
A new legislative proposal aims to raise the bar for data protection. The Health Infrastructure Security and Accountability Act (HISAA) proposes stronger enforcement mechanisms, enhanced cybersecurity standards, and the removal of statutory caps on HIPAA violation fines. The change could increase penalties for non-compliant entities and raise serious challenges for smaller providers.
Steve Cagle, CEO of Clearwater, a leading healthcare cybersecurity firm, has voiced caution over the bill's potential impact. “Removing caps on fines will only have an impact if there is stronger enforcement of the existing HIPAA regulations and application of the fines,” he said in a recent interview with Healthcare Innovation. “To date, there has been limited enforcement, which is generally related to HIPAA violations from up to five years ago.”
What are HIPAA violation fines
Compliance with the Health Insurance Portability and Accountability Act (HIPAA) is a concern for healthcare organizations and business associates handling protected health information (PHI). Failure to adhere to HIPAA regulations can result in financial penalties, known as HIPAA violation fines.
Understanding the HIPAA penalty structure
The HIPAA penalty structure is designed to hold covered entities and business associates accountable for HIPAA violations. According to the Federal Register, the penalties are categorized into four tiers, with the level of culpability determining the minimum and maximum fines per violation, as well as the annual penalty limit.
Tier 1: Reasonable efforts
This tier applies to violations where the covered entity or business associate was unaware of the infringement and could not have reasonably avoided it, even with a reasonable amount of care. The minimum penalty per violation is $137, with a maximum of $68,928 and an annual penalty limit of $2,067,813.
Tier 2: Lack of oversight
Violations in this tier are those that the covered entity or business associate should have been aware of but could not have avoided, even with a reasonable amount of care. The minimum penalty per violation is $1,379, with a maximum of $68,928 and an annual penalty limit of $2,067,813.
Tier 3: Neglect with correction
This tier covers violations resulting from "willful neglect" where the covered entity or business associate has attempted to correct the issue. The minimum penalty per violation is $13,785, with a maximum of $68,928 and an annual penalty limit of $2,067,813.
Tier 4: Neglect without correction
The most severe tier applies to violations of HIPAA attributable to willful neglect, where no attempt has been made to correct the violation. The minimum penalty per violation is $68,928, with a maximum of $2,067,813 and an annual penalty limit of $2,067,813.
Notably, the penalty amounts are adjusted annually to account for cost-of-living increases, and the Office of Management and Budget (OMB) sets the inflation multiplier each year.
What the HISAA bill proposes
Introduced by Senators Elizabeth Warren and Ron Wyden, HISAA would establish minimum and enhanced security standards for both covered entities and business associates under HIPAA. These standards would be updated at least every two years to account for emerging threats. Additionally, the bill would authorize the Department of Health and Human Services (HHS) to conduct annual cybersecurity audits.
One of HISAA’s changes is the elimination of caps on HIPAA fines, designed to deter negligence, especially among large corporations that may view fines as merely the cost of doing business. “This could have unforeseen impacts, particularly on smaller organizations,” Cagle warned. “The healthcare sector needs stronger resources and financial support for smaller hospitals and healthcare provider groups.”
The impact on healthcare organizations
For many healthcare entities, HISAA would require substantial updates to cybersecurity infrastructure. The bill mandates risk assessments of both internal systems and third-party vendors, a provision made necessary by the frequency of supply chain attacks.
“The fact of the matter is that these practices are not new,” Cagle explained. “They are based on minimal industry standards that have existed for some time in the NIST Cybersecurity Framework and the 405(d) Health Industry Cybersecurity Practices Guide.”
However, adoption has been uneven. “Some healthcare organizations are already following these practices and, in many cases, are going well beyond basic security controls,” said Cagle. “Others choose not to adhere to these standards in the manner they should; therefore, creating a requirement to meet standards would clarify what security practices are mandatory and level the playing field across the industry.”
