What is a HIPAA violation?

A HIPAA violation is a failure to comply with any of the standards set by the Privacy, Security, and Breach Notification Rules. There does not have to be a data breach for a HIPAA violation to occur, and penalties can be imposed for (for example) the failure to provide staff training, the failure to allow patients to review their PHI, and the failure to retain documents for the required time.

What constitutes a HIPAA violation?

The failure to develop and enforce HIPAA-compliant policies and procedures can also constitute a HIPAA violation. If there are no policies or procedures to guide staff on how to perform their roles compliantly, and a data breach subsequently occurs, Covered Entities will be sanctioned for the failure to develop policies and the failure to train staff on policies as well as for the data breach.

What are the consequences for violating HIPAA?

This depends on who violates HIPAA and how much harm results from the violation. If a violation occurs that “the Covered Entity was unaware of and could not have realistically avoided had a reasonable amount of care had been taken to comply with HIPAA” the consequences will be relatively minor. However, if a individual violates HIPAA contrary to the policies enforce by their employer, they could lose their job and spend up to ten years in jail.

What is the civil penalty for unknowingly violating HIPAA?

The civil penalty for unknowingly violating HIPAA is no different from the civil penalty for knowingly violating HIPAA because there is no justification for a Covered Entity – or an individual trained on a Covered Entities policies – to be unaware of the Rules. Each Covered Entity is required to appoint a HIPAA Privacy Officer and a HIPAA Security Officer, and it is these Officers´ responsibility to ensure every employee and business associate is aware of their HIPAA compliance obligations.

What Rule sets the penalties for violating HIPAA regulations?

The penalties for violating HIPAA regulations were first established in the HIPAA Enforcement Rule in 2006. Subsequent amendments were included in the HITECH Act (2009) and the Omnibus Final Rule (2013) and the current penalties for violating HIPAA regulations are codified under 45 CFR § 160.404 and 45 CFR Part 102 – The Adjustment of Civil Monetary Penalties for Inflation.

What is the penalty for noncompliance with HIPAA?

As mentioned in the above article, the most common penalties for noncompliance with HIPAA include enforced changes to privacy practices, corrective action, and technical assistance. Fewer than 1-in-2,500 complaints received by the Office for Civil Rights result in a monetary penalty for noncompliance with HIPAA.

What are the fines for HIPAA violations?

When the Office for Civil Rights issues a monetary penalty for noncompliance with HIPAA, fines for HIPAA violations can range between $100 per violation to $1.5 million per violation depending on factors such as the nature of the violation, the precautions put in place to prevent the violation, the Covered Entity´s previous compliance history, and the amount of cooperation provided by the Covered Entity during the Office for Civil Rights´ investigation.

What consequences are possible with a Tier 3 violation?

A single Tier 3 violation attributable to willful neglect can attract penalties of up to $63,973 if the reason for the violation is corrected within 30 days of being identified, or up to $1,919,173 if the reason for the violation is not corrected within 30 days of being identified.

What are the 3 types of HIPAA violations?

Although the 3 types of HIPAA violations are discussed above, they could be better described as 1) an organization has made reasonable efforts to comply with HIPAA, 2) the failing was attributable to lack of monitoring or oversight, and 3) the organization made little or no effort to comply with HIPAA despite knowing it had to.

What is considered a HIPAA violation?

This question was also previously discussed, but it is important to reiterate that any failure to comply with the applicable provisions of the Administrative Simplification provisions is considered a HIPAA violation – even if the compliance failure does not result in a data breach.

What are the types of penalties under HIPAA?

There are three types of penalties under HIPAA. Ignoring technical assistance (which is not a penalty), organizations may be required to comply with a Corrective Action Plan and/or required to pay a Civil Monetary Penalty/settlement. The CMS also has the authority to exclude a Covered Entity from participation in the Medicare program.

Can you be fined on a personal basis for HIPAA violations?

Yes. If an investigation into a HIPAA violation finds evidence of a criminal offense, the investigation is referred to the Department of Justice under §1320d-6 of the Social Security Act – “Wrongful Disclosure of Individually Identifiable Health Information”. If an individual is convicted of a criminal offense under this section of the Social Security Act, the Department of Justice can issue fines of up to $50,000 (reasonable cause), $100,000 (false pretenses), or $250,000 (personal gain/malicious intent) in addition to a custodial sentence.

