Civil Monetary Penalties

Under federal government logic, when the cost of living goes up, the amounts of monetary penalties for violations of certain federal laws must go up too. So, in November of 2021, the Department of Health and Human Services announced that it was raising the civil monetary penalties for each of the four tiers of HIPAA violations. The new dollar values are discussed below.

What Are the 4 Tiers of Civil Monetary Penalties?

The increased civil monetary penalties apply to penalties assessed by HHS on or after November 15, 2021, for those violations that occurred on or after November 2, 2015. 

Penalty amounts for violations of the HIPAA Privacy Rule, the HIPAA Security Rule, and the HIPAA Breach Notification Rule fall into one of four tiers:

  • Tier 1 is for the least serious infractions. Tier 1 penalties are issued when a HIPAA violation occurred because a covered entity or business associate lacked knowledge of the rule that it violated. To qualify as a Tier 1 penalty, the violation must also be one that could not have been avoided, had an organization taken a reasonable amount of care to comply with HIPAA.
  • Tier 2 violations are those that a covered entity or business associate should have been aware of. To qualify as a Tier 2 violation, the violation must also have been one that could have been avoided even with a reasonable amount of care.
  • Tier 3 violations are more serious than Tier 1 or Tier 2 violations. Tier 3 violations are those that occurred as a result of willful neglect of the HIPAA rules. The HIPAA regulations define “willful neglect” as “conscious, intentional failure or reckless indifference to the obligation to comply” with the HIPAA rules. Tier 3 violations are those that have been corrected during the 30-day period beginning on the first date the covered entity or business associate liable for the penalty knew, or, by exercising reasonable diligence, would have known that the violation occurred. Tier 3 violations are violations that have been “fixed.”
  • Tier 4 violations are those involving a willful neglect of the HIPAA rules. OCR imposes Tier 4 penalties when the covered entity or business associate has made no attempt to remedy the violation.

What’s the Damage?

Each tier has a minimum and maximum penalty amount. Each tier also has a calendar-year cap. The adjusted civil monetary penalties for each tier are as follows:

  • Tier 1: The civil monetary penalties for Tier 1 range from the minimum amount of $120 (up from $119 in 2020) to the maximum amount of $60,226 (up from 2020’s $59,522 figure). The maximum annual penalty (that is, the penalty for multiple violations of an identical provision in a given calendar year) is now $1,806,757, having gone up from 2020’s $1,885,651 figure. 
  • Tier 2: The civil monetary penalties for Tier 2 range from the minimum amount of $1,205 (up from $1,191 in 2020) to the maximum amount of $60,226 (up from $59,522). The calendar-year cap is the same as for Tier 1 violations: $1,806,757 (increased from $1,785,651).
  • Tier 3: The Tier 3 minimum penalty is $12,045 (up from $11,904) and the maximum penalty is the same as that for Tier 2: $60,226 (up from $59,522). The calendar-year cap is the same as the calendar-year cap for Tiers 1 and 2: $1,806,757 (up from $1,785,651).
  • Tier 4: The Tier 4 minimum penalty is $60,226 (up from $59,222). The Tier 4 minimum penalty is the same amount as the Tier 3 maximum. Both the Tier 4 maximum penalty and the Tier 4 calendar year cap are $1,806,757 (up from $1,785,651). 

Will HHS Actually Fine Companies $1,806,757 for Tier 1 to 3