HIPAA Violation Penalties

HIPAA violation penalties are the consequences of a Covered Entity, Business Associate, or PHR vendor failing to comply – when applicable – with the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act.  

In 1996, the Health Insurance Portability and Accountability Act (HIPAA) paved the way for the development of the Administrative Simplification provisions. The Administrative Simplification provisions have the objectives of:

  • Making the administration of health care claims more efficient,
  • Protecting the privacy of individually identifiable health information,
  • Giving patients’ rights over access to, and uses of, their health information,
  • Safeguarding the confidentiality, integrity, and availability of electronic health information, and
  • Ensuring the timely notification of data breaches to affected individuals and HHS’ Office for Civil Rights.

Additionally, the Administrative Simplification provisions detail what constitutes a HIPAA violation, the process for HIPAA violation reporting, the HIPAA violation categories, and – when an organization is found not to be in compliance with HIPAA – the HIPAA violation penalties.

What Constitutes a HIPAA Law Violation?

A HIPAA law violation is the failure to comply with any applicable standard in the Administrative Simplification provisions regardless of whether the violation results in a data breach or not. For example, the failure to respond to a patient access request constitutes a HIPAA law violation in which no data breach has occurred.

However, not every organization has to comply with every HIPAA law. Covered Entities are required to comply with all of the Administrative Simplification provisions. Business Associates must comply with all of the Security Rule and the Breach Notification Rule, but may only be required to comply with parts of the Administrative Requirements and the Privacy Rule, depending on the service being provided.

Vendors of Personal Health Records (PHRs), PHR-related entities, and service providers to PHR vendors or PHR-related entities are not Covered Entities or Business Associates. They are required only to comply with the FTC’s Health Breach Notification Rule, although it is advisable for them to implement measures to safeguard electronic health information that is “managed, shared or controlled for the individual”.

HIPAA Violation Examples

  • The failure to comply with transaction standards, operating rules, or code sets.
  • Impermissible uses and disclosures of Protected Health Information (PHI).
  • The failure to respond to patient access, correction, and data transfer requests.
  • The failure to implement measures to safeguard electronic PHI.
  • The failure to notify a breach of unsecured PHI within the appropriate time.

The Process for HIPAA Violation Reporting

The process for HIPAA violation reporting varies according to the nature of the HIPAA violation. With regards to the HIPAA violation examples provided above:

  • The failure to comply with transaction standards, operating rules, or code sets should be reported to the Centers for Medicare & Medicaid Services (CMS) via the ASETT portal.
  • Impermissible uses and disclosures, the failure to respond to patients’ requests, and the failure to implement security measures should be reported to HHS’ Office for Civil Rights.
  • Additionally, affected individuals can report HIPAA violations of the above nature to the Covered Entity or Business Associate responsible for the violation, or to their State Attorney General.
  • Reports relating to the failure to notify a breach should be made to HHS’ Office for Civil Rights if the organization is a Covered Entity or Business Associate, or to the Federal Trade Commission (FTC) if the organization is a PHR vendor, PHR-related entity, or service provider to a PHR vendor.

Regardless of the agency to whom a report is made, the process post-HIPAA violation reporting is much the same. Reports are reviewed to ensure they meet the criteria of timeliness and relevance (i.e., that they actually violate a HIPAA Rule), and that they have been reported to the correct agency. Reports submitted to the wrong agency are not forwarded. They are rejected.

Once a report of a HIPAA violation is accepted, the agency notifies the complainant and the organization and requests information about the alleged violation to conduct an investigation. If a violation is confirmed, the agency will attempt to resolve the case by voluntary compliance or technical assistance if required. If this is not possible, there may be more serious consequences.

HIPAA Violation Consequences

When a serious HIPAA violation is identified, the agencies can impose a Corrective Action Plan requiring organizations to adopt HIPAA-compliant policies and procedures and demonstrate proof of compliance. Although not a HIPAA violation fine, compliance with a Corrective Action Plan can cost organizations money due to changing procedures and disrupting business operations.

