BAS Blog

HIPAA Penalties Changed

Written by BAS | May 23, 2019 12:00:00 PM

The U.S. Department of Health and Human Services recently changed how it applies civil money penalties under HIPAA. Under the Health Information Technology for Economic and Clinical Health Act (HITECH), there are four separate penalty tiers for electronic data violations. HHS set minimum and maximum penalty amounts for violations in each tier, with an across-the-board limit of $1.5 million for all four penalty tiers. The new HHS approach reduces the maximum penalty based on the severity of the violations. The limits for violations of identical provisions of HITECH in a calendar year will be the following dollar amounts:

  • Tier 1—Person did not know and, exercising reasonable diligence, would not have known of a violation: $25,000
  • Tier 2—Violation was due to reasonable cause and not willful neglect: $100,000
  • Tier 3—Violation was due to willful neglect and was timely corrected: $250,000
  • Tier 4—Violation was due to willful neglect and was not corrected: $1.5 million.