Reshaping of civil money penalties for HIPAA violations




On April 30, 2019, the Department of Health and Human Services (HHS) announced that it would be using its discretion in how it applies HHS regulations concerning the assessment of Civil Money Penalties (CMPs) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as such provision was amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act.

HHS will apply a different cumulative annual CMP limit for each of the four penalty tiers in the HITECH Act.

Each category depends on the type of violation and each CMP limit is based on the level of culpability: (1) the person did not know (and, by exercising reasonable diligence, would not have known) that she violated the provision; (2) the violation was due to reasonable cause, and not willful neglect; (3) the violation was due to willful neglect that is timely corrected; and (4) the violation was due to willful neglect that is not timely corrected.

The chart below illustrates the new maximum penalties that all HHS HIPAA enforcement actions will use. The limits as enforced at the time of the last change in 2013 are shown in parentheses.


| Culpability | Minimum penalty/violation | Maximum penalty/violation | Annual limit |
|---|---|---|---|
| No Knowledge | $100 | $50,000 | $25,000 ($1,500,000 in 2013) |
| Reasonable Cause | $1,000 | $50,000 | $100,000 ($1,500,000 in 2013) |
| Willful Neglect—Corrected | $10,000 | $50,000 | $250,000 ($1,500,000 in 2013) |
| Willful Neglect—Not Corrected | $50,000 | $50,000 | $1,500,000 (same as in 2013) |


