May 14, 2019
On April 30, 2019, HHS exercised its discretion in how it applies the regulations related to HIPAA privacy and security violations. As background, in 2009, the HITECH Act set penalty limits based on four tiers of knowledge and intention. Each tier had a maximum penalty of $1.5 million per calendar year when the violations were of an identical requirement or prohibition. The new guidance, found in the Federal Register, reduces the maximum annual penalty to the following amounts per tier:
The changes are effective immediately. HHS expects to issue revised regulations in the future.
Notification of Enforcement Discretion Regarding HIPAA Civil Money Penalties