HIPAA violation fines

Will we see reduced HIPAA fines?

Are reduced HIPAA fines on the way?

In 2019 we wrote an OCR letter that discussed the possible reduction of HIPAA fines. We were all for it - read about it here - OCR Caps HIPAA Fines.

It looks like OCR is ready to change the annual penalty cap structure. The new caps would be as follows:

  • Tier 1 (no knowledge of violation): $100 to $50,000 per violation; capped at $25,000 per year
  • Tier 2 (reasonable cause): $1,000 to $50,000 per violation; capped at $100,000 per year
  • Tier 3 (willful neglect, corrected): $10,000 to $50,000 per violation; capped at $250,000 per year
  • Tier 4 (willful neglect, not corrected): $50,000 per violation; capped at $1.5 million per year

Once again, we welcome this change because, as we said before, the costs incurred by the victim of a breach far exceed the OCR penalties, so they really weren't working as a deterrent, and were instead just adding to an already incredibly expensive experience.

What we hope readers don't think is that the pressure is off to comply with HIPAA or take their cybersecurity investment seriously. We're in an epidemic of breaches caused by sophisticated attackers, novices, internal mistakes, and procedural failures. It was never the penalty that was going to be your most costly component.

Additionally, NIST has just issued a revision of 800-66 that updates best practices for meeting the Security Rule requirements under HIPAA. Basically, while the penalty caps may be reduced, the expectations have increased, and therefore so has the likelihood of being penalized by OCR.

Do not let your guard down. Every healthcare facility in the US is a target, and you must stay vigilant. Recurrent training, reviewing procedures, regular assessments, and network vulnerability tests should be in place. If you need assistance with any of this, we can help.

HIPAA Security Reminders
HIPAA Security Suite has developed a weekly HIPAA Security Reminder series that’s FREE for all of us who are responsible for, or engaged in, the use and protection of PHI.

Pursuant to Section 164.308(a)(5) of the HIPAA Security Rule, the Standard states: Implement a security awareness and training program for all members of its workforce (including management).

This standard is part of our Best Practices Recommendations for HIPAA Security Suite users, but it’s available for FREE to anyone who wants to comply with HIPAA using the easiest, best tools available.
