Benefits Law Update
        Practical advice from Verrill attorneys

        Enhanced Penalties and Stiffer Enforcement for HIPAA Violations

        by Eric D. Altholz on April 7, 2013

        In our two prior posts concerning the Final Omnibus Rule under HIPAA we focused on changes to the breach notification requirements and rule changes affecting business associates. We now turn to the augmented penalty and enforcement provisions incorporated in the Final Rule. Many commentators have perceived stepped up enforcement activity by the U.S. Department of Health and Human Services (“HHS”) and the changes in the penalty and enforcement provisions suggest that there will be much more of that to come.

        Under HIPAA covered entities and business associates can be subject to both civil and criminal penalties for violations for privacy and security requirements. Prior to the HITECH Act, HIPAA authorized civil monetary penalties of up to $100 per violation, with a maximum aggregate penalty of $25,000 per year for any given violation. Moreover, civil penalties were generally imposed only in egregious cases – with the Office of Civil Rights (the division of HHS charged with HIPAA enforcement) essentially directed first to use other means to assist in the correction of violations and to resolve complaints. The Final Rule incorporates the increases in civil penalties authorized under the HITECH Act and introduces a tiered penalty structure designed to reflect the nature and circumstances of the violation.

        Under the Final Rule the maximum penalty for a given HIPAA violation is $1.5 million, and the penalty to be assessed corresponds to the level of culpability that characterizes the violation:

        1. If the covered entity or business associate did not know of the violation and would not have known of the violation by exercising reasonable due diligence, a civil penalty of $100 to $50,000 per violation may be assessed.
        2. If the violation was due to “reasonable cause” (defined as an act or omission that “a covered entity or business associate knew, or by exercising reasonable due diligence would have known” violated a HIPAA provision, but that does not constitute willful neglect), the civil penalty will be $1,000 to $50,000 per violation.
        3. If the violation was the result of willful neglect, but was corrected within 30 days of discovery, a civil penalty of $10,000 to $50,000 per violation may be assessed.
        4. If the violation was the result of willful neglect and was not corrected in a timely fashion, the civil penalty will be $50,000 to $1.5 million per violation.

        Note that the penalties assessed against a covered entity or business associate may well exceed $1.5 million if multiple HIPAA requirements have been violated because each category of violation may be counted separately (in addition to counting multiple violations of the same provision).

        Importantly, the Final Rule provides an affirmative defense for any violation in tier 1 (unknown and “unknowable” violations) and tier 2 (violations due to “reasonable cause”) if the violation is corrected within 30 days of the date the covered entity or business associate learned or should have learned of the violation. The Final Rule allows some discretion to expand this 30 day time period depending upon the nature and extent of the covered entity’s or business associate’s failure to comply.

        The Final Rule also makes two changes to the HIPAA enforcement scheme that would appear to foreshadow increases in both the severity and potential scope of enforcement activity. First, HHS is no longer required to attempt to informally resolve complaints. Rather, the Final Rule gives HHS discretion to determine whether it will attempt informal resolution of a complaint or proceed with a formal penalty assessment process right away. (Indeed, given the structure of the civil penalty tiers, it would appear that a penalty is to be assessed unless the covered entity or business associate can show that the violation was not due to willful neglect and was corrected within 30 days.) Second, subject to the applicable limitations of HIPAA, HHS may now share information gathered in any investigation or compliance review with other law enforcement agencies (such as state Attorney General offices) that might have an interest in pursuing their own investigations.

        One final observation for employers that sponsor self-funded group health plans. The Final Rule expressly provides for the assessment of civil penalties against a covered entity for HIPAA violations committed by a business associate acting as its agent. In determining whether an “agency” relationship exists, HHS will apply federal common law principles concerning a covered entity’s “right or authority to control” a business associate to determine whether the business associate is acting as an agent (regardless of the whether a business associate agreement is in place). This means that employers – who essentially act as surrogates for their self-funded group health plans for HIPAA purposes – will need to be more vigilant than ever in monitoring the activities of their business associates and should seek to enhance the contractual protections that can be negotiated into business associate agreements (for example, through indemnification provisions).

        Clearly, in the area of HIPAA enforcement, the honeymoon is over.

        Benefits Law Update

        Verrill’s Benefits Law Update blog delivers timely insights and practical guidance on the ever-evolving landscape of employee benefits and executive compensation. Our blog provides up-to-date analysis and commentary on a wide range of topics, including timely updates on developments in law affecting employee benefit plans and executive compensation arrangements.

        Subscribe

        Looking for more great content? Subscribe for regular legal updates and information delivered right to your inbox.

        Firm Highlights

        Alerts and Newsletters

        Maine’s New Employer Surveillance Law, 26 M.R.S. § 620-A

        Effective July 14, 2026 Maine employers that electronically monitor employees must comply with a new disclosure law effective July 14, 2026. Under...
        Press Releases

        Verrill Recognized by U.S. News as One of the Best Law Firms to Work for in 2026

        BOSTON, Mass., BANGOR and PORTLAND, Maine, GREENWICH and WESTPORT, Conn., – Verrill has been featured on U.S. News’ 2026 Best Companies to Work...
        Blog

        SECURE 2.0 Roth Catch-Up Rules and the 403(b) 15-Year Catch-Up: What Tax-Exempt Employers Need to Know

        Tax-exempt employers whose 403(b) plans offer catch-up contributions for participants age 50 and above should be well on their way to compliance with...
        Media Mentions

        Robert Keach Quoted in Law360 on SIMAD Summer Camp Bankruptcy Sale

        Verrill attorney Robert Keach was recently quoted in a Law360 article examining the Chapter 11 bankruptcy proceedings involving SIMAD Holdings and...
        Media Mentions

        Chris Tsouros Featured in Law360’s Coverage of Sports Real Estate Deals

        Verrill Partner Chris Tsouros was recently recognized in a Law360 article highlighting law firms involved in significant sports real estate projects...
        Blog

        What Maine’s New Employer Surveillance Law Means for Maine Employers

        Maine employers who monitor their workforce, whether through productivity software, GPS, call recording, or cameras, have a new compliance obligation...
        Blog

        Run Don’t Walk: The Implication of “While Supplies Last” Prize Promotions

        This month a big-chain grocery store has been offering daily mystery boxes during specific timed drops on a first-come, first-served basis, to users...
        Blog

        Maine’s Noncompete Statute is Reshaped for Health Care Workers: What You Need to Know

        Employers of individuals who are licensed under state law to perform, or provide, health care services in the State of Maine should be prepared for...
        Media Mentions

        Steven Davis Featured in the Environmental Business Journal

        Steven Davis, President of Verrill Strategic Consulting, was recently interviewed and featured in the Environmental Business Journal, Volume 39...
        Blog

        What is a Bonus for Purposes of ERISA?

        An ongoing dispute about a Department of Labor advisory opinion published last September raises a basic but unanswered question under the ERISA: What...
        Media Mentions

        Verrill Recognized by WMTW for Partnership Supporting Hunger Relief in Maine

        Verrill was recently featured in coverage by WMTW News 8 for its role in a collaborative effort to combat food insecurity across southern...
        Press Releases

        33 Verrill Attorneys, Across Four Offices, Recognized in the 2026 Chambers USA Guide

        BOSTON, Massachusetts, PORTLAND, Maine, WESTPORT, Connecticut, and WASHINGTON, D.C. – Verrill has been recognized as a Leading Firm in 14...