HIPAA violation penalties are the consequences of a Covered Entity, Business Associate, or PHR vendor failing to comply – when applicable – with the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act.
In 1996, the Health Insurance Portability and Accountability Act (HIPAA) paved the way for the development of the Administrative Simplification provisions. The Administrative Simplification provisions have the objectives of:
- Making the administration of health care claims more efficient,
- Protecting the privacy of individually identifiable health information,
- Giving patients’ rights over access to, and uses of, their health information,
- Safeguarding the confidentiality, integrity, and availability of electronic health information, and
- Ensuring the timely notification of data breaches to affected individuals and HHS’ Office for Civil Rights.
Additionally, the Administrative Simplification provisions detail what constitutes a HIPAA violation, the process for HIPAA violation reporting, the HIPAA violation categories, and – when an organization is found not to be in compliance with HIPAA – the HIPAA violation penalties.
What Constitutes a HIPAA Law Violation?
A HIPAA law violation is the failure to comply with any applicable standard in the Administrative Simplification provisions regardless of whether the violation results in a data breach or not. For example, the failure to respond to a patient access request constitutes a HIPAA law violation in which no data breach has occurred.
However, not every organization has to comply with every HIPAA law. While Covered Entities are required to comply with all the Administrative Simplification provisions, Business Associates may only be required to comply with parts of the Administrative Requirements and the Privacy Rule (depending on the service being provided), along with all the Security Rule and Breach Notification Rule.
Additionally, while it is advisable for vendors of Personal Health Records (PHRs) to implement measures to safeguard electronic PHI if it is “managed, shared or controlled for the individual”, PHR vendors, PHR-related entities, and service providers to PHR vendors/related entities are only required to comply with the Breach Notification Rule.
HIPAA Violation Examples
- The failure to comply with transaction standards, operating rules, or code sets.
- Impermissible uses and disclosures of Protected Health Information (PHI).
- The failure to respond to patient access, correction, and data transfer requests.
- The failure to implement measures to safeguard electronic PHI.
- The failure to notify a breach of unsecured PHI within the appropriate time.
The Process for HIPAA Violation Reporting
The process for HIPAA violation reporting varies according to the nature of the HIPAA violation. With regards to the HIPAA violation examples provided above:
- The failure to comply with transaction standards, operating rules, or code sets should be reported to the Centers for Medicare and Medicaid Services (CMS) via the ASETT portal.
- Impermissible uses and disclosures, the failure to respond to patients’ requests, and the failure to implement security measures should be reported to HHS’ Office for Civil Rights.
- Additionally, affected individuals can report HIPAA violations of the above nature to the Covered Entity or Business Associate responsible for the violation, or their State Attorney General.
- Reports relating to the failure to notify a breach should be made to HHS´ Office for Civil Rights if the organization is a Covered Entity or Business Associate, or the Federal Trade Commission (FTC) if the organization is a PHR vendor, PHR-related entity, or service provider to a PHR.
Regardless of the agency to whom a report is made, the process post-HIPAA violation reporting is much the same. Alleged HIPAA violation cases are reviewed to ensure they meet the criteria of timeliness and relevance (i.e., that they actually violate a HIPAA Rule), and that they have been reported to the correct agency. Reports submitted to the wrong agency are not forwarded. They are rejected.
Once a report of a HIPAA violation is accepted, the agency notifies the complainant and the organization and requests information about the alleged violation to conduct an investigation. If a violation is confirmed, the agency will attempt to resolve the case by voluntary compliance or technical assistance if required. If this is not possible, there may be more serious consequences.
HIPAA Violation Consequences
When a serious HIPAA violation is identified, the agencies can impose a Corrective Action Plan requiring organizations to adopt HIPAA-compliant policies and procedures and demonstrate proof of compliance. Although not a HIPAA violation fine, compliance with a Corrective Action Plan can cost organizations money due to changing procedures and disrupting business operations.
There is also an argument that, when healthcare providers are required to comply with a Corrective Action Plan, it affects the delivery of patient care. Although the study on which this argument is based demonstrates a negligible deterioration in patient care, each healthcare provider is different, and a complex Corrective Action Plan could have more serious HIPAA violation consequences.
