What is the Maximum Penalty for Violating HIPAA?
The maximum penalty for violating HIPAA is currently $68,928 (December 2023) for a violation that is attributable to willful neglect and, despite being alerted to the violation by HHS’ Office for Civil Rights, is not corrected within 30 days. However, this figure represents the maximum penalty per violation, and Covered Entities and Business Associates found guilty of multiple violations can expect to pay up to $2,067,813 per violation “type” per year.
When Congress passed HIPAA in 1996, it set the maximum penalty for violating HIPAA at $100 per violation with an annual cap of $25,000. These limits were applied when the Department of Health & Human Services (HHS) published the Enforcement Rule in 2006 and they stayed in force until the publication of the Final Omnibus Rule in 2013.
Among other changes to HIPAA, the Final Omnibus Rule introduced amendments to the Enforcement Rule attributable to the passage of the HITECH Act in 2009. The HITECH Act mandated a four-tier penalty structure for HIPAA violations and new minimum and maximum penalties for violating HIPAA. The four tiers were based on the level of culpability associated with the violation:
Tier 1 – Lack of Knowledge: The person did not know (and, by exercising reasonable diligence, would not have known) that the event was a violation of HIPAA.
Tier 2 – Lack of Oversight: The violation was due to reasonable cause and not willful neglect to comply with the HIPAA regulations.
Tier 3 – Willful Neglect: The violation was due to the willful neglect of the Covered Entity or Business Associate but corrected within 30 days of discovery.
Tier 4 – Willful Neglect, Not Corrected: The violation was due to the willful neglect of the Covered Entity or Business Associate but not corrected within 30 days of discovery.
The Penalties for Violating HIPAA Change after Review
Originally, due to “inconsistent language” of the HITECH Act, HHS interpreted the new Enforcement Rule penalty structure as follows:
| Level of Culpability | Minimum Penalty per Violation | Maximum Penalty per Violation | Annual Penalty Limit |
|---|---|---|---|
| Lack of Knowledge | $100 | $50,000 | $1,500,000 |
| Lack of Oversight | $1,000 | $50,000 | $1,500,000 |
| Willful Neglect | $10,000 | $50,000 | $1,500,000 |
| Willful Neglect not Corrected within 30 days | $50,000 | $50,000 | $1,500,000 |
However, following a review of the penalty tiers by HHS' Office of General Counsel, the annual caps were amended in 2019 to align with those mandated by HITECH.
| Level of Culpability | Minimum Penalty per Violation | Maximum Penalty per Violation | Annual Penalty Limit |
|---|---|---|---|
| Reasonable Efforts | $100 | $50,000 | $25,000 |
| Reasonable Cause | $1,000 | $50,000 | $100,000 |
| Willful Neglect – Corrected | $10,000 | $50,000 | $250,000 |
| Willful Neglect – Not Corrected within 30 days | $50,000 | $50,000 | $1,500,000 |
This resulted in the annual limit for a Tier 1 violation being less than the maximum penalty per violation in Tier 1 – a situation that has continued as the penalties for violating HIPAA have been adjusted for inflation. Additionally, the maximum penalty for violating HIPAA in Tier 4 has also been increased. The current (December 2023) penalties for violating HIPAA are:
| Level of Culpability | Minimum Penalty per Violation | Maximum Penalty per Violation | Annual Penalty Limit |
|---|---|---|---|
| Lack of Knowledge | $137 | $34,464 | $34,464 |
| Lack of Oversight | $1,379 | $68,928 | $137,886 |
| Willful Neglect | $13,785 | $68,928 | $344,638 |
| Willful Neglect not Corrected within 30 days | $68,928 | $68,928 | $2,067,813 |
The Maximum Penalty for Violating HIPAA is per Violation Type
It is important for Covered Entities and Business Associates to be aware that the maximum penalty for violating HIPAA is per violation type. This means that (for example), if a Covered Entity fails to conduct a risk assessment, fails to implement measures to prevent a foreseeable breach, and fails to notify patients when a breach occurs, the Covered Entity could be issued the maximum penalty for violating HIPAA three times over. This demonstrates the need for a comprehensive HIPAA compliance program.
It is also important to be aware that State Attorneys General have the authority to impose civil money penalties on Covered Entities and Business Associates found to have violated HIPAA. Consequently, what a Covered Entity or Business Associate pays in penalties to HHS' Office for Civil Rights may be substantially increased – as Anthem Inc. found out following a breach of 78.8 million records in 2015.
In addition to reaching a $16 million settlement with HHS' Office for Civil Rights, Anthem Inc. was also fined $48.2 million by State Attorneys General in two separate cases. Additionally, a class action was brought against Anthem Inc. by individuals whose data was breached – resulting in a further $115 million settlement. Consequently, if found guilty of a HIPAA violation, the total cost of violating HIPAA could be much more than the figures published annually in the Federal Register.