New Tiers for HIPAA Penalties

I’d been meaning to post this for a while, but got a little distracted with all the other news. Better late than never. HHS and OCR have changed the penalties associated with a HIPAA violation. You can see the details of the new enforcement discretion here. The notification says that after further review of the HITECH Act, they needed to adjust the penalties associated with a HIPAA violation.

Here’s a look at the HIPAA Penalties before the changes:

And here’s a look at the new HIPAA Penalties:

These seem like good changes to the penalties. As my hacker friend always told me, you can make it hard for someone to breach you, but you can never ensure 100% security. It’s more a matter of making it hard enough to breach your organization so that hackers choose to go and hack someone easier. Of course, with phishing and social hacking, it’s really impossible for any CIO to be confident that they’ll never be breached. That’s why I like the changes to the penalties. Breaches happen to even the best of them.

What do you think of these changes? Are these good? Do you think they’re too easy on those who incur penalties? Will these softer penalties mean that healthcare organizations will worry less about their security? Share your thoughts with us in the comments and on Twitter with @HealthcareScene.

About the author

John Lynn

John Lynn is the Founder of, a network of leading Healthcare IT resources. The flagship blog, Healthcare IT Today, contains over 13,000 articles with over half of the articles written by John. These EMR and Healthcare IT related articles have been viewed over 20 million times.

John manages Healthcare IT Central, the leading career Health IT job board. He also organizes the first of its kind conference and community focused on healthcare marketing, Healthcare and IT Marketing Conference, and a healthcare IT conference,, focused on practical healthcare IT innovation. John is an advisor to multiple healthcare IT companies. John is highly involved in social media, and in addition to his blogs can be found on Twitter: @techguy.


  • I am a Managed Service Provider and I have dropped clients that did care about HIPAA and mentioned that they will deal with the audit when and if it happens. They almost didn’t care even if the fines were so high. Now that the fines are lowered, they almost won’t even think about HIPAA or HIPAA fines.

  • Jay,
    I’ve seen this myself. I had one doctor go so far as to say, “They can’t throw us all in jail.” That’s a scary mindset to have that will likely catch up to those organizations.

  • With a lower bar for fines, wouldn’t the OCR be more apt to issue a higher number of fines (instead of a few large ones)? The average settlement is just over $1.5M. With the Trump Administration cutting the OCR’s operating budget from $29M to $20M, this is not a coincidence.

  • It’s a good question Steven. I’m not sure this changes the number of fines that much. Your point about creating enough revenue to stay alive is an interesting one, but I don’t think that’s really how they approach the fines. So, I think it will be more or less business as usual as far as number of fines.