What Are the 4 Tiers of Civil Monetary Penalties?
The increased civil monetary penalties apply to penalties assessed by HHS on or after November 15, 2021, for those violations that occurred on or after November 2, 2015.
Penalty amounts for violations of the HIPAA Privacy Rule, the HIPAA Security Rule, and the HIPAA Breach Notification Rule fall into one of four tiers:
- Tier 1 is for the least serious infractions. Tier 1 penalties are issued when a HIPAA violation occurred because a covered entity or business associate lacked knowledge of the rule it violated. To qualify as a Tier 1 penalty, the violation must also be one that could not have been avoided, even had the organization taken a reasonable amount of care to comply with HIPAA.
- Tier 2 violations are those committed by a covered entity or business associate that it should have been aware of. To qualify as a Tier 2 violation, the violation must also have been one that could have been avoided even with a reasonable amount of care.
- Tier 3 violations are more serious than Tier 1 or Tier 2 violations. Tier 3 violations are those that occurred as a result of willful neglect of the HIPAA rules. The HIPAA regulations define “willful neglect” as “conscious, intentional failure or reckless indifference to the obligation to comply” with the HIPAA rules. Tier 3 violations are those that have been corrected during the 30-day period beginning on the first date the covered entity or business associate liable for the penalty knew, or, by exercising reasonable diligence, would have known, that the violation occurred. In other words, Tier 3 violations are violations that have been “fixed.”
- Tier 4 violations are those involving a willful neglect of the HIPAA rules. OCR imposes Tier 4 penalties when the covered entity or business associate has made no attempt to remedy the violation.