The Department of Health and Human Services (HHS) published a final rule increasing the civil monetary penalties for violations of laws enforced by HHS, including the Health Insurance Portability and Accountability Act’s (HIPAA) privacy and security rules.
Each year, HHS is required to adjust these penalties for inflation to improve effectiveness and maintain their deterrent effect. The new penalty amounts are effective for penalties assessed on or after January 17, 2020.
2020 HIPAA Civil Penalties
HHS may assess civil penalties when it discovers a HIPAA violation. The penalty amounts will depend on facts involved. For example:
- If the covered entity does not know about the violation and exercises reasonable diligence, the penalty amount would be between $119 and $59,522 for each violation.
- If the violation is due to reasonable cause, the penalty amount would be between $1,191 and $59,522 for each violation.
- If there are corrected violations caused by willful neglect, the penalty amount would be between $11,904 and $59,522 for each violation.
- If violations are caused by willful neglect that are not corrected, the penalty amount would be $59,522 per violation with an annual cap of $1,785,651 for all violations of an identical requirement.
Common HIPAA Violations
- Impermissible uses or disclosures of protected health information (PHI)
- Lack of safeguards on PHI
- Lack of patient access to their PHI
- Lack of administrative safeguards for electronic PHI
- Use or disclosure of more than the minimum necessary PHI
The HHS will often pursue a resolution agreement that requires the covered entity to take corrective action and pay a settlement amount, which is usually less than the applicable penalty amount. If an agreement cannot be reached, HHS may pursue civil penalties.
To avoid civil penalty, employers with group health plans should review their compliance with HIPAA’s rules on a consistent basis.
For more information, click here.
Questions? Contact Creative Benefits at 866-306-0200 or email@example.com.