HIPAA Fines Increase Again: Is your practice ready?
- J.D. Robinson
- Feb 12
- 2 min read
Updated: Feb 12
Every year, HIPAA ‘Civil Monetary Penalties’ (aka fines) increase according to inflation. The original HITECH Act schedule ranged from $100 per violation up to an annual cap of $1.5 million, depending on the culpability of the regulated entity; those values have been adjusted annually for inflation so the fines keep their bite. The updated amounts are published in 45 CFR § 102.3, Table 1 (available on the eCFR).
How do HIPAA fines work?
Once the HHS Office for Civil Rights (OCR) has determined that a regulated entity has violated HIPAA and that it intends to levy a fine, it determines the regulated entity’s culpability in the violation. There are four culpability tiers (45 CFR § 160.404) and an annual cap for identical violations.
Tier 1 — The lowest culpability tier. These are violations where “the covered entity or business associate did not know and, by exercising reasonable diligence, would not have known that the covered entity or business associate violated such a provision.”
Tier 2 — The next higher culpability tier. These are violations where “the violation was due to reasonable cause and not to willful neglect.”
Tier 3 — The second highest culpability tier, reserved for violations where “the violation was due to willful neglect and was corrected during the 30-day period beginning on the first date the covered entity or business associate knew, or, by exercising reasonable diligence, would have known that the violation occurred.”
Tier 4 — The highest culpability tier, where “the violation was due to willful neglect and was not corrected during the 30-day period beginning on the first date the covered entity or business associate knew, or, by exercising reasonable diligence, would have known that the violation occurred.”
Fee Caps: There is a cap, per calendar year, for identical violations of the HIPAA regulations. Some people mistakenly believe that this is a cap on total fines per year, and that’s not correct. The regulation specifies that the cap applies to identical violations of the same provision; each provision violated carries its own cap.
For example, if you’re fined for Right of Access at Tier 4 ($50,000 minimum per violation, before inflation adjustment), and there are five patients involved, that would be a fine of $250,000. If 1,000 patients were involved, the arithmetic would exceed the cap, so the fine would be limited to the annual cap for that particular provision. If you also violated another provision of HIPAA, that fine would be added on top and subject to its own annual cap.
Current Penalty Amounts:

Penalties other than fines:
These are just the civil financial penalties that the law allows for under HIPAA. However, HIPAA also has provisions for criminal penalties (42 U.S.C. § 1320d-6), including fines and imprisonment of up to one, five or ten years depending on whether the offense involved false pretenses or intent to sell or use the information for commercial advantage, personal gain or malicious harm.
Certain violations of HIPAA may also be violations of Medicare/Medicaid regulations as well as the False Claims Act, and can incur civil and criminal penalties under those laws and regulations.
Both HIPAA and Medicare require regulated entities to complete a Security Risk Analysis (SRA). Medicare also requires the practice to certify annually that it has done so. If the practice does not complete the SRA but certifies that it has, it can face fines under HIPAA, penalties for Medicare fraud (including, but not limited to, repaying any funds received from Medicare during the period in question), and penalties under the False Claims Act (lying to the government).