HIPAA Violation Fines
In the most serious cases, CMS, HHS´ Office for Civil Rights, and the FTC have the authority to issue Civil Monetary Penalties (HIPAA violation fines). Penalty amounts vary according to which of the HIPAA violation categories the violation relates to, the efforts made to correct – or contain the consequences of – the violation, and the assistance provided during the investigation.
Other factors that may increase or decrease the amount of HIPAA violation fines include the length of time a violation was allowed to continue, the organization’s prior record of compliance, and – in the event of a data breach – the number of records exposed and whether the data breach has caused physical or financial harm or affected individuals’ access to healthcare.
Recent Penalties for HIPAA Violations
It is important for organizations to be aware that penalties for HIPAA violations are not only attributable to data breaches. Many recent penalties for HIPAA violations relate to the failure to respond to patient access, correction, and data transfer requests in a timely manner – HHS’ Office for Civil Rights clearly sending a message that this type of violation will not be tolerated.
- HIPAA Right of Access Case Breach Settlement of $30K for NJ Plastic Surgery Clinic
- OCR Sanctions $1M HIPAA Fine on Lifespan for Lack of Encryption
- $25,000 Settlement for HIPAA Security Rule Noncompliance
- Korunda Medical fined $85,000 Penalty for HIPAA Right of Access Failures
- $2.15 Million Civil Monetary Penalty for Multiple HIPAA Violations
- Premera Blue Cross Settles Multi-State Action Lawsuit for $10 Million
HIPAA Violation Settlement Amounts
Although the term HIPAA violation fines is used to describe both Civil Monetary Penalties and HIPAA violation settlements, there is a distinction between the two. This is because one of the factors in determining the amount of a HIPAA violation fine is the organization’s “financial condition”. Clause §160.408 of the Administrative Simplification provisions states agencies should consider:
“Whether the imposition of a civil money penalty would jeopardize the ability of the Covered Entity or Business Associate to continue to provide, or to pay for, health care.”
Because of this clause, there are circumstances when two organizations can be found non-compliant with the same provision(s) of HIPAA – and the consequences of the non-compliance are the same – yet the HIPAA violation settlement amount for each is different. In some cases, the fines could be the absolute minimum and absolute maximum of the same HIPAA violation category.
HIPAA Violation Categories
When the HIPAA Enforcement Rule was published in 2005, agencies could only pursue enforcement action if it could be proved an individual had suffered harm due to the willful neglect of a Covered Entity. The Breach Notification Rule of 2009 amended the Enforcement Rule so that all organizations had to report data breaches unless it could be proved no harm had occurred.
Also in 2009, the HITECH Act introduced new HIPAA violation categories. The categories are based on the organization’s level of culpability and the efforts made by the organization to correct the violation once it is identified. The full description of the four HIPAA violation categories summarized below can be found in §160.404 of the Administrative Simplification provisions:
- Category 1: A violation that the organization was unaware of and could not have realistically avoided had a reasonable amount of care been taken to comply with HIPAA.
- Category 2: A violation of HIPAA that the organization should have been aware of but could not have avoided even with a reasonable amount of care.
- Category 3: A violation directly due to “willful neglect” of the HIPAA Rules, in cases where an attempt has been made to correct the violation.
- Category 4: A violation of HIPAA Rules constituting willful neglect, where no attempt has been made to correct the violation within 30 days.
The HIPAA Violation Penalty Structure
While the HIPAA violation categories listed above determine culpability, the actual amount of a Civil Monetary Penalty or settlement falls within minimum and maximum limits allowed per category. These limits were originally established in the HITECH Act and have subsequently been amended to account for inflation.
| Penalty Category | Level of Culpability | Minimum Penalty per Violation | Maximum Penalty per Violation | Annual Penalty Limit (2022) |
|---|---|---|---|---|
| 1 | Lack of Knowledge | $127 | $63,973 | $1,919,173 |
| 4 | Willful Neglect not Corrected within 30 days | $63,973 | $1,919,173 | $1,919,173 |
The HIPAA Violation Tiers Revised
In 2019, the Department of Health and Human Services re-examined the text of the HITECH Act and determined that the language had been misinterpreted. It was determined the maximum penalty limit should be revised for three of the four HIPAA violation tiers, with the annual limits being reset to those originally stipulated by the HITECH Act and then amended to account for inflation.
