HHS Applies Inflation Increase to Penalties for HIPAA Violations

The HHS’ Office for Civil Rights has increased the penalties for HIPAA violations with immediate effect. As of January 28, 2026, the penalties have been increased in line with inflation, as mandated by the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015. Annual adjustments to the penalty amounts are necessary to maintain the deterrent effect of financial penalties.

When the HITECH Act was introduced, the penalties for HIPAA violations were set as follows:

  • Tier 1: Minimum fine of $100 per violation up to $50,000
  • Tier 2: Minimum fine of $1,000 per violation up to $50,000
  • Tier 3: Minimum fine of $10,000 per violation up to $50,000
  • Tier 4: Minimum fine of $50,000 per violation up to $1,500,000

The penalties were capped at $1,500,000 for violations of an identical provision in a calendar year, and all penalties are subject to annual increases in line with inflation. OCR, like all other Executive Departments and Agencies, is required to apply annual increases to its penalty amounts. Each year, the Office of Management and Budget (OMB) issues a Memorandum that includes a multiplier for the annual adjustment.

All Executive Departments and Agencies are required to apply the multiplier by the specified date, which for the 2025 increase was January 17, 2025. The HHS is often late in applying the annual adjustment to its penalties. The previous adjustment to the penalty amounts was applied on August 8, 2024. The 2025 adjustment was due to be applied by January 17, 2025, but was not applied until January 28, 2026, more than a year late. OMB has yet to announce the inflation multiplier for 2026.

The new penalty amounts are effective from the date of publication in the Federal Register. If the violation occurred before November 2, 2015, or a penalty was assessed before September 6, 2016, the pre-adjustment civil penalty amounts in effect before September 6, 2016, will apply.

2025 Penalties for HIPAA Violations

Penalty Tier                               | Minimum Penalty | Maximum Penalty | Annual Penalty Cap
Did Not Know                               | $145            | $73,011         | $2,190,294
Reasonable Cause                           | $1,461          | $73,011         | $2,190,294
Willful Neglect (Corrected within 30 days) | $14,602         | $73,011         | $2,190,294
Willful Neglect (Not corrected)            | $73,011         | $2,190,294      | $2,190,294

While these are the official penalty amounts, OCR has not rescinded its 2019 Notice of Enforcement Discretion. In 2019, OCR reviewed the text of the HITECH Act and determined there had been a misinterpretation. OCR issued a Notice of Enforcement Discretion, lowering the maximum penalties and annual caps in three of the four penalty tiers. The effective penalties for HIPAA violations, per the Notice of Enforcement Discretion, are detailed in the table below. OCR can rescind the Notice of Enforcement Discretion at any point, but cannot change the penalties detailed in the table above without further rulemaking.

Penalty Tier                               | Minimum Penalty | Maximum Penalty | Annual Penalty Cap
Did Not Know                               | $145            | $36,505.50      | $36,505.50
Reasonable Cause                           | $1,461          | $73,011         | $146,053
Willful Neglect (Corrected within 30 days) | $14,602         | $73,011         | $365,052
Willful Neglect (Not corrected)            | $73,011         | $2,190,294      | $2,190,294

Penalties for Violations of the Part 2 Regulations

Violations of the Part 2 regulations are now enforced by OCR, following the update to the Part 2 regulations to align them more closely with HIPAA. While Part 2 violations use the same four-tier penalty structure as HIPAA, the amounts are not the same. OCR has taken as its starting point the penalty amounts stipulated by the HITECH Act of 2009, rather than the current penalty amounts for HIPAA violations, which have increased annually in line with inflation since 2009. As a result, violations of the Part 2 regulations are penalized less severely than violations of the HIPAA Rules, despite Part 2-covered data being considered more sensitive. Per the recent publication in the Federal Register, the penalties for violations of the Part 2 regulations are as follows.

Penalty Tier                               | Minimum Penalty | Maximum Penalty | Annual Penalty Cap
Did Not Know                               | $103            | $51,299         | $1,538,970
Reasonable Cause                           | $1,026          | $1,538,970      | $1,538,970
Willful Neglect (Corrected within 30 days) | $10,260         | $1,538,970      | $1,538,970
Willful Neglect (Not corrected)            | $51,299         | $1,538,970      | $1,538,970

The post HHS Applies Inflation Increase to Penalties for HIPAA Violations appeared first on The HIPAA Journal.

HIPAA Training for IT Professionals

HIPAA training for IT professionals is required for IT workforce members who support systems that create, receive, maintain, or transmit protected health information (PHI), because HIPAA compliance depends on administrative, physical, and technical safeguards being implemented and followed consistently.

Why HIPAA Training is Necessary for IT Professionals

IT professionals influence how PHI is protected more directly than most job functions because they design, configure, administer, and monitor the systems that store and move electronic protected health information (ePHI). Even when an IT role is not clinical, IT staff may access logs, databases, backups, ticketing systems, and troubleshooting data that contain PHI. HIPAA training helps IT teams understand the privacy and security expectations that apply to their work, the consequences of misconfiguration or improper access, and the operational behaviors that reduce the risk of unauthorized access, improper disclosure, or data loss.

HIPAA training for IT should connect the HIPAA Privacy Rule and the HIPAA Security Rule to real technology workflows. IT personnel need to understand how permitted uses and disclosures relate to system administration activities, how minimum necessary applies to troubleshooting and access, and how privacy obligations intersect with incident response, auditing, and vendor management. Training should also reinforce that compliance is supported by documented policies and procedures and that IT work must align with those requirements.

IT teams can encounter PHI in many forms beyond the electronic health record. Common exposure points include directory services, authentication logs, audit trails, access reports, help desk tickets, screenshots, email archives, voicemail systems, call recordings, mobile device management platforms, endpoint logs, application databases, and data exports used for reporting or integrations. Backups and disaster recovery replicas often contain complete PHI datasets, which makes secure access control and monitoring essential. IT professionals should be trained to recognize that even metadata and identifiers, when linked to care context, can constitute PHI.

Training should address how PHI can be unintentionally copied into insecure places. Examples include attaching screenshots with PHI to tickets without proper controls, using unapproved file-sharing tools to transfer logs, storing database extracts on local drives, or leaving PHI in temporary folders after troubleshooting. Training should reinforce approved methods for handling sensitive information during support and maintenance work.
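One concrete way to make the "approved method" for attaching troubleshooting output to a ticket is a redaction pass that runs before anything leaves the engineer's workstation. The block below is an added example, not code from the HIPAA Journal article or from any named product. The identifier formats (SSN, email, an MRN written as "MRN-00123456", a "dob=" field) and the pseudonymization key are assumptions for illustration; real medical record number and account number formats are site specific and the patterns would need to match them. MRNs are replaced with a keyed token rather than a blank so that the same patient can still be correlated across a ticket thread without the number itself being stored.

```python
"""Redact PHI from troubleshooting output before it is attached to a ticket.

Added example, not from the HIPAA Journal article. Identifier formats and
the pseudonymization key are assumptions for illustration.
"""
import hashlib
import hmac
import re

# Hypothetical key held by the support tooling, never stored with tickets.
# Using an HMAC means the same MRN maps to the same token, so support staff can
# still say "the MRN-token patient again" without seeing the real number.
PSEUDONYM_KEY = b"rotate-me-example-key"

# Assumed formats; real MRN / account-number formats are site specific.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
MRN_RE = re.compile(r"\bMRN[- ]?(\d{6,8})\b")
# Only dates that sit behind a dob field; bare log timestamps are left alone.
DOB_RE = re.compile(r"(?i)\b(dob[:=]\s*)(\d{4}-\d{2}-\d{2}|\d{2}/\d{2}/\d{4})")


def pseudonym(kind, value):
    """Stable, non-reversible token for an identifier (HMAC-SHA256, truncated)."""
    mac = hmac.new(PSEUDONYM_KEY, f"{kind}:{value}".encode(), hashlib.sha256)
    return f"[{kind}:{mac.hexdigest()[:10]}]"


def redact(text):
    """Return (redacted_text, counts_by_kind)."""
    counts = {"SSN": 0, "EMAIL": 0, "MRN": 0, "DOB": 0}

    def counted(kind, repl):
        def _sub(m):
            counts[kind] += 1
            return repl(m)
        return _sub

    text = SSN_RE.sub(counted("SSN", lambda m: "[SSN REDACTED]"), text)
    text = EMAIL_RE.sub(counted("EMAIL", lambda m: "[EMAIL REDACTED]"), text)
    text = MRN_RE.sub(counted("MRN", lambda m: pseudonym("MRN", m.group(1))), text)
    text = DOB_RE.sub(counted("DOB", lambda m: m.group(1) + "[DOB REDACTED]"), text)
    return text, counts


def safe_to_attach(text):
    """True only when a second pass finds nothing left to redact."""
    _, counts = redact(text)
    return sum(counts.values()) == 0


# Constructed sample of the kind of log excerpt an engineer might paste.
SAMPLE = """\
ERROR 2025-03-03 08:02:11 claims-api: lookup failed for MRN-00123456
  patient email jane.doe@example.org dob=1984-07-19 ssn 123-45-6789
  retry for MRN 00123456 succeeded, MRN-00987654 pending
"""

if __name__ == "__main__":
    cleaned, found = redact(SAMPLE)
    print(cleaned)
    print(found, "safe:", safe_to_attach(cleaned))
```

The second-pass check in safe_to_attach is the gate a ticket tool would enforce: an attachment is accepted only when re-running the patterns finds nothing. The limitation to state in training is that pattern matching catches known formats only; free-text notes ("Mrs. Doe's biopsy result") still need a human review step.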

Core IT Security Systems for Protecting PHI

A comprehensive HIPAA training program for IT professionals should reinforce the practical application of HIPAA requirements to technology operations, including the following areas.

Access controls and identity management

IT staff should understand the importance of unique user identification, strong authentication, least privilege, and timely access termination. Training should reinforce standardized provisioning and deprovisioning workflows, periodic access reviews, and the importance of aligning access with documented authorization and job duties. IT professionals should also understand how privileged accounts are controlled, monitored, and audited, and why shared credentials increase compliance and security risk.

Audit controls, monitoring, and logging

IT professionals should be trained on how audit logs support compliance, investigations, and breach analysis. Training should reinforce secure log retention, integrity controls, and monitoring processes that detect abnormal access patterns. IT teams should understand that log access itself can expose PHI, and access to logs should be controlled, justified, and documented according to policy.
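The "abnormal access patterns" an IT team is expected to detect are easier to teach with a worked rule set than with a policy sentence. The block below is an added example and is not code from the HIPAA Journal article or from any EHR vendor. It assumes a hypothetical single-line audit log format (timestamp, user, MRN, action, source IP); the sample lines are constructed, and the thresholds (five distinct records in five minutes, a 07:00 to 19:00 business day, a "svc_" prefix for service accounts) are illustrative values a real program would tune to its own baselines.

```python
"""Detect abnormal ePHI access patterns in an EHR audit log.

Added example, not from the HIPAA Journal article. The log format, the
sample records and the thresholds below are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format and values).
# Story: jsmith works normally, rlee pages through six charts at 23:40,
# a backup service account performs a bulk export.
SAMPLE_LOG = """\
2025-03-03T08:02:11 user=jsmith mrn=100231 action=view ip=10.1.4.22
2025-03-03T08:05:40 user=jsmith mrn=100231 action=update ip=10.1.4.22
2025-03-03T09:14:02 user=jsmith mrn=100877 action=view ip=10.1.4.22
2025-03-03T23:40:10 user=rlee mrn=100231 action=view ip=10.1.9.8
2025-03-03T23:40:31 user=rlee mrn=100232 action=view ip=10.1.9.8
2025-03-03T23:40:52 user=rlee mrn=100233 action=view ip=10.1.9.8
2025-03-03T23:41:10 user=rlee mrn=100234 action=view ip=10.1.9.8
2025-03-03T23:41:29 user=rlee mrn=100235 action=view ip=10.1.9.8
2025-03-03T23:41:47 user=rlee mrn=100236 action=view ip=10.1.9.8
2025-03-04T10:00:00 user=svc_backup mrn=100500 action=export ip=10.1.2.5
"""


def parse_line(line):
    """'2025-03-03T08:02:11 user=x mrn=y ...' -> dict with a datetime 'ts'."""
    ts, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, value = field.split("=", 1)
        rec[key] = value
    return rec


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def detect_bulk_access(records, window=timedelta(minutes=5), threshold=5):
    """Users who touch >= threshold distinct MRNs inside a sliding time window.

    Sequential chart browsing is the classic 'snooping' pattern; one alert per
    user is returned so an analyst gets a triage item, not a flood.
    """
    by_user = defaultdict(list)
    for r in records:
        by_user[r["user"]].append(r)
    alerts = []
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            distinct = {r["mrn"] for r in recs[start:end + 1]}
            if len(distinct) >= threshold:
                alerts.append((user, recs[start]["ts"], len(distinct)))
                break
    return alerts


def detect_after_hours(records, start_hour=7, end_hour=19, exempt=("svc_",)):
    """Interactive access outside business hours; service accounts are exempt."""
    hits = []
    for r in records:
        if r["user"].startswith(exempt):
            continue
        if not (start_hour <= r["ts"].hour < end_hour):
            hits.append((r["user"], r["ts"], r["mrn"]))
    return hits


def detect_exports(records):
    """Every export is worth a record: exports are how whole datasets leave."""
    return [(r["user"], r["mrn"]) for r in records if r["action"] == "export"]


def run(text=SAMPLE_LOG):
    recs = parse_log(text)
    return {
        "bulk": detect_bulk_access(recs),
        "after_hours": detect_after_hours(recs),
        "exports": detect_exports(recs),
    }


if __name__ == "__main__":
    for kind, hits in run().items():
        print(kind, hits)
```

Two points the paragraph makes show up directly in the code: the detection output itself contains MRNs, so the alert store is PHI and needs the same access controls as the source log, and a rule like detect_exports is only meaningful if the log it reads is append-only and integrity protected, otherwise the export that matters is the one whose log line was removed.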

Transmission and encryption practices

Training should cover secure transmission methods, including the approved use of encryption and secure portals when PHI is sent externally or transmitted between systems. IT staff should understand the organization’s standards for encryption at rest and in transit, key management practices, and how configuration choices can unintentionally downgrade security. Training should also address common risk areas such as email security, secure messaging platforms, VPN and remote access controls, and the secure configuration of APIs and interfaces that connect clinical systems.

Device and endpoint security

IT professionals should be trained on device management controls that protect ePHI across workstations, laptops, mobile devices, and shared clinical terminals. Training should reinforce patch management, endpoint protection, hardening standards, secure configuration baselines, and the handling of removable media. IT teams should understand how kiosk and shared device workflows are secured and how lockout and timeout policies reduce exposure.

Data lifecycle management

Training should address how PHI is managed across creation, storage, use, sharing, archival, and disposal. IT staff should understand retention requirements, secure deletion practices, and how to prevent PHI from being stored in unapproved locations. Backup and disaster recovery should be covered, including access controls for backup repositories, secure restoration workflows, and segregation of duties.

Incident response and breach support

IT professionals should understand the organization’s incident response process, their responsibilities during security events, and the importance of timely escalation. Training should reinforce how to preserve evidence, avoid altering logs, and coordinate with privacy and compliance teams. IT staff should be trained to recognize indicators of compromise and to report suspected incidents immediately, including phishing, credential theft, ransomware, misdirected data transfers, and misconfigurations that expose systems.

HIPAA Training for IT Professionals Working in HIPAA Covered Entities

When IT professionals work within a HIPAA Covered Entity, training should align with the Covered Entity’s policies and procedures and the operational realities of supporting clinical and administrative systems. Covered Entity IT staff should understand how HIPAA training applies to all workforce members, including management, and how their work supports organizational safeguards and compliance documentation. Training should reinforce internal processes for access authorization, change management, security risk management activities, and system maintenance. It should also address internal expectations for handling PHI during support, including how to minimize the amount of PHI used for troubleshooting and how to document access when required by policy.

Covered Entity training should also reinforce appropriate communication practices with users and departments. IT staff may receive requests for screenshots, data extracts, or configuration changes that affect PHI access. Training should emphasize that IT teams should follow approved workflows, verify requester identity and authority, and escalate uncertain requests rather than bypassing controls for convenience. IT professionals should also understand the organization’s process for privacy complaints and how IT evidence supports investigations.

HIPAA Training for IT Professionals Working in HIPAA Business Associates

When IT professionals work for a HIPAA Business Associate, training should address the additional expectations that apply to Business Associate employees and the scope limitations of working with PHI on behalf of Covered Entities. Business Associate IT staff should understand that access to PHI is permitted only to support contracted services and that information should not be used or disclosed outside that scope. Training should reinforce how minimum necessary applies to maintenance, monitoring, and support activities and why Business Associate staff must follow contractual requirements for security controls, incident reporting, and cooperation during investigations.

Business Associate training should emphasize incident reporting obligations and escalation pathways, including the requirement to report suspected incidents promptly according to internal policy and contractual terms. It should also cover how subcontractors are managed when they may handle PHI, including the need to ensure appropriate agreements and security controls are in place. Business Associate IT teams should understand that multi-tenant environments, shared infrastructure, and customer segmentation controls must be configured and monitored carefully to prevent cross-customer exposure of PHI.

Effective HIPAA Training for IT Professionals

An effective HIPAA Training program should be practical, measurable, and aligned with organizational policies and technical operations. Training should be delivered within a reasonable period after hire and reinforced when responsibilities change or when systems and policies are updated. Refresher training should be provided regularly, and annual training is commonly used as an industry best practice. Organizations should document completion, retain training materials, and maintain evidence of any knowledge checks or assessments. Training effectiveness improves when it is paired with ongoing security awareness activities, such as brief updates about new phishing campaigns, reminders about secure ticket handling, and reviews of recent incidents and lessons learned.

HIPAA training for IT professionals supports HIPAA compliance by ensuring IT staff understand how to protect PHI and ePHI through secure access controls, monitoring, encryption, endpoint security, and disciplined incident response. Training should account for whether IT professionals work within a HIPAA Covered Entity or a HIPAA Business Associate and should include cybersecurity training focused on medical records and modern attack methods. Online training supports consistent delivery, flexible completion, and documented completion records, which helps IT teams and compliance programs maintain strong privacy and security practices over time.


Four Healthcare Providers Settle Class Action Lawsuits Over Data Breaches

Settlements have been agreed to resolve class action lawsuits over healthcare data breaches experienced by Alabama Cardiovascular Group, Carolina Arthritis Associates, Rocky Mountain Gastroenterology Associates, and Regional Obstetrical Consultants.

Alabama Cardiovascular Group Data Breach Settlement

Alabama Cardiovascular Group has settled a class-action data breach lawsuit arising from a data security incident detected on July 2, 2024. The investigation confirmed that an unauthorized third party accessed its network between June 6, 2024, and July 2, 2024, and exfiltrated files containing patient and employee information. Data compromised in the incident included names, contact information, Social Security numbers, health insurance information, and medical information. The data breach affected 280,534 individuals.

Multiple class action lawsuits were filed in response to the data breach, which were consolidated into a single action – Tammy Brown et al., v. Alabama Cardiology Group P.C. d/b/a Alabama Cardiovascular Group – in the Circuit Court for Jefferson County, Alabama. The consolidated lawsuit asserts claims of negligence, negligence per se, breach of contract, breach of implied contract, unjust enrichment, and breach of fiduciary duty. Alabama Cardiovascular Group denies all claims of liability and wrongdoing, and disagrees that the data breach caused any harm to the affected patients and employees; however, to avoid the cost of protracted litigation and the uncertainty of trial and related appeals, the decision was taken to settle the lawsuit.

Under the terms of the settlement, Alabama Cardiovascular Group has agreed to establish a $2,225,000 settlement fund to cover attorneys’ fees and expenses, settlement administration costs, service awards for the class representatives, and benefits for the class members. Class members are entitled to submit a claim for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member. Alternatively, class members may choose to receive a pro rata cash payment, which will be paid from the residual funds after costs and expenses have been deducted and claims have been paid. Whichever cash benefit is chosen, class members are also entitled to two years of credit monitoring services. The deadline for opting out of (excluding oneself from) the settlement is February 4, 2026. Claims must be submitted by March 6, 2026, and the final approval hearing has been scheduled for March 20, 2026.

Carolina Arthritis Associates Data Breach Settlement

Carolina Arthritis Associates has agreed to settle a consolidated class action lawsuit over a September 2024 data breach. The Carolina Arthritis Associates data breach was identified on September 27, 2024, and the investigation determined that files containing patient data may have been exfiltrated from its network between September 26, 2024, and September 30, 2024.

The file review confirmed that names, birth dates, treatment/procedure information, medical record numbers, provider names, and Social Security numbers may have been stolen. Up to 36,961 individuals were affected by the data breach. Multiple class action lawsuits were filed in response to the data breach, alleging that Carolina Arthritis Associates failed to implement reasonable and appropriate security measures to protect sensitive data on its network. The lawsuits were consolidated – In re Carolina Arthritis Associates Data Incident Litigation – in the General Court of Justice, Superior Court Division for New Hanover County, North Carolina. Carolina Arthritis Associates denies all claims of wrongdoing and liability but agreed to settle the litigation to avoid the cost and time of protracted litigation and the uncertainty of trial.

Carolina Arthritis Associates has agreed to establish a $600,000 settlement fund to cover attorneys’ fees and expenses, settlement administration costs, and service awards for the class representatives. After those costs have been paid, the remainder of the settlement fund will be used to pay benefits to the class members. Class counsel and the class representatives believe the settlement is fair, and the settlement has received preliminary approval from the court.

Class members may submit a claim for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member. Alternatively, a claim may be submitted for a pro rata cash payment, estimated to be $100 per class member. The cash payments may be increased or decreased based on the number of claims received. In addition, credit monitoring and identity theft protection services have been offered to the affected individuals for two years. The deadline for objection and opting out of the settlement is February 6, 2026. The deadline for submitting a claim is February 23, 2026. The final fairness hearing has been scheduled for March 10, 2026.

Regional Obstetrical Consultants Data Breach Settlement

Regional Obstetrical Consultants has settled a class action lawsuit over a May 2024 data breach affecting 25,787 current and former patients. An unauthorized third party gained access to its network on or around May 6, 2024, and potentially obtained names, dates of birth, addresses, phone numbers, medical record numbers, insurance ID numbers, diagnoses, medical histories, and procedure information. The affected individuals were notified on January 22, 2025.

Three class action lawsuits were filed against Regional Obstetrical Consultants over the data breach. The lawsuits had overlapping claims, and were consolidated into a single action – Heidi Davis et al. v. Regional Obstetrical Consultants, P.C. – in the Chancery Court of Hamilton County, Tennessee. The consolidated lawsuit alleged the data breach occurred as a result of the failure to implement reasonable and appropriate security measures, and asserted claims of negligence, negligence per se, breach of implied contract, unjust enrichment, invasion of privacy, and breach of fiduciary duty.

Regional Obstetrical Consultants denies all claims of wrongdoing and liability; however, to avoid the cost, time, and distraction of prolonged litigation and the uncertainty of trial, the decision was taken to settle the litigation. Under the terms of the settlement, class members may submit a claim for one of three benefits: reimbursement of documented, unreimbursed, extraordinary losses up to a maximum of $7,500 per class member; reimbursement of documented ordinary losses up to a maximum of $2,000 per class member; or a pro rata cash payment, estimated at $50 per class member, which may be higher or lower depending on the number of claims received. The deadline for exclusion and objection is January 31, 2026. The deadline for submitting a claim is February 15, 2026. The final fairness hearing has been scheduled for March 2, 2026.

Rocky Mountain Gastroenterology Associates Data Breach Settlement

Rocky Mountain Gastroenterology Associates has agreed to settle class action litigation over a data breach that was identified on September 13, 2024, involving unauthorized access to the electronic protected health information of 366,491 patients. Data compromised in the incident included names, addresses, dates of birth, patient account numbers, medical record numbers, Social Security numbers, health insurance identification numbers, and health information such as diagnoses and treatment information.

Notification letters started to be mailed to the affected individuals on November 13, 2024, and the first class action lawsuit was filed on December 19, 2024, by plaintiff David Davis. Further lawsuits were filed by other affected individuals. The lawsuits were consolidated – David Davis et al. v. Rocky Mountain Gastroenterology Associates PLLC – in the Colorado District Court for Jefferson County, as the lawsuits had overlapping claims. The lawsuit asserted claims of negligence, negligence per se, breach of implied contract, breach of fiduciary duty, unjust enrichment, and for declaratory judgment. Rocky Mountain Gastroenterology Associates denies all claims of wrongdoing and liability.

Shortly after the consolidated class action lawsuit was filed, all parties began to explore the possibility of early resolution, and following mediation, the material terms of a settlement were agreed upon. The settlement has now been finalized and approved by the court. Under the terms of the settlement, class members are entitled to two years of complimentary credit monitoring and identity theft protection services, retailing at $14.95 per month. In addition, class members may submit a claim for reimbursement of documented, unreimbursed losses due to the data breach. The reimbursement claims have been capped at $1,000 per class member. The deadline for submitting a claim is February 2, 2026.
