What are HIPAA Civil Penalties?


What are the civil penalties for knowingly breaching HIPAA laws? What is the highest possible financial penalty for a HIPAA violation and when are fines applied? In this post we address these questions and explain about the penalties for violating HIPAA legislation.

The Health Insurance Portability and Accountability Act (HIPAA) is federal legislation the polices healthcare organizations and healthcare employees so that they create policies and procedures to protect the privacy of patients. They are legally obligate to put in place safeguards to ensure the confidentiality, integrity, and availability of protected health information (PHI). HIPAA places restrictions on the uses of health data, who can be supplied with copies of health information, and puts in place the right to obtain copies of their health data.

HIPAA covered entities are normally healthcare providers, health plans, and healthcare clearinghouses. HIPAA also applies to vendors and suppliers (business associates) that require access to PHI to perform their stated duties.

As with other federal legislation, there are penalties for noncompliance. The financial penalties for HIPAA violations can be major, especially when HIPAA has been “knowingly” violated – When HIPAA Rules have been consciously breached on purpose.

The civil penalty tier system for healthcare HIPAA entities is calculated using the extent to which the HIPAA covered entity was aware that HIPAA Rules were broken. The highest possible fine for knowingly violating HIPAA is $50,000 per violation up to a maximum of $1.5 million per violation category annually.

Civil penalties will be calculated using the nature and extent of the violation, the number of people impacted, the harm that has been caused to those individuals, and the level of blame apportioned.

As with healthcare HIPAA entities, healthcare workers can also have fines sanctioned against them for violating HIPAA Rules. Civil penalties can be issued to any person who is discovered to have violated HIPAA Rules. The Office for Civil Rights can sanction a penalty of $100 per violation of HIPAA when an employee was unaware that he/she was violating HIPAA Rules up to a maximum of $25,000 for repeat offences.

In violation that have reasonable cause, the fine jumps to $1,000 per breach with a maximum of $100,000 for repeat violations, for willful neglect of HIPAA Rules where the violation was addressed the fine is $10,000 and up to $250,000 for repeat violations and willful neglect with no correction results in a penalty of $50,000 per violation and up to $1.5 million for repeat offences.

The Office for Civil Rights enforces HIPAA Rules in tandem with the Department of Justice and will refer cases of potential criminal violations of HIPAA Rules to the DoJ. Directors, officers, and employees may be deemed to be criminally responsible for violations of HIPAA Rules under the principle of corporate criminal liability, and if not directly liable, could be punished in relation to aiding and abetting or conspiracy.

The penalty tiers are calculated based on the extent to which an employee was aware that HIPAA Rules were broken. At the lowest level of the scale, a violation of HIPAA Rules could attract a maximum penalty of $50,000 and/or up to one year in jail.

If HIPAA Rules are broken under false pretenses the highest possible fine jumps to $100,000 and/or up to five years in jail. The maximum civil penalty for knowingly breaking HIPAA Rules is $250,000, such as when healthcare information is illegally taken with the intent to sell, transfer, or use for personal gain, commercial advantage, or malicious harm. In addition to a fine, the longest jail term is 10 years.

Along with the punishment provided, aggravated identity theft results in  a prison term of 2 years. When PHI has been stolen and patients have been defrauded, restitution may also need to be handed over.