The consequence was that the annual penalty limit for Category 1 penalties is now less than the maximum penalty per Category 1 violation. This anomaly is expected to be addressed in future rulemaking, but – from 17 March 2022 – the following limits are being applied to HIPAA violation penalties via an indefinite notice of enforcement discretion.
| Penalty Category | Level of Culpability | Minimum Penalty per Violation | Maximum Penalty per Violation | Annual Penalty Limit (2022) |
|---|---|---|---|---|
| 1 | Lack of Knowledge | $127 | $63,973 | $30,487 |
| 4 | Willful Neglect not Corrected within 30 days | $63,973 | $1,919,173 | $1,919,173 |
Attorneys General and HIPAA
The HITECH Act also gave State Attorneys General the power to hold organizations accountable for violations of HIPAA when PHI of state residents is exposed in a data breach. State Attorneys General can issue fines for HIPAA violations of up to $25,000 in addition to the HIPAA violation penalties imposed by federal agencies and file civil actions against the organization with federal District Courts.
At present only the states of Connecticut, Massachusetts, Indiana, Vermont, and Minnesota have exercised the right to hold organizations accountable for violations of HIPAA. However, since State Attorneys General offices can retain a percentage of the penalties collected, more attorneys general may decide to issue fines for HIPAA violations in the future.
HIPAA Criminal Penalties
When individuals are responsible for the theft, loss, or unauthorized disclosure of PHI, the most common consequence is the loss of employment. However, in the most serious HIPAA violations, criminal charges can be filed against the individual(s) responsible.
Criminal penalties for HIPAA violations are divided into tiers and several factors are considered which will affect the criminal penalty. If an individual has profited from the theft, loss, or unauthorized disclosure of PHI, it may be necessary for all moneys received to be refunded in addition to the payment of a fine and/or jail time. The tiers for HIPAA criminal penalties are:
- Tier 1: Reasonable cause or no knowledge of violation – Up to 1 year in jail
- Tier 2: Obtaining PHI under false pretenses – Up to 5 years in jail
- Tier 3: Obtaining PHI for personal gain or with malicious intent – Up to 10 years in jail
State Attorneys General are cracking down on data theft and are keen to make examples out of individuals found to have violated HIPAA Privacy Rules. A jail term for the theft of HIPAA data is therefore highly likely, as this is a strong signal to those tempted by the potential financial gains. HIPAAJournal.com maintains a list of jail terms for HIPAA violations by employees.
Unknowing Violation of HIPAA
Ignorance of the HIPAA Rules is not regarded as a justifiable defense when an organization is investigated for violating HIPAA. An example of this occurred in 2017 when the remote cardiac monitoring service CardioNet was fined $2.5 million for failing to fully understand the HIPAA requirements and subsequently failing to conduct a complete risk assessment.
Because of the incomplete risk assessment, the unsecured PHI of 1,391 individuals was potentially disclosed as the result of an employee error. A laptop containing the data was stolen from a car parked outside the employee’s home. Office for Civil Rights Director Roger Severino described this incident as a case of unknowingly violating HIPAA by disregarding security and not safeguarding the information properly.
HIPAA Compliance Audits and Penalties for HIPAA Violations
If the Office for Civil Rights conducts a HIPAA compliance audit, and a Covered Entity or Business Associate is found not to be in compliance with HIPAA, the Office for Civil Rights has the authority to issue penalties for HIPAA violations even if there has been no breach of unsecured PHI or no complaint.
The first phase of HIPAA compliance audits was conducted in 2011/2012 and revealed many Covered Entities were struggling with compliance. The Office for Civil Rights provided technical assistance to help correct areas of noncompliance and no penalties for HIPAA violations were issued at the time. They were given several years to improve their performance before another audit was scheduled.
The audits discovered that the biggest area of noncompliance was the failure to conduct a comprehensive, organization-wide risk assessment. Risk assessments are critical to a Covered Entity’s compliance efforts. If a risk assessment is not conducted, a Covered Entity will be unaware of any vulnerabilities that pose a risk to the confidentiality, integrity, and availability of PHI.
The failure to complete Business Associate Agreements (BAAs) with third-party service providers can also result in penalties for HIPAA noncompliance. In September 2016, the Care New England Health System was fined $400,000 for HIPAA noncompliance that included the failure to revise a BAA originally signed in March 2005.
HIPAA Violation Penalties: FAQs
What is a HIPAA violation?
