On April 23, 2019, the U.S. Department of Health & Human Services (HHS) published a Notification of Enforcement Discretion Regarding HIPAA Civil Money Penalties (CMP) outlining interim annual limits for HIPAA violations. HHS believes the revised annual limits “reflect the most logical reading of the HITECH Act.” These amounts are subject to change pending further rulemaking.

The prior annual limits on CMPs were $1.5 million for any type of violation (no knowledge, reasonable cause, willful neglect – corrected, and willful neglect – not corrected). The new annual limits will be as follows:

  1. No knowledge: $25,000;
  2. Reasonable cause: $100,000;
  3. Willful neglect – corrected: $250,000; and
  4. Willful neglect – not corrected: $1.5 million.

HHS did not modify the amounts for minimum and maximum penalty per violation. Revising the annual CMP limits appears to be a step in the right direction by giving credit to those entities that have taken steps to meet and comply with HIPAA’s requirements. How these interim annual limits will be used against providers remains to be seen.