HIPAA Violation Penalties Revised
On April 30, 2019 The Department of Health and Human Services (HHS) announced that “HHS will apply a different cumulative annual CMP limit for each of the four penalties tiers in the HITECH Act.” Unlike other notices which require a proposed rule with a comment period, this notice will take effect immediately because the law allows HHS to revise penalty amounts as they see fit.
To give context to these changes: in 2013, a ruling imposed a maximum annual Civil Monetary Penalty (CMP) of $1.5 million for each 'tier' of culpability. The following table outlines the previous and new penalties:
Type of Violation                 | Fine per Violation  | Old Annual Limit per Violation | New Annual Limit per Violation
----------------------------------|---------------------|--------------------------------|-------------------------------
No Knowledge                      | $100 - $50,000      | $1.5 Million                   | $25,000
Reasonable Cause                  | $1,000 - $50,000    | $1.5 Million                   | $100,000
Willful Neglect - Corrected       | $10,000 - $50,000   | $1.5 Million                   | $250,000
Willful Neglect - Not Corrected   | At Least $50,000    | $1.5 Million                   | $1.5 Million
Keep in mind that this is an annual limit. So if an investigation finds that a violation occurred over the course of two years, your maximum penalty could be as much as $3 million. The good news is that, if your organization did not know (and even with reasonable diligence would not have known) of the violation, your maximum penalty drops significantly.
Interestingly, HHS also stated that "HHS expects to engage in future rulemaking to revise the penalty tiers in the current regulation to better reflect the text of the HITECH Act." There is no timeline for when to expect these proposed changes.
For those with a copy of the HIPAA Compliance 4th Edition, please update the penalty tables on pages 13 and 76 to reflect these changes.