Adjusted Penalties for Violations of HIPAA Privacy, Security and Breach Laws

Civil enforcement of the HIPAA privacy, security and breach notification rules is delegated to the HHS Office for Civil Rights (OCR); criminal violations are referred to the U.S. Department of Justice. The HITECH Act established four tiers of civil monetary penalties, graded by the violator's level of culpability, that OCR may impose on covered entities and their business associates for violations of the HIPAA Administrative Simplification rules. In a notice of enforcement discretion published April 30, 2019, HHS revised the annual penalty limits it applies to each tier.

Categories of Violations and Respective Penalty Amounts Available

Violation Category                                          Maximum Penalty per Violation    Annual Limit
Did not know a violation occurred                           (not preserved)                  (not preserved)
Violation due to reasonable cause and not willful neglect   (not preserved)                  (not preserved)
Violation due to willful neglect but corrected              (not preserved)                  (not preserved)
Violation due to willful neglect and not corrected          (not preserved)                  $1.5 million

(Only the annual limit for the top tier survives in this copy of the table; the remaining amounts are not preserved.)


The information contained in this article is provided as general guidance and may be affected by changes in law or regulation. This article is not intended to replace or substitute for accounting or other professional advice. Please consult a CBIZ professional. This information is provided as-is with no warranties of any kind. CBIZ shall not be liable for any damages whatsoever in connection with its use and assumes no obligation to inform the reader of any changes in laws or other factors that could affect the information contained herein.
