The Office for Civil Rights (OCR), which prosecutes health care providers, carriers and their business associates for violating HIPAA, has cut the penalties for three out of the four tiers of privacy and security violations. Previously, all four violation tiers were subject to annual maximum civil monetary penalties of $1.5M.
Now, the lowest tier, applicable when it is reasonable to conclude that the violator was not aware that its practice violated HIPAA, will have a $25,000 maximum annual penalty.
The second tier, will apply a maximum annual penalty of $100,000 for a violation with a reasonable cause, but not willful neglect.
The third tier, involving violators that were willfully negligent, but were able to correct the violation within 30 days, will face a maximum annual penalty of $250,000.
The fourth tier, applicable to a violation that is the result of willful neglect that is not corrected, will maintain the $1.5M maximum annual penalty.
It is possible that the OCR could make up for the lower maximum annual penalties by alleging more violations in each case, but the OCR’s announcement in this regard does indicate that settlements for privacy and security violations for many cases could be lower in the future compared to past settlements.
Barry F. Rosen
410-576-4224 • firstname.lastname@example.org