What are the penalties for violating HIPAA that can be issued by the FTC?

The FTC can issue the same penalties for data breaches as HHS´ Office for Civil Rights. However, in September 2021 , the FTC warned vendors of personal health records and PHR-related entities that the failure to comply with the Breach Notification Rule could attract additional penalties of up to $43,792 per violation per day.

What is the most severe HIPAA violation tier?

The most severe HIPAA violation tier is Category 4 – will neglect of the HIPAA Rules with no correction within 30 days. Violations of this nature are the most common to be pursued by State Attorneys General; and, while there is no private right of action under HIPAA, several substantial settlements have been obtained in subsequent antitrust class actions.

What is the maximum criminal penalty that you could be subject to if you violate HIPAA?

The maximum criminal penalty you could be subject to if you violate HIPAA is a $250,000 fine and a custodial sentence of ten years. However, if the perpetrator is a healthcare professional, it is likely they will have their license to practice revoked; while, if the perpetrator is a health plan, it will likely lose its license to provide insurance services nationwide.

What is a HIPAA violation in the workplace?

Whereas most HIPAA violations are attributable to organizations failing to implement policies and procedures to comply with the Administrative Simplification provisions, the term “HIPAA violation in the workplace” usually refers to a member of the organization's workforce failing to comply with an organizational policy or procedure. In most cases, the penalty for a HIPAA violation in the workplace depends on the content of the organization´s HIPAA sanctions policy. However, if the violation is reported to a federal agency and it involves a potentially criminal offense, the penalty could be out of the organization´s hands and dependent on how the Department of Justice views the violation.

Can employees be fired for violating HIPAA?

Employees can be fired for violating HIPAA depending on the nature of the violation, the content of the employer´s sanctions policy, and the previous conduct of the employee. Serious violations of HIPAA – for example, posting patients´ PHI on social media without their authorization – is likely to get an employee fired for a first offense, but lesser violations – for example, disclosing more than the minimum necessary PHI in the workplace – will likely result in a verbal warning, or a written warning for a repeated violation.

What is the largest ever fine for a HIPAA violation?

The largest ever fine for a HIPAA violation occurred in 2018 when Anthem Inc. reached a settlement agreement with HHS´ Office for Civil Rights in the amount of $16 million in respect of a data breach that exposed the PHI of 78.8 million individuals. Subsequent civil actions brought by State Attorneys General and individuals impacted by the data breach resulted in further settlements of $39.5 million and $115 million respectively.

What happens to the money collected in HIPAA violation fines?

At present, the money collected in HIPAA violation fines and settlements by HHS´ Office for Civil Rights is paid into the U.S. Treasury General Fund. However, in 2022, HHS issued a Request for Information seeking comments on a yet-to-be-enacted clause of the HITECH Act that advocates “settlement sharing” with individuals who have experienced harm as a consequence of a HIPAA data breach.

Is it a HIPAA violation to email PHI to patients?

It is a HIPAA violation to email PHI to patients unless the patients have requested to receive PHI by email and have been warned of the consequences of communicating PHI over unsecure channels of communication. Both the patients´ requests and the warnings should be documented to respond to any future complaints if PHI sent in an email is corrupted or accessed without authorization during transit or once at rest on the recipients’ devices.

Can you be sanctioned for an accidental HIPAA violation?

You can be sanctioned for an accidental HIPAA violation because, with the exception of knowingly obtaining PHI for personal gain, neither the Privacy Rule nor the Security Rule distinguish between deliberate and accidental HIPAA violations. Therefore, a member of a Covered Entity´s workforce could be sanctioned for an accidental HIPAA violation – although this will depend on the content of a sanctions policy and how the policy is applied in each event.

Are lost medical records a HIPAA violation?

Lost medical records are a HIPAA violation because – even though they are lost – they are a “disclosure” not permitted by the Privacy Rule. Additionally, if the medical records were maintained electronically, losing the medical records demonstrates a lack of compliance with the Audit Control standard of the Security Rule. Because the medical records are lost, the HIPAA violation is a notifiable event under the Breach Notification Rule unless a Covered Entity or Business Associate can demonstrate “a low probability that PHI has been compromised”. As it is not possible to know whether PHI has been compromised or not, this exception does not apply.