There is also an argument that, when healthcare providers are required to comply with a Corrective Action Plan, it affects the delivery of patient care. Although the study on which this argument is based demonstrates a negligible deterioration in patient care, each healthcare provider is different, and a complex Corrective Action Plan could have more serious HIPAA violation consequences.

HIPAA Violation Fines

In the most serious cases, CMS, HHS’ Office for Civil Rights, and the FTC have the authority to issue Civil Monetary Penalties (HIPAA violation fines). Penalty amounts vary according to which of the HIPAA violation categories the violation falls into, the efforts made to correct the violation or contain its consequences, and the cooperation provided during the investigation.

Other factors that may increase or decrease the amount of HIPAA violation fines include the length of time a violation was allowed to continue, the organization’s prior record of compliance, and, in the event of a data breach, the number of records exposed and whether the breach caused physical or financial harm or affected individuals’ access to healthcare.

Recent Penalties for HIPAA Violations

It is important for organizations to be aware that penalties for HIPAA violations are not only attributable to data breaches. Many recent penalties for HIPAA violations relate to the failure to respond to patient access, correction, and data transfer requests in a timely manner, HHS’ Office for Civil Rights clearly sending a message that this type of violation will not be tolerated.

  • HIPAA Right of Access Settlement of $30K for NJ Plastic Surgery Clinic
  • OCR Sanctions $1M HIPAA Fine on Lifespan for Lack of Encryption
  • $25,000 Settlement for HIPAA Security Rule Noncompliance
  • Korunda Medical Fined $85,000 for HIPAA Right of Access Failures
  • $2.15 Million Civil Monetary Penalty for Multiple HIPAA Violations
  • Premera Blue Cross Settles Multi-State Action for $10 Million

HIPAA Violation Settlement Amounts

Although the term HIPAA violation fines is used to describe both Civil Monetary Penalties and HIPAA violation settlements, there is a distinction between the two. One of the factors in determining the amount of a HIPAA violation fine is the organization’s “financial condition”. 45 CFR §160.408 of the Administrative Simplification provisions states that agencies should consider:

“Whether the imposition of a civil money penalty would jeopardize the ability of the Covered Entity or Business Associate to continue to provide, or to pay for, health care.”

Because of this clause, there are circumstances when two organizations can be found non-compliant with the same provision(s) of HIPAA – and the consequences of the non-compliance are the same – yet the HIPAA violation settlement amount for each is different. In some cases, the fines could be the absolute minimum and absolute maximum of the same HIPAA violation category.

HIPAA Violation Categories

Before the HITECH Act, the HIPAA Enforcement Rule (proposed in 2005 and finalized in 2006) capped civil money penalties at $100 per violation and $25,000 per calendar year for violations of an identical provision, and a Covered Entity had an affirmative defense if it did not know, and by exercising reasonable diligence would not have known, that it was violating HIPAA. The Breach Notification Rule (interim final rule, 2009) is a separate rule that required Covered Entities and Business Associates to report breaches of unsecured PHI; its original “harm threshold”, under which a breach did not have to be reported if it posed no significant risk of harm, was replaced by the 2013 Omnibus Final Rule with a presumption that an impermissible use or disclosure is a reportable breach unless a risk assessment shows a low probability that the PHI was compromised.

Also in 2009, the HITECH Act introduced the tiered HIPAA violation categories in use today. The categories are based on the organization’s level of culpability and the efforts made by the organization to correct the violation once it is identified. The full description of the four HIPAA violation categories summarized below can be found in 45 CFR §160.404 of the Administrative Simplification provisions:

  • Category 1: A violation that the organization was unaware of and could not realistically have avoided even if a reasonable amount of care had been taken to comply with HIPAA.
  • Category 2: A violation that the organization knew of, or should have known of, but that was not due to willful neglect (“reasonable cause”).
  • Category 3: A violation directly due to “willful neglect” of the HIPAA Rules, where the violation was corrected within 30 days of the organization becoming aware of it.
  • Category 4: A violation due to willful neglect of the HIPAA Rules, where the violation was not corrected within 30 days.

