The provisions of section 1320a–7a of this title (other than subsections (a) and (b) and the second sentence of subsection (f)) shall apply to the imposition of a civil money penalty under this subsection in the same manner as such provisions apply to the imposition of a penalty under such section 1320a–7a of this title.
No penalty may be imposed under subsection (a) and no damages obtained under subsection (d) with respect to an act if a penalty has been imposed under section 1320d–6 of this title with respect to such act.
Except as provided in subparagraph (B) or subsection (a)(1)(C), no penalty may be imposed under subsection (a) and no damages obtained under subsection (d) if the failure to comply is corrected during the 30-day period beginning on the first date the person liable for the penalty or damages knew, or by exercising reasonable diligence would have known, that the failure to comply occurred.
In the case of a failure to comply which is due to reasonable cause and not to willful neglect, any penalty under subsection (a) and any damages under subsection (d) that is  not entirely waived under paragraph (3)  may be waived to the extent that the payment of such penalty  would be excessive relative to the compliance failure involved.
For purposes of paragraph (1)(B), the amount determined under this paragraph is the amount calculated by multiplying the number of violations by up to $100. For purposes of the preceding sentence, in the case of a continuing violation, the number of violations shall be determined consistent with the HIPAA privacy regulations (as defined in section 1320d–9(b)(3) of this title) for violations of subsection (a).
Nothing in this section shall be construed as preventing the Office for Civil Rights of the Department of Health and Human Services from continuing, in its discretion, to use corrective action without a penalty in cases where the person did not know (and by exercising reasonable diligence would not have known) of the violation involved.