What are the Penalties for Breaking HIPAA Rules?


HIPAA states that covered entities must conduct training for staff to ensure HIPAA Rules and regulations are fully comprehended.

As part of this HIPAA training, healthcare staff must learn the possible penalties for HIPAA breaches.

If you break HIPAA Rules, four things may happen. Firstly, the violation could be managed internally by your employer. Secondly, you could be sacked. Thirdly, sanctions may be imposed on you by professional boards, and lastly, you could face criminal charges, which include fines and imprisonment.

Which of these takes place will depend on what the violation entailed. There are many factors to take into account when determining this, including:

  1. Whether there was knowledge that HIPAA Rules were being breached, or whether, with due diligence, it should have been obvious that HIPAA Rules were being violated
  2. Whether steps were implemented to address the violation
  3. Whether there were malicious aims or HIPAA Rules were violated for personal profit
  4. The damage caused by the violation(s)
  5. The number of people impacted by the breach
  6. Whether there was a breach of the criminal provision of HIPAA

Civil Sanctions for HIPAA Breaches

Civil financial sanctions for HIPAA violations begin at $100 per violation for any individual who breaches HIPAA Rules. The fine can increase to $25,000 if there have been multiple violations of the same sort. These penalties are applied when the individual was aware that HIPAA Rules were being violated, or should have been aware had due diligence been used. If there was no willful neglect of HIPAA Rules and the violation was addressed within 30 days of the employee learning that HIPAA Rules had been breached, civil penalties will not be applicable.

Criminal Penalties for HIPAA Breaches

The criminal penalties for HIPAA violations can be significant. The lowest punishment for willful violations of HIPAA Rules is $50,000. The highest possible criminal penalty for a HIPAA violation by an individual is $250,000. Restitution may also need to be paid to the victims. Along with the financial penalty, a jail term is likely for a criminal violation of HIPAA Rules.

As with the penalties for HIPAA breaches imposed on HIPAA covered entities and business associates, the criminal penalties are tiered.

Criminal violations that take place due to negligence can lead to a prison term of up to 1 year. Obtaining protected health information under false pretenses carries a maximum prison term of 5 years. Knowingly breaching HIPAA Rules with malicious intent or for personal gain can lead to a prison term of up to 10 years. There is also a mandatory two-year jail term applied in instances of aggravated identity theft.