The HIPAA Violation Penalty Structure

While the HIPAA violation categories listed above determine culpability, the actual amount of a Civil Monetary Penalty or settlement falls within minimum and maximum limits allowed per category. These limits were originally established in the HITECH Act and have subsequently been amended to account for inflation.

Category  Level of culpability                           Min. per violation  Max. per violation  Annual limit (2022)
1         Lack of knowledge                              $127                $63,973             $1,919,173
2         Reasonable cause                               $1,280              $63,973             $1,919,173
3         Willful neglect, corrected within 30 days      $12,794             $63,973             $1,919,173
4         Willful neglect, not corrected within 30 days  $63,973             $1,919,173          $1,919,173

The HIPAA Violation Tiers Revised

In April 2019, the Department of Health and Human Services issued a notice of enforcement discretion stating that it had re-examined the text of the HITECH Act and concluded that its earlier reading, under which every tier carried the same $1.5 million annual cap, was not the better interpretation. Under the notice, the annual penalty limit was lowered for three of the four tiers to the tier-specific caps stipulated by the HITECH Act ($25,000, $100,000, and $250,000), with the fourth tier remaining at $1.5 million; all four amounts are then adjusted for inflation. The per-violation minimums and maximums were not changed.

One consequence is that the annual penalty limit for Category 1 is now less than the maximum penalty for a single Category 1 violation. This anomaly is expected to be addressed in future rulemaking, but the following limits, inflation-adjusted with effect from 17 March 2022, are being applied to HIPAA violation penalties under the indefinite notice of enforcement discretion.

Category  Level of culpability                           Min. per violation  Max. per violation  Annual limit (2022)
1         Lack of knowledge                              $127                $63,973             $30,487
2         Reasonable cause                               $1,280              $63,973             $121,946
3         Willful neglect, corrected within 30 days      $12,794             $63,973             $304,865
4         Willful neglect, not corrected within 30 days  $63,973             $1,919,173          $1,919,173

Attorney Generals and HIPAA

The HITECH Act also gave State Attorneys General the power to bring civil actions in federal district court on behalf of state residents whose interests have been, or are threatened to be, adversely affected by a HIPAA violation. These actions can recover statutory damages of up to $100 per violation, capped at $25,000 per calendar year for violations of an identical provision, plus attorneys’ fees, in addition to any HIPAA violation penalties imposed by federal agencies.

Connecticut was the first state to exercise this power, in 2010, and Vermont, Indiana, Minnesota, and Massachusetts followed; multi-state actions, such as the Premera Blue Cross settlement listed above, have since involved many more states. Since State Attorneys General offices can retain a share of the amounts recovered, more attorneys general may decide to pursue HIPAA violations in the future.

HIPAA Criminal Penalties

When individuals are responsible for the theft, loss, or unauthorized disclosure of PHI, the most common consequence is the loss of employment. However, in the most serious HIPAA violations, criminal charges can be filed against the individual(s) responsible.

Criminal penalties for HIPAA violations are divided into tiers, and several factors affect the penalty imposed. If an individual has profited from the theft or unauthorized disclosure of PHI, a court may order restitution of the money received in addition to a fine and/or a custodial sentence. The tiers for HIPAA criminal penalties are:

  • Tier 1: Knowingly obtaining or disclosing PHI in violation of HIPAA – a fine of up to $50,000 and/or up to 1 year in jail
  • Tier 2: Obtaining or disclosing PHI under false pretenses – a fine of up to $100,000 and/or up to 5 years in jail
  • Tier 3: Obtaining or disclosing PHI with intent to sell it, use it for commercial advantage or personal gain, or cause malicious harm – a fine of up to $250,000 and/or up to 10 years in jail

Criminal HIPAA cases are prosecuted by the Department of Justice, and State Attorneys General also pursue data theft by healthcare workers under state law. Courts have imposed custodial sentences in such cases as a deterrent to those tempted by the potential financial gains, so a jail term for the theft of PHI is a realistic possibility. HIPAAJournal.com maintains a list of jail terms for HIPAA violations by employees.

