked conscious intent and reckless indifference. Maximum annual penalty is now $100,000.
•Corrected willful neglect: The covered entity had knowledge of the violation, acted with conscious intent or indifference, and corrected the violation within 30 days of having knowledge. Maximum annual penalty is now $250,000.
•Willful neglect and not corrected: The covered entity had knowledge of the violation, acted with conscious intent or indifference, and did not correct the violation within 30 days of having knowledge. Maximum annual penalty remains $1.5 million.

The changes are effective immediately. HHS expects to issue revised regulations in the future.

Notification of Enforcement Discretion Regarding HIPAA Civil Money Penalties »