OCR Makes Inflation Adjustment to HIPAA Civil Monetary Penalties

The Office of the Assistant Secretary for Financial Resources (ASFR), Department of Health and Human Services, has made its annual adjustment to the minimum and maximum civil monetary penalties, as mandated by the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015 (Inflation Adjustment Act).

The Final Rule’s updated penalties are effective from November 5, 2019 and apply to penalties for violations of HIPAA Administrative Simplification Rules that occurred on or after February 18, 2019.  The adjustment was calculated based on the Consumer Price Index for all Urban Consumers (CPI–U) for October 2019. For 2019, the penalties have been increased by a factor of 1.02522.

The new penalties for HIPAA violations are detailed in the table below:

Tier Level of Culpability Minimum Penalty per Violation Maximum Penalty per Violation Maximum Annual Penalty
1 No Knowledge $117 $58,490 $1,754,698
2 Reasonable Cause $1,170 $58,490 $1,754,698
3 Willful Neglect – Corrective Action Taken Within 30 Days $11,698 $58,490 $1,754,698
4 Willful Neglect – No Timely Corrective Action Taken $58,490 $1,754,698 $1,754,698

Penalties for violations that occurred before February 18, 2019 have been increased to a maximum penalty of $159 per violation, capped at $39,936 per violation, per calendar year.

It should be noted that the maximum annual financial penalties differ considerably from OCR’s April 30, 2019 notice of enforcement discretion. OCR had reassessed how the new penalties mandated by the HITECH Act had been interpreted and determined they did not reflect the intentions of Congress.

The previous interpretation had seen the maximum penalty of $1.5 million per violation category, per year applied across all penalty tiers. With the inflation increases, that makes the maximum penalty $1,754,698, regardless of the level of culpability.

In April, OCR reduced the maximum penalties in the first three penalty tiers. OCR is now using the penalty structure outlined in its notice of enforcement discretion to determine appropriate financial penalties, but the notice of enforcement discretion penalty structure has yet to be formally adopted. OCR has said this would be addressed in further rulemaking, but as of November 5, 2019 that has yet to happen.

From a legal standpoint, that means OCR could revert to the old penalty structure at any point. For the time being at least, OCR is using the penalty structure detailed in the table below.

Tier Level of Culpability Minimum Penalty per Violation Maximum Penalty per Violation Maximum Annual Penalty
1 No Knowledge $117 $58,490 $25,630.5
2 Reasonable Cause $1,170 $58,490 $102,522
3 Willful Neglect – Corrective Action Taken Within 30 Days $11,698 $58,490 $256,305
4 Willful Neglect – No Timely Corrective Action Taken $58,490 $1,754,698 $1,754,698