Last month, the U.S. Department of Health and Human Services said it would no longer apply the same maximum fines to all HIPAA violations regardless of fault or blameworthiness.
Before, the agency used the same maximum annual penalty, $1.5 million, for all violations regardless of whether or not you knew you violated HIPAA; whether or not you fixed it afterward; or whether or not you were even negligent.
Now, if you didn’t know and couldn’t have known that you messed up, the maximum for that violation is $25,000; if you were negligent, it’s $100,000; if you were more than negligent but timely fixed it, $250,000; and if you were more than negligent and didn’t fix it then the maximum is still $1,500,000.
The new limits have limits themselves. They will adjust for inflation, for example. They apply per year, so they can add up across multiple years. And they come purely as an exercise of the agency’s discretion, so they may disappear tomorrow.
But still, they draw the law closer to good sense and reason, and that’s always a good thing.