HHS lowers monetary penalties for HIPAA violations

HHS has changed its regulations for civil monetary penalties (CMP) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), effectively lowering penalties across four categories of violations.

Under the changes, the annual CMP limit is lowered from $1.5 million to $25,000 when the affected party had "no knowledge" of a violation.

The change enforces different CMP limits across the four penalty tiers outlined in the Health Information Technology for Economic and Clinical Health (HITECH) Act. Current regulations maintain the same CMP limit for all penalties. 

The $1.5 million cap remains in place for HIPAA violations involving "willful neglect–not corrected," while the cap for parties with violations of "reasonable cause" is lowered to $100,000 annually and the "willful neglect–corrected" cap is lowered to $250,000.

HHS plans to use the new penalty tier structure going forward, with adjustments for inflation, according to the agency.

HIPAA violations that expose patient data can be costly incidents for healthcare providers for a variety of reasons. Last year, three hospitals in Boston paid nearly $1 million to settle HIPAA violation accusations over the filming of a television documentary series without receiving patient authorization.