Unknowing Violation of HIPAA

Ignorance of the HIPAA Rules is not regarded as a justifiable defense when an organization is investigated for violating HIPAA. An example of this occurred in 2017, when the remote cardiac monitoring service CardioNet agreed to pay $2.5 million to settle potential violations that stemmed from failing to fully understand the HIPAA requirements and consequently failing to conduct a complete risk assessment.

Because of the incomplete risk assessment, the unsecured PHI of 1,391 individuals was potentially disclosed as the result of an employee error: a laptop containing the data was stolen from a car parked outside the employee’s home. Office for Civil Rights Director Roger Severino described this incident as a case of unknowingly violating HIPAA by disregarding security and not safeguarding the information properly.

HIPAA Compliance Audits and Penalties for HIPAA Violations

If the Office for Civil Rights conducts a HIPAA compliance audit, and a Covered Entity or Business Associate is found not to be in compliance with HIPAA, the Office for Civil Rights has the authority to issue penalties for HIPAA violations even if there has been no breach of unsecured PHI or no complaint.

The first phase of HIPAA compliance audits was conducted in 2011/2012 and revealed many Covered Entities were struggling with compliance. The Office for Civil Rights provided technical assistance to help correct areas of noncompliance and no penalties for HIPAA violations were issued at the time. They were given several years to improve their performance before another audit was scheduled.

The audits discovered that the biggest area of noncompliance was the failure to conduct a comprehensive, organization-wide risk assessment. Risk assessments are critical to a Covered Entity’s compliance efforts. If a risk assessment is not conducted, a Covered Entity will be unaware of any vulnerabilities that pose a risk to the confidentiality, integrity, and availability of PHI.

The failure to complete Business Associate Agreements (BAAs) with third-party service providers can also result in penalties for HIPAA noncompliance. In September 2016, the Care New England Health System agreed to a $400,000 settlement for HIPAA noncompliance that included the failure to revise a BAA originally signed in March 2005.

HIPAA Violation Penalties: FAQs

What is a HIPAA violation?

A HIPAA violation is a failure to comply with any applicable provisions in the Administrative Simplification provisions. There does not have to be a data breach for a HIPAA violation to occur, and penalties can be imposed for (for example) the failure to provide staff training, the failure to allow patients access to PHI, and the failure to retain documents for the required time.

What constitutes a HIPAA violation?

The failure to develop and enforce HIPAA-compliant policies and procedures can also constitute a HIPAA violation. If there are no policies or procedures to guide staff on how to perform their roles compliantly, and a data breach subsequently occurs, organizations can be sanctioned for the failure to develop policies and the failure to train staff on policies as well as for the data breach.

What are the consequences for violating HIPAA?

This depends on the nature of the violation and how much harm results from it. If a violation occurs that the Covered Entity was unaware of and could not realistically have avoided even if a reasonable amount of care had been taken to comply with HIPAA, the consequences will be relatively minor. However, if an individual violates HIPAA contrary to the policies enforced by their employer, they could lose their job and spend up to ten years in jail.

What is the civil penalty for unknowingly violating HIPAA?

Lack of knowledge lowers the minimum per-violation penalty (Category 1) but is not a defense, because there is no justification for a Covered Entity, or an individual trained on a Covered Entity’s policies, to be unaware of the Rules. Each Covered Entity is required to appoint a HIPAA Privacy Officer and a HIPAA Security Officer, and it is these Officers’ responsibility to ensure every employee and Business Associate is aware of their HIPAA compliance obligations. Note, however, that under 45 CFR §160.410 a Civil Monetary Penalty may not be imposed for a violation that is not due to willful neglect and is corrected within 30 days of the organization knowing, or with reasonable diligence being in a position to know, of the violation.

What Rule sets the penalties for violating HIPAA regulations?

The original penalty amounts were set by HIPAA itself (42 U.S.C. §1320d-5) and implemented by the HIPAA Enforcement Rule (proposed in 2005 and finalized in 2006). Subsequent amendments were made by the HITECH Act (2009) and the Omnibus Final Rule (2013), and the current penalties for violating HIPAA regulations are codified at 45 CFR §160.404 and 45 CFR Part 102 (Adjustment of Civil Monetary Penalties for Inflation).

