No. Your eyes are not playing tricks on you and there is not a typo in my title. HHS just announced that it is decreasing the annual limit on penalties for HIPAA violations for three of the four tiers of violations.

In 2009, Congress used the HITECH Act to greatly increase the penalties that HHS could assess for HIPAA violations. HITECH established four tiers of violations with increasing penalties based on the level of culpability. Since enactment of HITECH, there has been controversy around whether the $1,500,000 cap should really be applied to all penalty levels if the penalties were supposed to be tiered based on culpability. In the final regulations implementing HITECH that were issued in 2013, HHS kept this interpretation and has been issuing penalties based on the following chart:

| Culpability | Minimum Penalty Per Violation | Maximum Penalty Per Violation | Annual Limit |
|---|---|---|---|
| No Knowledge | $100 | $50,000 | $1,500,000 |
| Reasonable Cause | $1,000 | $50,000 | $1,500,000 |
| Willful Neglect – Corrected | $10,000 | $50,000 | $1,500,000 |
| Willful Neglect – Not Corrected | $50,000 | $50,000 | $1,500,000 |

This week HHS came out with Notification of Enforcement Discretion Regarding HIPAA Civil Money Penalties, which stated that upon further review of the statute, HHS has determined a better reading of the statute is to apply a tiered annual limit as well. Under the new HHS interpretation, the following chart illustrates the new maximum penalties that all HHS HIPAA enforcement actions will use until further notice:

| Culpability | Minimum Penalty Per Violation | Maximum Penalty Per Violation* | Annual Limit |
|---|---|---|---|
| No Knowledge | $100 | $50,000 | $25,000 |
| Reasonable Cause | $1,000 | $50,000 | $100,000 |
| Willful Neglect – Corrected | $10,000 | $50,000 | $250,000 |
| Willful Neglect – Not Corrected | $50,000 | $50,000 | $1,500,000 |

* I don’t understand how the maximum penalty per violation can be more than the annual limit, but this chart is exactly as it appears in the HHS Notification.

While it is good news for covered entities and business associates that HHS is relaxing the annual limit for many violations, these penalties can still add up quickly. The annual limit applies to each identical violation in a year. Where a covered entity or business associate has multiple violations (which is often the case where there is a breach), HHS can issue the maximum annual limit penalty for each separate violation. Also, these penalties are being adjusted for inflation each year, so expect minor increases each year to the annual limits as well.