Under HIPAA-HITECH Act, penalties for violation of the Privacy rules were pegged at a maximum of US Dollars 1.5 million per type of violation. The caps would apply to violations of each specific HIPAA requirement or prohibition in a given year, not to all HIPAA violations in a given year.
For example, if a covered entity violated more than one HIPAA requirement or prohibition, the cap could be multiplied by the number of different HIPAA provisions violated.
Now, as per a recent order, HHS has changed the rules related to the application of maximum penalties. It will no longer be $1.5 million per violation per year. It would be different for different types of violations.
Until further notice by the HHS, annual caps on penalties for a violation of a HIPAA requirement or prohibition will range from $25,000 for an unknowing HIPAA violation; $100,000 for a HIPAA violation due to reasonable cause but not due to willful neglect; $250,000 for willful neglect corrected within 30 days; and $1.5 million for willful neglect not corrected within 30 days.