Direction from HHS on Penalties
New HIPAA Penalties are now available from the Department of Health and Human Services after it published a notice on April 30th. HHS is exercising its discretion in how it applies its regulations on the assessment of Civil Monetary Penalties (CMPs) under HIPAA. Currently HHS applied the same cumulative annual limit to the four categories of violations.
Pending further rule making HHS will now apply different cumulative annual CMP limits. This will be instead of the maximum $1.5 million for each level of violation. This is a reduction in the maximum limit, scaling down based on the level of culpability. Consequently HHS will use the new penalty structure until further notice. It is important to understand the new HIPAA Penalties from HHS.
The Four Categories
Based on four categories of culpability HHS has provided covered entities and business associates with a whole new structure for penalties. In mostcases the amount of penalty will be significantly less than what we have experienced in the past.
For a category of no knowledge the minimum penalty is now $100, and the annual limit will be $25,000 down from $1.5 million.
If a reasonable cause $1,000 is the minimum and $100,000 for an annual limit down from $1.5 million.
Next, willful neglect with a correction it would be $10,000 as a minimum and $250,000 for annual limit.
Finally the highest is for Willful neglect with no correction with $50,000 as a minimum with an annual limit of $1,500,000.
This new guidance changes significantly the penalty structure for HIPAA violations and must be considered and understood by covered entities and business associates who deal with protected health information.
To read this important notice on new HIPAA Penalties from HHS, visit the Federal Register using the link below.