On Friday April 26, 2019 the Department of Health and Human Services issued a notice of HIPAA enforcement discretion. This is not an amendment to HIPAA, but merely a new interpretation of the existing fine structure in the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was amended in 2009.
HHS has determined that annual fine limits are better represented in the new table below, including $25,000 for no knowledge, $100,000 for reasonable cause, $250,000 for corrected willful neglect, and $1,500,000 for uncorrected willful neglect. HIPAA enforcement actions will now be governed by the following penalty tiers:
| Culpability | Minimum penalty/violation | Maximum penalty/violation | Annual limit |
|---|---|---|---|
| No Knowledge | $100 | $50,000 | $25,000 |
| Reasonable Cause | 1,000 | 50,000 | 100,000 |
| Willful Neglect—Corrected | 10,000 | 50,000 | 250,000 |
| Willful Neglect—Not Corrected | 50,000 | 50,000 | 1,500,000 |
HHS expects to engage in future rulemaking to revise the penalty tiers in alignment with the above, which they feel will better reflect the text of the HITECH Act.