The U.S. Department of Health and Human Services (“HHS”) recently issued an interim final rule (the “HHS Rule”), which sets out inflation adjustments to the civil monetary penalty (“CMP”) amounts that HHS is authorized to assess or enforce, including for violations of the HIPAA privacy and security rules. The HHS Rule was issued for compliance with the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015, which was enacted on November 2, 2015 (the “2015 Act”). The 2015 Act requires federal agencies to (i) adjust the level of CMP amounts with an initial “catch up” adjustment and (ii) make subsequent annual adjustments for inflation. The HIPAA CMP amounts had not been adjusted since 2009. Under the HHS Rule, HIPAA CMP amounts are increased by 10.2% for violations of the HIPAA privacy or security rules by a covered entity or a business associate, as follows:
Please click here to view the table.
The increased CMP amounts are applicable to HIPAA violations occurring after November 2, 2015, for which CMPs are assessed after August 1, 2016.
The HHS Rule is available here.