What happens if HIPAA is violated?


Whether accidental or intentional, what happens if HIPAA is violated? Can employees be fired for violating HIPAA? What penalties are there for covered entities? These will all be explored in more detail below. 

The consequences for HIPAA violations will usually depend on the severity of the violation, whether it was accidental or intentional, and what measures were taken after the violation was discovered to limit its impact. 

Accidents happen, and even employees that have received rigorous HIPAA training can violate HIPAA. Something as simple as sending an email to the incorrect recipient, or leaving files in view of the public, can lead to a violation. Once it is known that HIPAA has been violated, the employee should notify the covered entity’s HIPAA Compliance Officer. The officer can then assess the impact of the violation, whether any data has been breached, and decide the next steps. 

Minor violations may be dealt with in-house, perhaps with the employee involved in the violation receiving extra training or a warning. In more severe cases, the employee may lose their job and be reported to their professional licensing body. However, none of these penalties are stipulated by HIPAA; they depend on the covered entity’s (CE’s) own policies. 

If the violation leads to a data breach that affects more than 500 patients, it must be reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) within 60 days of its discovery. Large media outlets that serve the local area must also be notified. 

Again, depending on the scale of the breach, the OCR may issue different penalties. In some cases, it may simply require that the CE provide additional training to its employees, or design and implement an action plan. In other cases when HIPAA is violated, it may issue civil or criminal penalties. The severity of these penalties will depend on the “Tier” the violation falls under. 

The civil penalty tiers are as follows:

  • Tier 1: accidental or incidental HIPAA violations that were not preventable even with a reasonable level of diligence. The minimum penalty is $100 per violation, up to a maximum of $25,000 for repeat violations.
  • Tier 2: applies when the employee should have been aware of the violation, but where reasonable diligence would still not have prevented it. The minimum fine is $1,000 per violation, up to a maximum of $100,000 for repeat violations.
  • Tier 3: applies to violations involving willful neglect, though corrections were made within the required time period. The minimum fine is $10,000 per violation, up to a maximum of $250,000 for repeat violations.
  • Tier 4: willful neglect of HIPAA Rules with no attempt to correct the violation. The minimum penalty is $50,000 per violation, up to a maximum of $1.5 million for repeat violations.

Criminal penalties are even rarer, though they may be applied in the case of particularly severe violations: 

  • Tier 1: negligence and reasonable cause. Can receive a fine of up to $50,000 and up to one year in prison.
  • Tier 2: PHI has been obtained under false pretenses. Can receive a fine of up to $100,000 and up to 5 years in prison.
  • Tier 3: PHI is obtained for personal gain or with malicious intent. Can receive a fine of up to $250,000 and up to 10 years in prison.