Civil Monetary Penalties

Under federal government logic, when the cost of living goes up, the amounts of monetary penalties for violations of certain federal laws must go up too. So, in November of 2021, the Department of Health and Human Services announced that it was raising the civil monetary penalties for each of the four tiers of HIPAA violations. The new dollar values are discussed below.

What Are the 4 Tiers of Civil Monetary Penalties?

The increased civil monetary penalties apply to penalties assessed by HHS on or after November 15, 2021, for those violations that occurred on or after November 2, 2015. 

Penalty amounts for violation of the HIPAA Privacy Rule, the HIPAA Security Rule, and the HIPAA Breach Notification Rule fall into one of four tiers:

  • Tier 1 is for the least serious infractions. Tier 1 penalties are issued when a HIPAA violation occurred because a covered entity or business associate lacked knowledge of the rule that it violated. To qualify as a Tier 1 penalty, the violation must also be one that could not have been avoided, had an organization taken a reasonable amount of care to comply with HIPAA.
  • Tier 2 violations are those violations committed by a covered entity or business associate that they should have been aware of. To qualify as a Tier 2 violation, the violation must also have been one that could have been avoided even with a reasonable amount of care.
  • Tier 3 violations are more serious than Tier 1 or Tier 2 violations. Tier 3 violations are those that occurred as a result of willful neglect of the HIPAA rules. The HIPAA regulations define “willful neglect” as “conscious, intentional failure or reckless indifference to the obligation to comply” with the HIPAA rules. Tier 3 violations are those that have been corrected during the 30-day period beginning on the first date the covered entity or business associate liable for the penalty knew, or, by exercising reasonable diligence, would have known that the violation occurred. Tier 3 violations are violations that have been “fixed.”
  • Tier 4 violations are those involving a willful neglect of the HIPAA rules. OCR imposes Tier 4 penalties when the covered entity or business associate has made no attempt to remedy the violation.


What’s the Damage?

Each tier has a minimum and maximum penalty amount. Each tier also has a calendar-year cap. The adjusted civil monetary penalties for each tier are as follows:

  • Tier 1: The civil monetary penalties for Tier 1 range from the minimum amount of $120 (up from $119 in 2020) to the maximum amount of $60,226 (up from 2020’s $59,522 figure). The maximum annual penalty (that is, the penalty for multiple violations of an identical provision in a given calendar year) is now $1,806,757, having gone up from 2020’s $1,885,651 figure. 
  • Tier 2: The civil monetary penalties for Tier 2 range from the minimum amount of $1,205 (up from $1,191 in 2020) to the maximum amount of $60,226 (up from $59,522). The calendar-year cap is the same as for Tier 1 violations: $1,806,757 (increased from $1,785,651).
  • Tier 3: The Tier 3 minimum penalty is $12,045 (up from $11,904) and the maximum penalty is the same as that for Tier 2: $60,226 (up from $59,522). The calendar-year cap is the same as the calendar-year cap for Tiers 1 and 2: $1,806,757 (up from $1,785,651).
  • Tier 4: The Tier 4 minimum penalty is $60,226 (up from $59,222). The Tier 4 minimum penalty is the same amount as the Tier 3 maximum. Both the Tier 4 maximum penalty and the Tier 4 calendar year cap are $1,806,757 (up from $1,785,651). 

Will HHS Actually Fine Companies $1,806,757 for Tier 1 to 3 Calendar Year Violations?

In 2019, HHS announced that it would use its enforcement discretion to lower the maximum annual caps for Tiers 1, 2, and 3, to $25,000, $100,000, and $250,000 (not adjusted for inflation), respectively, all lowered from $1,500,000. Using this enforcement discretion, HHS has applied these caps in situations where a covered entity or business associate has committed multiple violations of an identical provision in a calendar year. 

HHS continues to publish the higher numbers (the $1,806,757 calendar-year cap figure for all four tiers) as the amounts that would be issued if it ceased to use its enforcement discretion. HHS is required by law to provide notification of withdrawal of enforcement discretion. Since this has not yet happened, providers and business associates can expect that the calendar-year caps will continue to be $25,000, $100,000, $250,000, and $1,500,000 for Tiers 1, 2, 3, and 4, respectively.
