There are four tiers of increasing penalty amounts that correspond to the levels of culpability associated with the HIPAA violation:
- (lowest category) Violations the covered entity or business associate did not know about and, even exercising reasonable diligence, would not have known about
- Violations due to reasonable cause and not to willful neglect
- Violations due to willful neglect corrected within a certain time period
- (highest category) Violations due to willful neglect that are not corrected
The civil penalty is determined by the HHS Secretary, who investigates the complaint and decides how the HIPAA violation is to be handled. Within a single year, the penalty for all violations of the same kind is capped at $1.5 million USD.