These penalties are based on a tiered approach, as follows:
· No Knowledge. Where a person does not know, and by exercising due diligence would not have known, that the person violated HIPAA's administrative simplification provisions, the minimum penalty is $100 per violation, with a cap of $25,000 for violations of an identical requirement or prohibition. The maximum penalty is $50,000 per violation, with a cap of $1.5 million for violations of an identical requirement or prohibition.
· Reasonable Cause. Where a violation is due to "reasonable cause" and not "willful neglect," the minimum penalty is $1,000 per violation, with a cap of $100,000 for violations of an identical requirement or prohibition. The maximum penalty is $50,000 per violation, with a cap of $1.5 million for violations of an identical requirement or prohibition.
· Willful Neglect (but Corrected). Where a violation is due to "willful neglect," but was corrected, the minimum penalty is $10,000 per violation, with a cap of $250,000 for violations of an identical requirement or prohibition. The maximum penalty is $50,000 per violation, with a cap of $1.5 million for violations of an identical requirement or prohibition.
· Willful Neglect (but not Corrected). Where a violation is due to "willful neglect," but was not corrected, the minimum penalty is $50,000 per violation, with a cap of $1.5 million for violations of an identical requirement or prohibition. Additionally, there can be individual penalties of as much as $25,000 per violation or up to $250,000 or 10 years in prison for information knowingly and wrongfully disclosed.