Are HIPAA violations criminal?

Some HIPAA violations are criminals. although most are civil matters. A criminal HIPAA violation occurs when the violation is attributable to an individual knowingly obtaining or disclosing individually identifiable health information – usually for personal gain. In such cases, the violation may be referred by HHS´ Office for Civil Rights to the Department of Justice for a criminal investigation. If found guilty, the individual can be fined up to $250,000 and sentenced to up to ten years in jail.

Are penalties for HIPAA violations always due to data breaches?

Historically, penalties for HIPAA violations were most often due to data breaches. However, in recent years, HHS´ Office for Civil Rights has pursued enforcement action against Covered Entities that refuse patients´ requests to obtain a copy of PHI or an accounting of disclosures. Although the agency still issues penalties for HIPAA violations that result in data breaches, dozens of Covered Entities have been fined for patients´ rights violations.

How does HHS´ Office for Civil Rights find out about HIPAA violations?

HHS´ Office for Civil Rights most often finds out about HIPAA violations in two ways. The first is via the OCR Portal – an online service that can be used by individuals and workforce members to file complaints against a Covered Entity or Business Associate. The second way in which HHS´ Office for Civil Rights finds out about HIPAA violations is when a Covered Entity notifies the agency of an unauthorized disclosure of unsecured PHI.

If a common workplace practice violates HIPAA, what happens then?

There are a number of circumstances in which a common workplace practice may violate HIPAA, and the consequences of the violation depends on who is responsible for allowing the non-compliant workplace practice to exist or develop. Covered Entities and Business Associates are required to develop policies and procedures that comply with HIPAA and monitor compliance with them. If an organization fails to develop compliant policies and practices or fails to monitor compliance – due to which non-compliant workplace practices develop – the organization is violating HIPAA. However, if a common workplace practice develops that violates HIPAA, that workplace members have been told about, and that could not have been identified if monitored (for example, sharing passwords to EHR systems), each individual that engages in the non-compliant workplace practice is violating HIPAA and could be sanctioned when the non-compliance is identified.

Can businesses not covered by HIPAA be fined for HIPAA violations?

Some businesses not covered by HIPAA can be fined for HIPAA violations. For example, vendors of connected health apps that collect or use consumers´ health information are not covered by the HIPAA privacy or Security Rules, but are required to comply with the Breach Notification Rule. The FTC has previously fined businesses of this type that have failed to notify consumers when their unsecured data has been breached.

What role does CMS have in enforcing HIPAA compliance?

The Centers for Medicare and Medicaid Services (CMS) enforces the HIPAA Administrative Requirements relating to claims transactions (45 CFR Part 162). Although the CMS has never issued a fine for a HIPAA violation, it investigates complaints relating to claims transactions and can require Covered Entities and Business Associates to comply with a Corrective Action Plan.

Is it a HIPAA violation if medical information is sent to the wrong person?

It is a HIPAA violation if identifying medical information is sent to the wrong person because the recipient of the information is not authorized to receive the information and therefore the disclosure is not permitted by the Privacy Rule. Whether or not the violation is a notifiable event (to HHS and the subject of the information) depends on who received the information and the likelihood of the information being further disclosed.

Are all reports of HIPAA violations made to HHS´ Office for Civil Rights?

Although thousands of reports of HIPAA violations are made to HHS´ Office for Civil Rights every year, HIPAA violations can also be reported to the organization at which the violation occurred or to the State Attorneys General. However, if the violation resulted in a breach of unsecured PHI, the organization or State Attorney General must escalate the report to HHS´ Office for Civil Rights.

How long do you have to report a HIPAA violation?

How long you have to report a HIPAA violation depends on the nature of the violation. If you are filing a complaint about a HIPAA violation to HHS´ Office for Civil Rights, you have 180 days from the discovery of the violation to report it. Complaints made to Covered Entities and State Attorney Generals do not have the same time limitations, but both can decline to respond to a report or complaint if it is unreasonable to do so. HIPAA violations that result in impermissible disclosures of PHI or data breaches must be reported to affected individuals and HHS´ Office for Civil Rights within 60 days from the discovery of the violation. The exception to this rule is when a data breach affects fewer than 500 individuals, in which case reports to HHS´ Office for Civil Rights can be delayed until the end of the year (individuals still have to be notified within 60 days).

