HIPAA Fines Just Got Bigger. Here's What Changed for 2023.

HIPAA penalty increases and enforcement for 2023

HHS has increased HIPAA civil monetary penalties for 2023, continuing a trend of escalating enforcement. The maximum penalty for a single violation category is now over $2 million. And OCR (the Office for Civil Rights) is pursuing more enforcement actions against smaller providers than ever before.

The New Penalty Tiers

  • Tier 1 (Did Not Know): $137 - $68,928 per violation
  • Tier 2 (Reasonable Cause): $1,379 - $68,928 per violation
  • Tier 3 (Willful Neglect, Corrected): $13,785 - $68,928 per violation
  • Tier 4 (Willful Neglect, Not Corrected): $68,928 per violation
  • Calendar year cap per violation category: $2,067,813

"Per violation" is key. If your HIPAA violation affects 500 patients, that's potentially 500 violations. The math gets ugly fast.

Right of Access Is the Enforcement Priority

Since 2019, OCR has pursued over 40 Right of Access enforcement actions, generating millions in settlements. The violations are simple: practices that took too long to provide patient records, charged excessive fees, or refused requests.

The smallest settlement: $3,500 from a solo dental practice. The lesson: nobody is too small for enforcement.

What's Being Enforced

  • Right of Access violations: Failing to provide records within 30 days, excessive fees, requiring specific request forms
  • Risk assessment failures: Not conducting a HIPAA risk assessment (the most commonly cited deficiency)
  • Lack of BAAs: Using cloud services, IT providers, or billing companies without signed Business Associate Agreements
  • Insufficient access controls: No MFA, shared passwords, excessive user privileges
  • Missing policies: No written HIPAA policies and procedures

Compliance Checklist for 2023

  1. Conduct a risk assessment. If you haven't done one, do it now. If it's more than a year old, update it. This is the single most commonly cited HIPAA deficiency.
  2. Fix your Right of Access process. Respond within 30 days. Charge cost-based fees only. Accept requests in any written format. Don't refuse third-party designees.
  3. Verify BAAs. Every vendor that touches PHI needs a signed BAA: cloud services, IT provider, billing company, shredding service, answering service.
  4. Document policies. Written policies for: access controls, breach notification, device encryption, workforce training, sanctions for violations.
  5. Train your workforce. Annual HIPAA training for all staff. Document attendance.
  6. Enable MFA. OCR has specifically cited lack of MFA in enforcement actions. Enable it on all systems containing PHI.

The penalties are higher, enforcement is more active, and small practices are in the crosshairs. Compliance isn't optional. It never was.