“The final rules, effective on March 26, 2013, not only provide direct liability for business associates and their subcontractors, but also include increased liability for noncompliance. The final rules move HIPAA enforcement away from the previous voluntary compliance framework and toward a penalty-based system. The tiered penalty structure has penalties ranging from $100 to $50,000 per violation, depending on the level of culpability, with a $1.5 million cap per calendar year for multiple violations of identical provisions, and criminal penalties of up to 10 years’ imprisonment. Willful neglect is at the top of the scale, and even where there is merely a possibility of a violation due to willful neglect, HHS can impose civil monetary penalties without exhausting informal resolution options.”