A HIPAA violation is a failure to comply with any applicable provisions in the Administrative Simplification provisions. There does not have to be a data breach for a HIPAA violation to occur, and penalties can be imposed for (for example) the failure to provide staff training, the failure to allow patients access to PHI, and the failure to retain documents for the required time.
What constitutes a HIPAA violation?
The failure to develop and enforce HIPAA-compliant policies and procedures can also constitute a HIPAA violation. If there are no policies or procedures to guide staff on how to perform their roles compliantly, and a data breach subsequently occurs, organizations can be sanctioned for the failure to develop policies and the failure to train staff on policies as well as for the data breach.
What are the consequences for violating HIPAA?
This depends on the nature of the violation and how much harm results from the violation. If a violation occurs that “the Covered Entity was unaware of and could not have realistically avoided had a reasonable amount of care been taken to comply with HIPAA”, the consequences will be relatively minor. However, if an individual violates HIPAA contrary to the policies enforced by their employer, they could lose their job and spend up to ten years in jail.
What is the civil penalty for unknowingly violating HIPAA?
The civil penalty for unknowingly violating HIPAA is no different from the civil penalty for knowingly violating HIPAA because there is no justification for a Covered Entity – or an individual trained on a Covered Entity’s policies – to be unaware of the Rules. Each Covered Entity is required to appoint a HIPAA Privacy Officer and a HIPAA Security Officer, and it is these Officers’ responsibility to ensure every employee and Business Associate is aware of their HIPAA compliance obligations.
What Rule sets the penalties for violating HIPAA regulations?
The penalties for violating HIPAA regulations were first established in the HIPAA Enforcement Rule in 2005. Subsequent amendments were included in the HITECH Act (2009) and the Omnibus Final Rule (2013) and the current penalties for violating HIPAA regulations are codified under 45 CFR § 160.404 and 45 CFR Part 102 – The Adjustment of Civil Monetary Penalties for Inflation.
What is the penalty for noncompliance with HIPAA?
As mentioned in the above article, the most common penalties for noncompliance with HIPAA include enforced changes to privacy practices, corrective action, and technical assistance. Fewer than 1-in-2,500 complaints received by the Office for Civil Rights result in a Civil Monetary Penalty for noncompliance with HIPAA.
What are the fines for HIPAA violations?
When a federal enforcement agency issues a Civil Monetary Penalty for noncompliance with HIPAA, fines for HIPAA violations currently range between $127 per violation and $1,919,173 per violation depending on factors such as the nature of the violation, the precautions put in place to prevent the violation, the organization’s previous compliance history, and the amount of cooperation provided by the organization during an agency’s investigation.
What consequences are possible with a Tier 3 violation?
A single Tier 3 violation attributable to willful neglect can attract penalties of up to $63,973 if the reason for the violation is corrected within 30 days of being identified, or up to $1,919,173 if the reason for the violation is not corrected within 30 days of being identified.
What are the 3 types of HIPAA violations?
Although the 3 types of HIPAA violations are discussed above, they could be better described as 1) an organization has made reasonable efforts to comply with HIPAA, 2) the failing was attributable to lack of monitoring or oversight, and 3) the organization made little or no effort to comply with HIPAA despite knowing it had to.
What is considered a HIPAA violation?
This question was also previously discussed, but it is important to reiterate that any failure to comply with the applicable provisions of the Administrative Simplification provisions is considered a HIPAA violation – even if the compliance failure does not result in a data breach.
What are the types of penalties under HIPAA?
There are three types of penalties under HIPAA. Ignoring technical assistance (which is not a penalty), organizations may be required to comply with a Corrective Action Plan and/or required to pay a Civil Monetary Penalty/settlement. The CMS also has the authority to exclude a Covered Entity from participation in the Medicare program.
Can you be fined on a personal basis for HIPAA violations?
Yes. If an investigation into a HIPAA violation finds evidence of a criminal offense, the investigation is referred to the Department of Justice under §1320d-6 of the Social Security Act – “Wrongful Disclosure of Individually Identifiable Health Information”.
If an individual is convicted of a criminal offense under this section of the Social Security Act, the Department of Justice can issue fines of up to $50,000 (reasonable cause), $100,000 (false pretenses), or $250,000 (personal gain/malicious intent) in addition to a custodial sentence.
