HHS Slashes Cap on Fines for HIPAA Violations in All But One Category

Covered entities now have less to fear from the HHS Office for Civil Rights (OCR) if they run afoul of the HIPAA privacy and security regulations. OCR has slashed the maximum fines it will levy for most types of culpability, according to an HHS enforcement notice announced April 26. Effective immediately, covered entities can be fined $1.5 million only for violations that are described as “willful neglect, not corrected.” HHS didn’t revise the minimum or maximum per-violation fines, however.

Until now, covered entities faced the identical annual cap, $1.5 million, for repeated instances of the same HIPAA violations regardless of their level of culpability, under the Health Information Technology for Economic and Clinical Health (HITECH) Act. Although per-violation fines vary—$100 to $50,000 per violation for a culpability level of “no knowledge”; $1,000 to $50,000 per violation for a culpability level of “reasonable cause”; $10,000 to $50,000 for “willful neglect, corrected”; and $50,000 for “willful neglect, uncorrected”—they all hit the same ceiling.