The bill also calls for the creation and stress testing of incident response, disaster recovery, and business continuity plans. “We must assume that no matter how strong a cybersecurity program is, at some point, there will be a security incident,” said Cagle. “The ability to detect, contain, respond, operate under duress, and recover will ultimately determine the impact on patient safety and compromise of ePHI.”
Accountability at the executive level
One of the bill’s most hotly debated provisions is a requirement for CEOs and CISOs to attest publicly that their organizations comply with cybersecurity standards. “This proposal has received a lot of attention in the industry,” Cagle said. “Many think that it may further dissuade CISOs, who already accept lower pay and fewer resources, from working in healthcare organizations, as they may be held accountable for nonconformances they cannot control due to lack of funding and support.”
A broader view of responsibility
HISAA wisely broadens its scope beyond hospitals and includes business associates in its requirements. “Healthcare is an interconnected sector, with information and technology shared among many parts of the supply chain,” Cagle explained. “Future regulations must hold all organizations accountable and not just single out hospitals or other types of healthcare organizations.”
Good faith vs. negligence
Cagle discusses the need to distinguish between organizations that act responsibly and those that ignore basic standards. “It is not reasonable and unfair to punish a healthcare provider acting responsibly but attacked and violated by a criminal,” he said. “This is different from a situation where an organization’s management team knowingly did not implement basic cybersecurity practices, ignored the risk analysis requirement under the HIPAA Security Rule, or failed to address high risks knowingly while having the means to do so.”
According to Cagle, organizations that continuously assess their systems and follow best practices—such as NIST and 405(d)—are acting in good faith. “Risk never goes to zero,” he noted. “Even the most compliant organizations can fall victim to nation-state-backed cybercriminals.”
Consequences of removing fine caps
Without increased enforcement, simply removing fine caps may do little to change the current situation. “More funding would need to be allocated to investigation and enforcement actions to assess larger fines,” said Cagle. “This money would be better spent on funding cybersecurity programs for those organizations without the means or resources to meet the standards.”
Incentivizing improvement, not just punishing failure
Cagle advocates for a more balanced strategy. “Perhaps we can use the fines and penalties raised from larger organizations that have the means but are negligent to help fund grants for smaller organizations that want to improve their cybersecurity posture but cannot afford to do so.”
He added, “Smaller healthcare providers need support rather than being threatened with penalties.”
The case for a certification model
Another concern is the potential inconsistency in third-party audits. “As we see today in healthcare, numerous firms misrepresent their assessments as ‘HIPAA certifications’ or incorrectly say they have performed a ‘risk analysis,’” said Cagle.
He suggests a model similar to the Cybersecurity Maturity Model Certification (CMMC) or PCI DSS. “Assessors must be certified and maintain strict credentials and requirements themselves,” he said. “That would be beneficial to ensure quality and consistency.”
Final thoughts
“There is no one-size-fits-all solution,” Cagle concluded. “A balanced approach that considers organization size, resources, and interconnected risks will strengthen healthcare cybersecurity.”
The proposed HISAA bill is a step forward, but it must be paired with thoughtful implementation. Without funding and support, many smaller providers may be left behind—even punished—for circumstances beyond their control. Combining enforcement with incentives and clearly defined standards can help create a more secure and equitable healthcare environment.
As cyberattacks grow more sophisticated, the stakes are too high for patchwork solutions. A collaborative, well-funded strategy is required to protect both patient data and the healthcare providers who care for them.
FAQs
Is there a database for HIPAA violations?
All information on HIPAA violation cases is provided by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) in their HIPAA Resolution Agreements overview. For the full list of HIPAA breaches and fines, you can visit OCR's Breach Portal.
What is an example of a HIPAA violation email?
- Failing to use an email encryption service.
- Sending a patient an email without having their authorization for email communications.
- Including PHI in the subject line of an email.
- Sending an email containing PHI to the wrong patient.
What is the most common violation of HIPAA?
The Department of Health and Human Services (HHS) and state attorneys general cite “failure to implement proper access controls” for protecting patient information as one of the most common HIPAA violations by healthcare services.