What are the penalties for violating HIPAA that can be issued by the FTC?
The FTC can issue the same penalties for data breaches as HHS’ Office for Civil Rights. However, in September 2021, the FTC warned vendors of personal health records and PHR-related entities that the failure to comply with the Breach Notification Rule could attract additional penalties of up to $43,792 per violation per day.
What is the most severe HIPAA violation tier?
The most severe HIPAA violation tier is Category 4 – willful neglect of the HIPAA Rules with no correction within 30 days. Violations of this nature are the most common to be pursued by State Attorneys General; and, while there is no private right of action under HIPAA, several substantial settlements have been obtained in subsequent antitrust class actions.
What is the maximum criminal penalty that you could be subject to if you violate HIPAA?
The maximum criminal penalty you could be subject to if you violate HIPAA is a $250,000 fine and a custodial sentence of ten years. However, if the perpetrator is a healthcare professional, it is likely they will have their license to practice revoked; while, if the perpetrator is a health plan, it will likely lose its license to provide insurance services nationwide.
What is a HIPAA violation in the workplace?
Whereas most HIPAA violations are attributable to organizations failing to implement policies and procedures to comply with the Administrative Simplification provisions, the term “HIPAA violation in the workplace” usually refers to a member of the organization’s workforce failing to comply with an organizational policy or procedure.
In most cases, the penalty for a HIPAA violation in the workplace depends on the content of the organization’s HIPAA sanctions policy. However, if the violation is reported to a federal agency and it involves a potentially criminal offense, the penalty could be out of the organization’s hands and dependent on how the Department of Justice views the violation.
Can employees be fired for violating HIPAA?
Employees can be fired for violating HIPAA depending on the nature of the violation, the content of the employer’s sanctions policy, and the previous conduct of the employee. Serious violations of HIPAA – for example, posting patients’ PHI on social media without their authorization – are likely to get an employee fired for a first offense, but lesser violations – for example, disclosing more than the minimum necessary PHI in the workplace – will likely result in a verbal warning, or a written warning for a repeated violation.
What is the largest ever fine for a HIPAA violation?
The largest ever fine for a HIPAA violation occurred in 2018 when Anthem Inc. reached a settlement agreement with HHS’ Office for Civil Rights in the amount of $16 million in respect of a data breach that exposed the PHI of 78.8 million individuals. Subsequent civil actions brought by State Attorneys General and individuals impacted by the data breach resulted in further settlements of $39.5 million and $115 million respectively.
What happens to the money collected in HIPAA violation fines?
At present, the money collected in HIPAA violation fines and settlements by HHS’ Office for Civil Rights is paid into the U.S. Treasury General Fund. However, in 2022, HHS issued a Request for Information seeking comments on a yet-to-be-enacted clause of the HITECH Act that advocates “settlement sharing” with individuals who have experienced harm as a consequence of a HIPAA data breach.
Is it a HIPAA violation to email PHI to patients?
It is a HIPAA violation to email PHI to patients unless the patients have requested to receive PHI by email and have been warned of the consequences of communicating PHI over unsecured channels of communication. Both the patients’ requests and the warnings should be documented to respond to any future complaints if PHI sent in an email is corrupted or accessed without authorization during transit or once at rest on the recipients’ devices.
Can you be sanctioned for an accidental HIPAA violation?
You can be sanctioned for an accidental HIPAA violation because, with the exception of knowingly obtaining PHI for personal gain, neither the Privacy Rule nor the Security Rule distinguishes between deliberate and accidental HIPAA violations. Therefore, a member of a Covered Entity’s workforce could be sanctioned for an accidental HIPAA violation – although this will depend on the content of a sanctions policy and how the policy is applied in each event.
Are lost medical records a HIPAA violation?
Lost medical records are a HIPAA violation because – even though they are lost – they are a “disclosure” not permitted by the Privacy Rule. Additionally, if the medical records were maintained electronically, losing the medical records demonstrates a lack of compliance with the Audit Control standard of the Security Rule.
Because the medical records are lost, the HIPAA violation is a notifiable event under the Breach Notification Rule unless a Covered Entity or Business Associate can demonstrate “a low probability that PHI has been compromised”. As it is not possible to know whether PHI has been compromised or not, this exception does not apply.
Are HIPAA violations criminal?
