2018 was a banner year for HIPAA enforcement, with the Department of Health and Human Services, Office for Civil Rights reaching an all-time record of $28.7 million in enforcement actions. 2018 surpassed the previous high of $23.5 million in enforcement actions in 2016. The majority of these enforcement actions resulted from data breaches and other impermissible disclosures of patient information. A consistent factor in these enforcement actions was insufficient adherence to the requirements of the HIPAA privacy and security rules relating to appropriate and/or effective policies and procedures.

The civil money penalties for HIPAA are based on a four-tier system set forth in a 2013 final rule implementing portions of the 2009 HITECH Act. The four-tier system takes into account the level of culpability associated with the alleged HIPAA violation. The four tiers range from violations of which a HIPAA covered entity had no knowledge prior to their occurrence to violations in which the covered entity willfully neglected its HIPAA obligations and failed to correct known violations in a timely manner. Despite the four tiers being based on the level of culpability of the HIPAA covered entity, each of the four tiers had the same maximum annual civil money penalty limit of $1,500,000.

On Friday, April 26, 2019, HHS released an unpublished rule scheduled for official publication on April 30, 2019, revising the maximum civil money penalty limits of the four tiers. The revised limits are set forth below.

Essentially, the new revisions to the rule limit the total annual penalty amount that a covered entity may incur based on that entity's level of culpability for the alleged violations. The lower the level of culpability, the lower the annual limit for civil money penalties. This change provides a tangible reward for HIPAA covered entities and business associates that take the time to implement and periodically update policies, procedures and practices aimed at complying with the HIPAA privacy and security rules.

Bill Dillon is Board Certified in Health Law by the Florida Bar and holds the Certified Information Privacy Professional credential (CIPP/US) from the International Association of Privacy Professionals. He is a member of Gunster's government affairs and health law practices.

This publication is for general information only. It is not legal advice, and legal counsel should be contacted before any action is taken that might be influenced by this publication.

About Gunster

Gunster, Florida’s law firm for business, provides full-service legal counsel to leading organizations and individuals from its 12 offices statewide. Established in 1925, the firm has expanded, diversified and evolved, but always with a singular focus: Florida and its clients’ stake in it. A magnet for business-savvy attorneys who embrace collaboration for the greatest advantage of clients, Gunster’s growth has not been at the expense of personalized service but because of it. The firm serves clients from its offices in Boca Raton, Fort Lauderdale, Jacksonville, Miami, Orlando, Palm Beach, Stuart, Tallahassee, Tampa, The Florida Keys, Vero Beach, and its headquarters in West Palm Beach. With nearly 200 attorneys and 200 committed support staff, Gunster is ranked among the National Law Journal’s list of the 500 largest law firms and has been recognized as one of the Top 100 Diverse Law Firms by Law360. More information about its practice areas, offices and insider’s view newsletters is available at