HHS Issues Annual Adjusted Civil Penalties for HIPAA Violations

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued final regulations adjusting civil penalties for annual inflation, including penalties for violations of the Health Insurance Portability and Accountability Act (HIPAA). These include violations of HIPAA’s Privacy and Security Rules. The penalties are based on a four-tier structure that increases according to the level of culpability for the violation. The updated penalties went into effect November 5, 2019, and are listed in the table below:

Minimum Penalty / Maximum Penalty / Annual Limit

Tier 1: No Knowledge; no reasonable belief to know
Tier 2: Reasonable Cause
Tier 3: Willful Neglect; but timely corrected
Tier 4: Willful Neglect; not timely corrected

Please Note: In April 2019, OCR issued a Notice of Enforcement Discretion that significantly changed these HIPAA violation penalties. For example, the Annual Limit increased from $25,000 for Tier 1 to $1,500,000 for Tier 4 (check out our previous blog for a recap). HHS stated it would engage in further rulemaking to lower these amounts but has yet to do so. Until then, the inflated penalties above are based on an annual increase from the 2018 penalty structure that applied prior to the Notice.

The information and content contained in this blog post are for general informational purposes only, and do not, and are not intended to, constitute legal advice.

Capstone Administrators

© 2023 · The Capstone Group