Some HIPAA violations are criminal, although most are civil matters. A criminal HIPAA violation occurs when the violation is attributable to an individual knowingly obtaining or disclosing individually identifiable health information – usually for personal gain. In such cases, the violation may be referred by HHS’ Office for Civil Rights to the Department of Justice for a criminal investigation. If found guilty, the individual can be fined up to $250,000 and sentenced to up to ten years in jail.
Are penalties for HIPAA violations always due to data breaches?
Historically, penalties for HIPAA violations were most often due to data breaches. However, in recent years, HHS’ Office for Civil Rights has pursued enforcement action against Covered Entities that refuse patients’ requests to obtain a copy of PHI or an accounting of disclosures. Although the agency still issues penalties for HIPAA violations that result in data breaches, dozens of Covered Entities have been fined for patients’ rights violations.
How does HHS’ Office for Civil Rights find out about HIPAA violations?
HHS’ Office for Civil Rights most often finds out about HIPAA violations in two ways. The first is via the OCR Portal – an online service that can be used by individuals and workforce members to file complaints against a Covered Entity or Business Associate. The second way in which HHS’ Office for Civil Rights finds out about HIPAA violations is when a Covered Entity notifies the agency of an unauthorized disclosure of unsecured PHI.
If a common workplace practice violates HIPAA, what happens then?
There are a number of circumstances in which a common workplace practice may violate HIPAA, and the consequences of the violation depend on who is responsible for allowing the non-compliant workplace practice to exist or develop.
Covered Entities and Business Associates are required to develop policies and procedures that comply with HIPAA and monitor compliance with them. If an organization fails to develop compliant policies and practices or fails to monitor compliance – due to which non-compliant workplace practices develop – the organization is violating HIPAA.
However, if a common workplace practice develops that violates HIPAA, that workforce members have been told is prohibited, and that could not have been identified through monitoring (for example, sharing passwords to EHR systems), each individual who engages in the non-compliant workplace practice is violating HIPAA and could be sanctioned when the non-compliance is identified.
Can businesses not covered by HIPAA be fined for HIPAA violations?
Some businesses not covered by HIPAA can be fined for HIPAA violations. For example, vendors of connected health apps that collect or use consumers’ health information are not covered by the HIPAA Privacy or Security Rules, but are required to comply with the Breach Notification Rule. The FTC has previously fined businesses of this type that have failed to notify consumers when their unsecured data has been breached.
What role does CMS have in enforcing HIPAA compliance?
The Centers for Medicare and Medicaid Services (CMS) enforces the HIPAA Administrative Requirements relating to claims transactions (45 CFR Part 162). Although the CMS has never issued a fine for a HIPAA violation, it investigates complaints relating to claims transactions and can require Covered Entities and Business Associates to comply with a Corrective Action Plan.
Is it a HIPAA violation if medical information is sent to the wrong person?
It is a HIPAA violation if identifying medical information is sent to the wrong person because the recipient of the information is not authorized to receive the information and therefore the disclosure is not permitted by the Privacy Rule. Whether or not the violation is a notifiable event (to HHS and the subject of the information) depends on who received the information and the likelihood of the information being further disclosed.
Are all reports of HIPAA violations made to HHS’ Office for Civil Rights?
Although thousands of reports of HIPAA violations are made to HHS’ Office for Civil Rights every year, HIPAA violations can also be reported to the organization at which the violation occurred or to the State Attorneys General. However, if the violation resulted in a breach of unsecured PHI, the organization or State Attorney General must escalate the report to HHS’ Office for Civil Rights.
How long do you have to report a HIPAA violation?
How long you have to report a HIPAA violation depends on the nature of the violation. If you are filing a complaint about a HIPAA violation to HHS’ Office for Civil Rights, you have 180 days from the discovery of the violation to report it. Complaints made to Covered Entities and State Attorneys General do not have the same time limitations, but both can decline to respond to a report or complaint if it is unreasonable to do so.
HIPAA violations that result in impermissible disclosures of PHI or data breaches must be reported to affected individuals and HHS’ Office for Civil Rights within 60 days from the discovery of the violation. The exception to this rule is when a data breach affects fewer than 500 individuals, in which case reports to HHS’ Office for Civil Rights can be delayed until the end of the year (individuals still have to be notified within 60 days).