Those who want to see HHS/OCR come down like a ton of bricks on more entities and impose heavier civil monetary penalties for HIPAA breaches will likely not be happy to learn that HHS has decided to reduce the maximum civil penalties it will impose for the four tiers of violations of HIPAA.
Under the system until now, penalties have been capped this way:
Table 1: Penalty tiers under the Enforcement Rule
| Culpability | Minimum Penalty/Violation | Maximum Penalty/Violation | Annual Limit |
|---|---|---|---|
| No Knowledge | $100 | $50,000 | $1,500,000 |
| Reasonable Cause | $1,000 | $50,000 | $1,500,000 |
| Willful Neglect – Corrected | $10,000 | $50,000 | $1,500,000 |
| Willful Neglect – Not Corrected | $50,000 | $50,000 | $1,500,000 |
Under the revised system, the penalties are capped as shown in Table 2, below:
Table 2: Penalty Tiers under Notification of Enforcement Discretion
| Culpability | Minimum Penalty/Violation | Maximum Penalty/Violation | Annual Limit |
|---|---|---|---|
| No Knowledge | $100 | $50,000 | $25,000 |
| Reasonable Cause | $1,000 | $50,000 | $100,000 |
| Willful Neglect – Corrected | $10,000 | $50,000 | $250,000 |
| Willful Neglect – Not Corrected | $50,000 | $50,000 | $1,500,000 |
HHS’s notification, which will be published in the Federal Register on April 30, explains their reasoning and justification for exercising their discretion in this way. I’ve reproduced the notification, below.
2019-08530