On April 26, 2019, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights announced reductions in available penalties for three out of four tiers of privacy and security violations set forth in the HITECH Act, based on the severity of the violation. Previously, all four tiers of violation were subject to a maximum annual civil monetary penalty of $1.5 million. The revised regime provides for maximum civil penalties of $25,000 for the lowest tier of violation (i.e., unknowing violations), $100,000 for the second tier of violation (i.e., violations where the company had a reasonable cause for the violation occurring) and $250,000 for the third tier of violation (i.e., where the company is willfully neglectful but corrects the violation within 30 days). The maximum penalty for violations resulting from uncorrected willful neglect will remain $1.5 million. The revised penalty tier was published in a Federal Register Notice, which explained HHS’s determination that a better reading of the HITECH Act is to apply annual penalty limits according to severity of the violation. The new penalty rates are effective immediately.