Because HIPAA’s civil penalties are substantial, employers with group health plans should periodically review their compliance with HIPAA’s rules.
On Jan. 17, 2020, the Department of Health and Human Services (HHS) published a final rule increasing the civil monetary penalties for violations of laws enforced by HHS, including the HIPAA privacy and security rules. HHS is required to adjust these penalties for inflation each year to improve their effectiveness and maintain its deterrent effect. The new penalty amounts are effective for penalties assessed on or after Jan. 17, 2020.
2020 HIPAA Civil Penalties
HHS may assess civil penalties when it discovers a HIPAA violation. The penalty amount depends on the facts involved.
- For violations where the covered entity does not know about the violation (and by exercising reasonable diligence, would not have known about the violation) the penalty amount is between $119 and $59,522 for each violation.
- If the violation is due to reasonable cause, the penalty amount is between $1,191 and $59,522 for each violation.
- For corrected violations that are caused by willful neglect, the penalty amount is between $11,904 and $59,522 for each violation.
- For violations caused by willful neglect that is not corrected, the penalty amount is $59,522 per violation, with an annual cap of $1,785,651 for all violations of an identical requirement.
Resolution Agreements
Instead of imposing civil penalties for HIPAA violations, HHS will often pursue a resolution agreement that requires the covered entity to take corrective action and pay a settlement amount (which is usually much less than the applicable penalty amount). However, if an agreement cannot be reached, HHS may pursue civil penalties.