Skip to main content

Nixon Peabody LLP

  • People
  • Capabilities
  • Insights
  • About
Trending Topics
    • People
    • Capabilities
    • Insights
    • About
    • Locations
    • Events
    • Careers
    • Alumni
    Practices

    View All

    • Affordable Housing
    • Community Development Finance
    • Corporate & Finance
    • Cybersecurity & Privacy
    • Entertainment & Media
    • Environmental
    • Franchising & Distribution
    • Government Investigations & White Collar Defense
    • Healthcare
    • Intellectual Property
    • International Services
    • Labor, Employment, and Benefits
    • Litigation
    • Private Wealth & Advisory
    • Project Finance
    • Public Finance
    • Real Estate
    • Regulatory & Government Relations
    Industries

    View All

    • Aviation
    • Cannabis
    • Consumer
    • Energy
    • Financial Services
    • Healthcare
    • Higher Education
    • Infrastructure
    • Manufacturing
    • Nonprofit Organizations
    • Real Estate
    • Sports & Stadiums
    • Technology
    Value-Added Services

    View All

    • Alternative Fee Arrangements

      Developing innovative pricing structures and alternative fee agreement models that deliver additional value for our clients.

    • Continuing Education

      Advancing professional knowledge and offering credits for attorneys, staff and other professionals.

    • Crisis Advisory

      Helping clients respond correctly when a crisis occurs.

    • DEI Strategic Services

      Providing our clients with legal, strategic, and practical advice to make transformational changes in their organizations.

    • eDiscovery

      Leveraging law and technology to deliver sound solutions.

    • Environmental, Social, and Governance (ESG)

      We help clients create positive return on investments in people, products, and the planet.

    • Global Services

      Delivering seamless service through partnerships across the globe.

    • Innovation

      Leveraging leading-edge technology to guide change and create seamless, collaborative experiences for clients and attorneys.

    • IPED

      Industry-leading conferences focused on affordable housing, tax credits, and more.

    • Legal Project Management

      Providing actionable information to support strategic decision-making.

    • Legally Green

      Teaming with clients to advance sustainable projects, mitigate the effects of climate change, and protect our planet.

    • Nixon Peabody Trust Company

      Offering a range of investment management and fiduciary services.

    • NP Capital Connector

      Bringing together companies and investors for tomorrow’s new deals.

    • NP Second Opinion

      Offering fresh insights on cases that are delayed, over budget, or off-target from the desired resolution.

    • NP Trial

      Courtroom-ready lawyers who can resolve disputes early on clients’ terms or prevail at trial before a judge or jury.

    • Social Impact

      Creating positive impact in our communities through increasing equity, access, and opportunity.

    • Women in Dealmaking

      We provide strategic counsel on complex corporate transactions and unite dynamic women in the dealmaking arena.

    1. Home
    2. Insights
    3. Articles
    4. OCR revises HIPAA annual penalty limits to address culpability

      Articles

    Article

    OCR revises HIPAA annual penalty limits to address culpability

    May 23, 2019

    LinkedInX (Twitter)EmailCopy URL

    By Jéna Grady

    OCR published the Notification to alert the public that OCR is exercising its discretion in assessing Civil Money Penalties under HIPAA as amended by the HITECH Act.

    In April 2019, the Department of Health and Human Services Office for Civil Rights (OCR) issued a Notification of Enforcement Discretion Regarding HIPAA Civil Money Penalties (the Notification). OCR published the Notification to alert the public that OCR is exercising its discretion in assessing Civil Money Penalties under HIPAA as amended by the HITECH Act.  

    In February 2009, the HITECH Act established four categories for HIPAA violations with increasing penalty tiers based on the level of culpability. It also amended HIPAA by eliminating the prohibition on the penalties for a covered entity if it did not know and with reasonable diligence would not have known of a HIPAA violation. The four categories for HIPAA violations became the following:

    • No Knowledge: The person did not know (and, by exercising reasonable diligence, would not have known) that the person violated the provision
    • Reasonable Cause: The violation was due to reasonable cause, and not willful neglect
    • Willful Neglect—Corrected: The violation was due to willful neglect that is timely corrected
    • Willful Neglect—Not Corrected: The violation was due to willful neglect that is not timely corrected

    While the HITECH Act applied four different annual penalty limits (ranging from $25,000 to $1,500,000) based on the level of culpability, in the Interim Final Rule to implement the enhanced penalty provisions of the HITECH Act, OCR applied the highest annual cap of $1.5 million to all violations regardless of the level of culpability (see first table below). OCR provided that applying the highest annual limit for all levels of culpability was “the most logical reading” of the HITECH Act since this was “consistent with Congress’ intent to strengthen enforcement.”

    Culpability

    Minimum Penalty/Violation

    Maximum Penalty/Violation

    Annual Limit

    No Knowledge

    $100

    $50,000

    $1,500,000

    Reasonable Cause

    $1,000

    $50,000

    $1,500,000

    Willful Neglect—Corrected

    $10,000

    $50,000

    $1,500,000

    Willful Neglect—Not Corrected

    $50,000

    $50,000

    $1,500,000

     

    However, the Notification provides that upon further review OCR has concluded that a “better reading of the HITECH Act” is to apply annual limits based on the level of culpability (see second table below).

    Culpability

    Minimum Penalty/Violation

    Maximum Penalty/Violation

    Annual Limit

    No Knowledge

    $100

    $50,000

    $25,000

    Reasonable Cause

    $1,000

    $50,000

    $100,000

    Willful Neglect—Corrected

    $10,000

    $50,000

    $250,000

    Willful Neglect—Not Corrected

    $50,000

    $50,000

    $1,500,000

    OCR will use the above penalty tier structure, as adjusted for inflation, until further notice and plans to have future rulemaking to modify the penalty tiers in the current regulation “to better reflect the text of the HITECH Act.”

    Given the significant decrease of the annual limits for all but one category for HIPAA violations, covered entities and business associates may welcome OCR’s revised reading of the HITECH Act. This change in the annual limits may be especially welcomed since OCR under the previous penalty tiers collected $28.7 million from settlements and cases in 2018 (see February 27, 2019 NP Privacy Partner Blog Post).

    The foregoing has been prepared for the general information of clients and friends of the firm. It is not meant to provide legal advice with respect to any specific matter and should not be acted upon without professional counsel. If you have any questions or require any further information regarding these or other related matters, please contact your regular Nixon Peabody LLP representative. This material may be considered advertising under certain rules of professional conduct.

    Subscribe to stay informed of the latest legal news, alerts, and business trends.Subscribe

    • People
    • Capabilities
    • Insights
    • About
    • Locations
    • Events
    • Careers
    • Alumni
    • Cookie Preferences
    • Privacy Policy
    • Terms of Use
    • Accessibility Statement
    • Statement of Client Rights
    • Purchase Order Terms & Conditions
    • Nixon Peabody International LLC
    • PAL
    © 2025 Nixon Peabody. All rights reserved