What is the penalty for noncompliance with HIPAA?

As mentioned in the above article, the most common penalties for noncompliance with HIPAA include enforced changes to privacy practices, corrective action, and technical assistance. Fewer than 1-in-2,500 complaints received by the Office for Civil Rights result in a Civil Monetary Penalty for noncompliance with HIPAA.

What are the fines for HIPAA violations?

When a federal enforcement agency issues a Civil Monetary Penalty for noncompliance with HIPAA, fines for HIPAA violations currently range between $127 per violation and $1,919,173 per violation depending on factors such as the nature of the violation, the precautions put in place to prevent the violation, the organization’s previous compliance history, and the amount of cooperation provided by the organization during the agency’s investigation.

What consequences are possible with a Tier 3 violation?

A single Tier 3 violation attributable to willful neglect can attract penalties of up to $63,973 if the reason for the violation is corrected within 30 days of being identified, or up to $1,919,173 if the reason for the violation is not corrected within 30 days of being identified.

What are the 3 types of HIPAA violations?

Although the 3 types of HIPAA violations are discussed above, they could be better described as 1) an organization has made reasonable efforts to comply with HIPAA, 2) the failing was attributable to lack of monitoring or oversight, and 3) the organization made little or no effort to comply with HIPAA despite knowing it had to.

What is considered a HIPAA violation?

This question was also previously discussed, but it is important to reiterate that any failure to comply with the applicable provisions of the Administrative Simplification provisions is considered a HIPAA violation – even if the compliance failure does not result in a data breach.

What are the types of penalties under HIPAA?

There are three types of penalties under HIPAA. Ignoring technical assistance (which is not a penalty), organizations may be required to comply with a Corrective Action Plan and/or required to pay a Civil Monetary Penalty/settlement. The CMS also has the authority to exclude a Covered Entity from participation in the Medicare program.

Can you be fined on a personal basis for HIPAA violations?

Yes. If an investigation into a HIPAA violation finds evidence of a criminal offense, the case is referred to the Department of Justice for prosecution under 42 U.S.C. §1320d-6 (section 1177 of the Social Security Act), “Wrongful Disclosure of Individually Identifiable Health Information”.

If an individual is convicted of a criminal offense under this section, a court can impose fines of up to $50,000 (knowing violation), $100,000 (false pretenses), or $250,000 (commercial advantage, personal gain, or malicious harm) in addition to a custodial sentence.

What are the penalties for violating HIPAA that can be issued by the FTC?

The FTC does not enforce the HIPAA Rules; it enforces the Health Breach Notification Rule for PHR vendors, PHR-related entities, and their service providers. In September 2021, the FTC issued a policy statement warning these organizations that a violation of that Rule is treated as a violation of an FTC trade regulation rule and can attract civil penalties of up to $43,792 per violation per day (the inflation-adjusted amount at the time).

What is the most severe HIPAA violation tier?

The most severe HIPAA violation tier is Category 4: willful neglect of the HIPAA Rules with no correction within 30 days. While there is no private right of action under HIPAA, State Attorneys General can bring civil actions for violations that affect state residents, and several substantial settlements have been obtained in data breach class actions brought under state law.

What is the maximum criminal penalty that you could be subject to if you violate HIPAA?

The maximum criminal penalty you could be subject to if you violate HIPAA is a $250,000 fine and a custodial sentence of ten years. A healthcare professional convicted of such an offense is also likely to have their license to practice revoked, and a health plan may face regulatory action affecting its licenses.

What is a HIPAA violation in the workplace?

Whereas most HIPAA violations are attributable to organizations failing to implement policies and procedures to comply with the Administrative Simplification provisions, the term “HIPAA violation in the workplace” usually refers to a member of the organization’s workforce failing to comply with an organizational policy or procedure.

In most cases, the penalty for a HIPAA violation in the workplace depends on the content of the organization’s HIPAA sanctions policy. However, if the violation is reported to a federal agency and it involves a potentially criminal offense, the penalty could be out of the organization’s hands and dependent on how the Department of Justice views the violation.