A HIPAA violation can trigger an Office for Civil Rights investigation, mandatory corrective action and monitoring, breach notification duties when unsecured protected health information is compromised, civil monetary penalties or settlement payments, and, for certain knowing misconduct, criminal prosecution with fines and imprisonment.
A report of a potential violation can come from a complaint, a breach report, a compliance review, or an audit activity. The U.S. Department of Health and Human Services Office for Civil Rights may request policies, procedures, risk analysis documentation, training records, business associate agreements, security controls evidence, and incident response materials. An investigation can end with no action, voluntary corrective steps, a resolution agreement with a corrective action plan, or a civil money penalty determination.
Corrective action requirements commonly include revising HIPAA Privacy Rule and HIPAA Security Rule policies and procedures, performing or updating an enterprise-wide risk analysis for electronic protected health information, implementing a risk management plan, retraining workforce members, and applying workforce sanctions that align with written policies. Resolution agreements commonly require periodic reports to the Office for Civil Rights and ongoing federal monitoring for a multi-year term.
Civil monetary penalties are tiered based on the level of culpability and are adjusted for inflation. Penalties can be assessed per violation, and annual caps apply per violation category and calendar year. Recent inflation-adjusted figures used in enforcement range from a minimum of $145 per violation up to $73,011 per violation, with an annual cap that can reach $2,190,294 for the highest tier, depending on the violation category and the enforcement posture applied to the case.
When the conduct involves a breach of unsecured protected health information, the HIPAA Breach Notification Rule adds separate regulatory duties that must be met on specified timelines. Affected individuals must be notified without unreasonable delay and no later than 60 days after discovery of the breach. For breaches affecting more than 500 residents of a state or jurisdiction, notice to prominent media outlets must also be provided within the same 60-day deadline. Notice to the Secretary of Health and Human Services is submitted through the federal breach reporting portal: breaches affecting 500 or more individuals are reported within 60 days of discovery, and breaches affecting fewer than 500 individuals are reported no later than 60 days after the end of the calendar year in which the breach was discovered. Business associates must notify the covered entity of a breach without unreasonable delay and no later than 60 days from discovery so that the covered entity can meet its own notification deadlines.
Criminal exposure exists when a person knowingly obtains or discloses individually identifiable health information in violation of the HIPAA Privacy Rule. The criminal penalty can include a fine of up to $50,000 and imprisonment up to one year, up to $100,000 and up to five years when the conduct involves false pretenses, and up to $250,000 and up to 10 years when the conduct involves intent to sell, transfer, or use the information for commercial advantage, personal gain, or malicious harm. Criminal prosecutions are handled by the U.S. Department of Justice rather than the Office for Civil Rights.
HIPAA enforcement outcomes can also lead to operational and contractual consequences. Organizations may be required to notify business partners, update business associate agreements, restrict access to systems, and implement new technical safeguards. Workforce members who violate HIPAA policies may be subject to internal discipline up to termination. State attorneys general may bring actions for certain HIPAA-related conduct, and individuals may pursue state-law claims based on the same events even though HIPAA itself does not create a direct private right of action for damages.
