HIPAA: New HIPAA Penalties System Rewards Labs that Try to Comply

New HHS rules significantly increase the amount of money your lab can save by making diligent and demonstrable efforts to prevent HIPAA violations even when those efforts don’t succeed. We’re referring to the new HHS system of basing maximum HIPAA penalties on “level of culpability” set out by the agency in its April 26 Notification of Enforcement Discretion (Notice). Here’s the lowdown.

How HIPAA Penalties Are Determined

The Health Information Technology for Economic and Clinical Health Act (HITECH Act) establishes a four-tier system for determining minimum and maximum civil monetary penalties (CMP) for HIPAA violations. The tiers range by severity, as illustrated by Table 1:

Table 1. The Old 4-Tier HIPAA Penalties System
| Tier | Description | CMP Range |
|---|---|---|
| 1 | Violator didn’t know and wouldn’t have known through the exercise of reasonable diligence of HIPAA violation | $100 per violation up to maximum of $25,000 per calendar year |
| 2 | Violation due to reasonable cause, not willful neglect | $1,000 per violation up to maximum of $100,000 per calendar year |
| 3 | Violation due to willful neglect that’s timely corrected | $10,000 per violation up to maximum of $250,000 per calendar year |
| 4 | Violation due to willful neglect that’s not timely corrected | $50,000 per violation up to maximum of $1,500,000 per calendar year |

When it implemented the HITECH Act back in 2013, however, HHS viewed the penalty provisions as “conflicting” and decided that the highest annual cap of $1.5 million under tier 4 should apply to every tier. Despite criticism, HHS held the line and insisted “that the penalty amounts are appropriate and reflect the most logical reading of the HITECH Act.”

The New ‘Level of Culpability’ System

It took nearly five years, but HHS has finally seen the light. In the Notice, HHS announced that it’s changed its position and will now follow the original intent of the HITECH Act by basing the potential range of penalties on the violator’s level of culpability and efforts to comply. Table 2 summarizes the new “level of culpability” system.

Table 2. The New “Level of Culpability” HIPAA Penalties System
| Tier | Minimum CMP per Violation | Maximum CMP per Violation | Maximum CMP per Calendar Year |
|---|---|---|---|
| No Knowledge | $100 | $50,000 | $25,000 |
| Reasonable Cause | $1,000 | $50,000 | $100,000 |
| Willful Neglect-Corrected | $10,000 | $50,000 | $250,000 |
| Willful Neglect-Not Corrected | $50,000 per violation | NA | $1,500,000 |

The penalties will be adjusted for inflation.

Takeaway: Labs best take heed of the new penalty rules, especially considering that 2018 was a record year for HIPAA enforcements, with HHS collecting an all-time high of $28.7 million in penalties from HIPAA-covered entities and their business associates. The good news is that in the future, HIPAA penalties should be much less robotic and labs will, rightly, earn consideration for the efforts they make to implement systems to ensure the privacy and security of PHI and prevent HIPAA violations.

