On October 6th, 2023, the U.S. Department of Health and Human Services (HHS), the agency that enforces the Health Insurance Portability and Accountability Act (HIPAA), published its 2023 annual inflation adjustments to the civil monetary penalties for HIPAA violations. In brief, these penalties are assessed and enforced by the HHS pursuant to the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015 (Inflation Adjustment Act). The final rule took effect October 6th, 2023. In February 2023, the HHS's Office for Civil Rights (OCR) announced a $1.25 million settlement in the case of a non-profit health organization's reported HIPAA violations.

Background of the Inflation Adjustment Act

The Inflation Adjustment Act made civil money penalties (CMPs) more effective by ensuring they remain a deterrent over time. Penalties that are never updated lose their deterrent effect as the cost of living rises, so they require regular adjustment. With this intention, the Inflation Adjustment Act amended the original Federal Civil Penalties Inflation Adjustment Act of 1990. Specifically, the Inflation Adjustment Act provides for yearly evaluation of CMPs for violations of various employment laws, including penalties for HIPAA violations, and supplies a cost-of-living formula for those annual adjustments.

Penalties for HIPAA Violations

HIPAA violations can occur through either intentional or accidental breaches of protected health information (PHI). If an OCR investigation reveals HIPAA violations, OCR has the authority to impose a range of penalties on employers. Penalties for HIPAA violations can include corrective action plans to identify and close gaps in cybersecurity, tiered civil monetary penalties based on the employer's knowledge of the violation, and criminal penalties for grievous and intentional violations. The 2023 civil monetary penalties for HIPAA violations are as follows:

  • Tier 1: Lack of Knowledge (Despite Exercising Reasonable Diligence)
    • Minimum penalty per violation: $137
    • Maximum penalty per violation: $68,928
    • Calendar year cap: $2,067,813
  • Tier 2: Reasonable Cause
    • Minimum penalty per violation: $1,379
    • Maximum penalty per violation: $68,928
    • Calendar year cap: $2,067,813
  • Tier 3: Willful neglect (corrected within 30 days)
    • Minimum penalty per violation: $13,785
    • Maximum penalty per violation: $68,928
    • Calendar year cap: $2,067,813
  • Tier 4: Willful neglect (not corrected within 30 days)
    • Minimum penalty per violation: $68,928
    • Maximum penalty per violation: $2,067,813
    • Calendar year cap: $2,067,813

What Is the HIPAA Privacy Rule?

HIPAA is a federal law that requires national standards to protect sensitive patient health information from being disclosed without the patient's consent or knowledge. In turn, the HHS issued the HIPAA Privacy Rule to implement the requirements of HIPAA. The standards under the HIPAA Privacy Rule govern the use and disclosure of protected health information by covered entities. Additionally, the Privacy Rule protects an individual's right to understand and control how covered entities use their health information. Covered entities include:

  • most healthcare providers,
  • health plans,
  • business associates, and
  • healthcare clearinghouses.

These covered entities may disclose personal health information only as expressly permitted or required by the HIPAA Privacy Rule.