HIPAA Violation Penalties

HIPAA violation penalties include civil monetary penalties assessed by the HHS Office for Civil Rights under a four-tier framework with inflation-adjusted per-violation amounts and calendar-year caps for identical violations, as well as separate criminal penalties that may apply to certain knowing conduct involving individually identifiable health information.

Civil monetary penalties apply when the HHS Office for Civil Rights determines that a HIPAA Covered Entity or Business Associate failed to comply with an administrative simplification requirement, including obligations under the HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach Notification Rule. The tier assigned depends on the level of culpability, ranging from lack of knowledge despite reasonable diligence through willful neglect that remains uncorrected after the allowed correction period. The number of violations and how the agency groups violations as identical requirements or prohibitions influence the final penalty amount.

For penalties assessed on or after January 28, 2026, the inflation-adjusted civil monetary penalty minimums are $145 per violation for Tier 1, $1,461 per violation for Tier 2, $14,602 per violation for Tier 3, and $73,011 per violation for Tier 4. The maximum penalty per violation is $73,011 for Tiers 1 through 3. The Tier 4 maximum penalty per violation is $2,190,294. The published annual limit for identical violations within a calendar year is $2,190,294.

The HHS Office for Civil Rights has also applied a 2019 enforcement discretion approach related to annual penalty limits for Tiers 1 through 3 based on its interpretation of the HITECH Act penalty caps. Under that approach, the agency applies lower annual caps for identical violations in Tiers 1 through 3 while retaining the higher annual cap for Tier 4. Using the inflation-adjusted figures associated with that approach for 2026, the annual cap is $36,505.50 for Tier 1, $146,053 for Tier 2, $365,052 for Tier 3, and $2,190,294 for Tier 4. These annual caps affect total exposure when multiple violations of the same requirement occur within the same calendar year, including situations where a per-violation maximum exceeds the annual cap.

Penalty determination also considers case-specific factors described in HIPAA enforcement. The HHS Office for Civil Rights evaluates the nature and extent of the violation, the nature and extent of harm, and the entity’s compliance history and response posture. These factors interact with corrective action timing, documented risk analysis and risk management under the HIPAA Security Rule, and the presence or absence of policies, online HIPAA training, audit controls, and incident response procedures. A provider or Business Associate that discovers an issue and implements verifiable remediation can still face penalties, but corrective action influences the agency’s resolution strategy and penalty calculations.

Civil monetary penalties are one enforcement outcome, not the only enforcement outcome. Many matters resolve through settlement agreements or other resolution terms that include a payment and a corrective action plan. These resolutions can impose multi-year obligations such as policy updates, workforce training, risk analysis updates, regular reporting, and monitoring of safeguards. A corrective action plan can require operational changes such as access control improvements, audit log review procedures, encryption controls aligned with risk analysis decisions, and tightened procedures for workforce access and disclosures.

Criminal penalties are separate from civil enforcement and apply to certain knowing misconduct involving individually identifiable health information. Criminal cases can involve a person knowingly obtaining or disclosing individually identifiable health information in violation of law, with higher penalty levels when conduct involves false pretenses or intent to sell, transfer, or use the information for commercial advantage, personal gain, or malicious harm. Criminal enforcement can include fines and imprisonment and follows criminal justice processes rather than administrative investigation procedures.

HIPAA enforcement can also involve state-level action. State attorneys general have authority to bring civil actions on behalf of residents for certain HIPAA violations and to seek relief authorized by law. This enforcement channel can proceed independently from federal administrative enforcement and can increase exposure for organizations with multi-state operations or large incident footprints.

Organizations should also account for non-penalty impacts that follow a HIPAA violation finding or resolution. Corrective action obligations consume compliance resources, increase audit and monitoring requirements, and require sustained documentation and leadership oversight. Operational disruption can occur during system containment, restoration, and control redesign after security incidents involving electronic protected health information, and those operational impacts occur alongside regulatory outcomes.

HIPAA violation penalties therefore include tiered civil monetary penalties with inflation-adjusted ranges and annual caps, potential criminal penalties for certain knowing conduct, and enforcement resolutions that frequently impose ongoing compliance obligations beyond a payment.

HIPAA Violation Penalties

James Keogh