Department of Health and Human Services: HIPAA Violation Maximum Penalties Update

Date: 05/02/19

Publication: M&S Industry Alert

On Friday, April 26, the Department of Health and Human Services (HHS) issued a notice regarding maximum penalties for HIPAA violations. HHS has now stated that it is exercising its discretion in how it applies the assessment of Civil Money Penalties under HIPAA. Specifically, HHS is changing the maximum annual limits for violations of an identical privacy or security requirement. Under the Enforcement Rule adopted by HHS pursuant to the HITECH Act in 2013, the maximum annual penalty per violation was $1.5M regardless of culpability. HHS has now indicated that a “better reading” of the HITECH Act is to apply new maximum penalties tied to culpability, as shown in the table below.


*Annual cap applies for violations of an identical privacy or security requirement.

HHS also indicated that it expects to engage in further rulemaking to revise the penalty tiers in the current regulations based on this reading of the statute.

This alert was written by Lisa Keenan and Robert Wells, lawyers in the Health Care practice group at Miles & Stockbridge.

Any opinions expressed and any legal positions asserted in the article are those of the author(s) and do not necessarily reflect the opinions or positions of Miles & Stockbridge P.C. or its other lawyers. This article is for general information purposes and is not intended to be and should not be taken as legal advice on any particular matter. It is not intended to and does not create any attorney-client relationship. Because legal advice must vary with individual circumstances, do not act or refrain from acting on the basis of this article without consulting professional legal counsel. If you would like additional information on the subject matter of this article, please feel free to contact any of the lawyers listed above. If you communicate with us, whether through email or other means, your communication does not establish an attorney-client relationship with either Miles & Stockbridge P.C. or any of the firm's lawyers. At Miles & Stockbridge P.C., an attorney-client relationship can be formed only by personal contact with an individual lawyer, not by email, and requires our agreement to act as your legal counsel together with your execution of a written engagement agreement with Miles & Stockbridge P.C.