2024 Penalties for HIPAA Violations

The Department of Health and Human Services (HHS) has increased the civil monetary penalty amounts across all of its agencies so that the penalties continue to serve as an effective deterrent against non-compliance. Civil monetary penalty amounts are adjusted annually for inflation, with the size of the increase determined by the Office of Management and Budget (OMB). OMB calculates an annual inflation multiplier from the October-to-October change in the Consumer Price Index for All Urban Consumers (CPI-U), publishes that multiplier in December, and every federal department is required to update its civil monetary penalty amounts using that multiplier by January 15. HHS rarely meets that deadline.

HHS applied the inflation update for 2023 on October 6, 2023, and the inflation update for 2024 on August 8, 2024. The Administrative Procedure Act (APA) generally requires a notice-and-comment period and at least 30 days between publication in the Federal Register and the effective date; however, inflation adjustments under the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015 are exempt from those requirements and take effect immediately. Consequently, any penalty assessed on or after August 8, 2024 for a violation that occurred on or after November 2, 2015 (the date of enactment of the 2015 Act) uses the new amounts, which are the 2023 amounts multiplied by 1.03241 and rounded to the nearest dollar.

The civil monetary penalties for HIPAA violations have therefore increased again. The current penalty structure dates from the HITECH Act of 2009, which required HHS to raise the penalties for HIPAA violations and introduced four tiers of culpability. HHS set the original amounts for those tiers as shown in the table below.

Penalties for HIPAA Violations (2009)

Per the requirements of the HITECH Act, the HHS set the penalties for HIPAA violations as follows:

Culpability Level                 Minimum Penalty per Violation   Maximum Penalty per Violation   Annual Penalty Cap
No Knowledge                      $100                            $50,000                         $1,500,000
Reasonable Cause                  $1,000                          $50,000                         $1,500,000
Willful Neglect (Corrected)       $10,000                         $50,000                         $1,500,000
Willful Neglect (Not Corrected)   $50,000                         $1,500,000                      $1,500,000

These figures are adjusted annually for inflation.

Penalties for HIPAA Violations (From August 8, 2024)

Now that the 2024 inflation adjustments have been published in the Federal Register, the new penalty amounts apply to HIPAA violations assessed on or after August 8, 2024. However, the annual caps published in the Federal Register are not the caps that the HHS Office for Civil Rights (OCR) actually applies, because a 2019 Notice of Enforcement Discretion that lowers the caps for three of the four tiers remains in effect.


In April 2019, OCR reviewed the language of the HITECH Act and determined that the 2009 rule had misinterpreted what Congress required: the same $1,500,000 annual cap had been applied to all four penalty tiers. It makes sense, although it did not to HHS in 2009, that the maximum annual penalty for HIPAA violations committed without knowledge should not be the same as the maximum for violations due to willful neglect that has not been corrected. OCR concluded that the annual caps for three of the four tiers (no knowledge, reasonable cause, and willful neglect that is corrected) had been set incorrectly and, in the Notice of Enforcement Discretion, reduced them to $25,000, $100,000 and $250,000 respectively (in 2009 dollars, before inflation adjustment), leaving the $1,500,000 cap in place only for willful neglect that is not corrected.

These reduced annual caps are the ones OCR applies in practice, but they have not been made official: the penalty amounts codified in the regulations (45 CFR 160.404) and inflation-adjusted in the Federal Register still carry the higher caps. Until HHS amends the regulation through rulemaking, or OCR publishes a new notice in the Federal Register rescinding the 2019 Notice of Enforcement Discretion, OCR will continue to apply the effective penalties shown in the second table below. The first table shows the amounts as published in the Federal Register for comparison.

Penalty amounts as published in the Federal Register (from August 8, 2024)

Culpability Level                 Minimum Penalty per Violation   Maximum Penalty per Violation   Annual Cap for Violations of the Same Provision
No Knowledge                      $141                            $71,162                         $2,134,831
Reasonable Cause                  $1,424                          $71,162                         $2,134,831
Willful Neglect (Corrected)       $14,232                         $71,162                         $2,134,831
Willful Neglect (Not Corrected)   $71,162                         $2,134,831                      $2,134,831

Penalty amounts OCR applies under the 2019 Notice of Enforcement Discretion (from August 8, 2024)

Culpability Level                 Minimum Penalty per Violation   Maximum Penalty per Violation   Annual Cap for Violations of the Same Provision
No Knowledge                      $141                            $35,581                         $35,581
Reasonable Cause                  $1,424                          $71,162                         $142,355
Willful Neglect (Corrected)       $14,232                         $71,162                         $355,808
Willful Neglect (Not Corrected)   $71,162                         $2,134,831                      $2,134,831

Note that under the Notice of Enforcement Discretion the maximum penalty for a single "no knowledge" violation is also the annual cap for that tier, so a covered entity cannot be penalized more than $35,581 in a calendar year for violations of the same provision committed without knowledge.

About Liam Johnson

Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/