The Final Rule retains the increased civil monetary penalties for HIPAA violations that were set forth under the HITECH Act. The new tiered penalty system currently applies to Covered Entities (CE) and under the Final Rule it will be applicable to Business Associates (BA) and their subcontractors. The penalty amounts range from $100/violation, up to a maximum penalty of $1.5 million for violations of the same HIPAA provision in a calendar year. Penalties in the four-tiered system increase based on the level of culpability. The lowest level of penalties ($100 to $50,000 per violation) applies to situations where the CE or BA did not know about the HIPAA violation. The highest penalty level, which starts at $50,000 per violation, applies when the CE or BA demonstrated “willful neglect” in violating HIPAA, and it failed to correct the violation.
Taken in part from: Miller & Martin, PLLC 3/8/2013