Employee Benefit News for School, City and County Employers

HIPAA Violation Civil Penalties Increased

Written by Erin Woulfe | Oct 13, 2023 11:52:40 AM


The U.S. Department of Health and Human Services (HHS) published a final rule regarding penalties for HIPAA Privacy and Security Rules. It will apply to penalties assessed on or after October 6, 2023. All civil penalty amounts have increased.

 

Penalties

The penalties are arranged into four tiers, depending upon violation type. Penalty amounts range from $137 to $68,928. The annual penalty cap is $2,067,813.

The most frequently reported HIPAA compliance problems, resulting in penalties, include:

  • Lack of safeguards on personal health information (PHI)
  • Impermissible uses or disclosures of PHI
  • Lack of patient access to PHI
  • Lack of administrative safeguards for electronic PHI
  • Use or disclosure of more than the minimum necessary PHI

 

HIPAA Enforcement

If a HIPAA violation has occurred, the HHS’ Office for Civil Rights (OCR) may issue a resolution agreement instead of a penalty. A resolution agreement requires the employer to take corrective action and pay a settlement amount, which is much lower than a penalty amount. If no action is taken, the OCR may decide to impose civil penalties.

To ensure compliance, employers with group health plans should periodically review their Privacy and Security Rules.