Health care providers are now facing significantly higher penalties for HIPAA violations, courtesy of an HHS final rule released Jan. 17. The HIPAA Enforcement final rule, which was part of an omnibus HIPAA rule,  raised the cap on annual civil monetary penalties for HIPAA violations  from $25,000 to $1.5 million, and created a new four-tier structure for imposing penalties.

The four tiers include:

• providers who did not know about any HIPAA violations;
• providers who had HIPAA violations due to reasonable causes;
• providers who had HIPAA violations due to willful neglect, but who took timely steps to remedy their violations; and
• providers who had HIPAA violations due to willful neglect but did not take timely steps to remedy the violations.

Penalties will vary by category, with the lowest penalties (no less than $100 and no more than $50,000 per violation)  being imposed on providers who did not know about their violations. At the high end of the scale, penalties will be no less than $50,000 per violation. I spoke with Ramy Fayed, an attorney with SNR Denton, and he told me that the higher penalties were expected. Fayed said the penalties wouldn't be especially burdensome to any providers who have been operating under effective privacy and security compliance programs.