§160.408 Factors considered in determining the amount of a civil money penalty.
In determining the amount of any civil money penalty, the Secretary will consider the following factors, which may be mitigating or aggravating as appropriate:
(a) The nature and extent of the violation, consideration of which may include but is not limited to:
(1) The number of individuals affected; and
(2) The time period during which the violation occurred;
(b) The nature and extent of the harm resulting from the violation, consideration of which may include but is not limited to:
(1) Whether the violation caused physical harm;
(2) Whether the violation resulted in financial harm;
(3) Whether the violation resulted in harm to an individual's reputation; and
(4) Whether the violation hindered an individual's ability to obtain health care;
(c) The history of prior compliance with the administrative simplification provisions, including violations, by the covered entity or business associate, consideration of which may include but is not limited to:
(1) Whether the current violation is the same or similar to previous indications of noncompliance;
(2) Whether and to what extent the covered entity or business associate has attempted to correct previous indications of noncompliance;
(3) How the covered entity or business associate has responded to technical assistance from the Secretary provided in the context of a compliance effort; and
(4) How the covered entity or business associate has responded to prior complaints;
(d) The financial condition of the covered entity or business associate, consideration of which may include but is not limited to:
(1) Whether the covered entity or business associate had financial difficulties that affected its ability to comply;
(2) Whether the imposition of a civil money penalty would jeopardize the ability of the covered entity or business associate to continue to provide, or to pay for, health care; and
(3) The size of the covered entity or business associate; and
(e) Such other matters as justice may require.