By: HUB’s EB Compliance Team
The U.S. Department of Health and Human Services (“HHS”) recently released updated penalty amounts for violations of the Health Insurance Portability and Accountability Act, or HIPAA, among other laws. HIPAA requires health plans, health insurers, and their business associates (among others) to implement safeguards to protect the privacy of individuals’ health information.
The penalty amounts are adjusted annually for changes in the cost of living. These updated amounts for 2021 apply for penalties assessed on or after November 15, 2021 for violations that occurred on or after November 2, 2015. As you can see from the chart below, the penalty amounts vary based on the penalized entity’s level of care.
| Violation | 2021 (New) | 2020 |
| --- | --- | --- |
| A violation the entity did not know about and would not have known about using reasonable diligence. | | |
| Minimum per violation | $120 | $119 |
| Maximum per violation | $60,226 | $59,522 |
| Calendar Year Cap | $1,806,757 | $1,785,651 |
| The violation was due to reasonable cause and not willful neglect. | | |
| Minimum per violation | $1,205 | $1,191 |
| Maximum per violation | $60,226 | $59,522 |
| Calendar Year Cap | $1,806,757 | $1,785,651 |
| The violation was due to willful neglect and was corrected within 30 days after the entity knew of the violation (or would have known, using reasonable diligence). | | |
| Minimum per violation | $12,045 | $11,904 |
| Maximum per violation | $60,226 | $59,522 |
| Calendar Year Cap | $1,806,757 | $1,785,651 |
| The violation was due to willful neglect and was not corrected within 30 days after the entity knew of the violation (or would have known, using reasonable diligence). | | |
| Minimum per violation | $60,226 | $59,522 |
| Maximum per violation | $1,806,757 | $1,785,651 |
| Calendar Year Cap | $1,806,757 | $1,785,651 |
As we have noted previously, these new figures do not reflect HHS’s decision, announced in 2019, to apply lower penalty caps. Specifically, HHS said it would apply reduced calendar year caps for the first three tiers of violations. This meant that lower-level penalties had lower potential caps. However, because that announcement was merely a statement of what HHS planned to do from an enforcement perspective, this rulemaking may mean that HHS could still, in some cases, choose to apply the full caps. Given the change in administrations, it is unclear whether that statement still applies.
Regardless, a robust HIPAA compliance program can help avoid penalties like these. If you have any questions, please contact your HUB Advisor.
NOTICE OF DISCLAIMER
Neither Hub International Limited nor any of its affiliated companies is a law or accounting firm, and therefore they cannot provide legal or tax advice. The information herein is provided for general information only, and is not intended to constitute legal or tax advice as to an organization’s or individual's specific circumstances. It is based on Hub International's understanding of the law as it exists on the date of this publication. Subsequent developments may result in this information becoming outdated or incorrect and Hub International does not have an obligation to update this information. You should consult an attorney, accountant, or other legal or tax professional regarding the application of the general information provided here to your organization’s specific situation in light of your or your organization’s particular needs.
