
Updated May 28, 2019

Thousands of patient records breached. Millions of dollars in fines following nightmarish lawsuits. The news is full of harrowing stories of healthcare organizations caught in HIPAA violations, exposing sensitive patient data, and worse. Maybe you watch these stories unfold, biting your nails and hoping no such disaster befalls your organization.

But what determines the severity of a HIPAA violation? Why are some penalties much greater than others? It's important to know what your organization may be up against if it violates the HIPAA rules. This post answers some key questions about HIPAA violations, fines, and penalties:

  • How does HITECH support HIPAA enforcement?
  • What is a HIPAA violation?
  • Who investigates HIPAA complaints?
  • Who enforces HIPAA fines and penalties?
  • What are the fines and penalties for HIPAA violations?

Q: How does HITECH support HIPAA enforcement?

A: The Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted in 2009 to promote the adoption and meaningful use of health information technology, such as electronic health records. HITECH also gave "teeth" to HIPAA by strengthening civil and criminal enforcement of the HIPAA rules, extending direct liability to business associates, and allowing state attorneys general to bring enforcement actions.

Q: What is a HIPAA violation?

A: A HIPAA violation is a failure to comply with any part of the HIPAA Privacy, Security, or Breach Notification Rules. For civil penalties, violations fall into four categories, or tiers. This four-tier system takes into account whether the organization knew (or should have known) about the violation, whether it resulted from willful neglect, and how quickly the organization corrected it.

  • Category 1: The covered entity (CE) or business associate (BA) did not know about the violation and would not have known about it even by exercising reasonable diligence.
  • Category 2: The CE or BA knew about the violation, or should have known about it by exercising reasonable diligence, but the violation was not due to willful neglect. This is the "reasonable cause" tier.
  • Category 3: The violation was due to willful neglect of the HIPAA rules, and the CE or BA corrected it within 30 days of learning of the violation.
  • Category 4: The violation was due to willful neglect, and the CE or BA did not correct it within 30 days of learning of the violation.


Q: Who investigates HIPAA complaints?

A: The U.S. Department of Health and Human Services Office for Civil Rights (HHS/OCR) investigates HIPAA complaints. OCR also conducts compliance reviews and periodic audits. An investigation may uncover HIPAA violations, leading to civil money penalties or a settlement with a corrective action plan; where a case may involve a criminal violation, OCR refers it to the Department of Justice (DOJ).


Q: Who enforces HIPAA fines and penalties?

A: OCR imposes civil money penalties (and negotiates settlements), and the DOJ prosecutes criminal HIPAA violations.

Q: What are the fines and penalties for HIPAA violations?

A: The 2013 Omnibus Rule finalized the HIPAA violation penalty structure that HITECH introduced. Depending on the violation, a CE or BA may face a civil money penalty, and the individuals involved may face criminal fines and imprisonment. These penalties are meant to hold CEs and BAs accountable and deter them from violating the HIPAA rules.

Civil Fines for HIPAA Violations

OCR bases civil money penalties on the four-tier categorization system above. Each tier has a range of penalty amounts per violation and an annual cap that applies to all violations of an identical provision in a calendar year. Originally, the annual cap was $1.5 million for every tier. In April 2019, HHS published a Notice of Enforcement Discretion stating that it will apply lower annual caps to the first three tiers. The current structure (amounts are adjusted periodically for inflation) is:

  • Tier 1: $100 to $50,000 per violation, with an annual cap of $25,000.
  • Tier 2: $1,000 to $50,000 per violation, with an annual cap of $100,000.
  • Tier 3: $10,000 to $50,000 per violation, with an annual cap of $250,000.
  • Tier 4: $50,000 per violation, with an annual cap of $1.5 million.

Note that a single incident can involve violations of several different provisions, and each provision carries its own annual cap, so the total penalty for one breach can exceed the cap for any one tier.

Criminal Penalties for HIPAA Violations

The criminal provisions of HIPAA (42 U.S.C. § 1320d-6) define three tiers based on the offender's intent. Criminal penalties apply to individuals (including employees of a CE or BA) who knowingly obtain or disclose PHI in violation of HIPAA, not just to the organization.

  • Tier 1: Knowingly obtaining or disclosing PHI in violation of HIPAA. Up to a $50,000 fine and up to 1 year in prison.
  • Tier 2: Obtaining or disclosing PHI under false pretenses. Up to a $100,000 fine and up to 5 years in prison.
  • Tier 3: Obtaining or disclosing PHI with intent to sell or transfer it, or to use it for commercial advantage, personal gain, or malicious harm. Up to a $250,000 fine and up to 10 years in prison.

Attorneys General Fines for HIPAA Violations

In 2010, Connecticut Attorney General Richard Blumenthal became the first state AG to file a HIPAA enforcement action under the HITECH Act. A large data breach prompted this pioneering legal action. Health Net, a health insurance company, had lost an unencrypted portable hard drive containing the protected health information (PHI) of roughly 250,000 plan members. Compounding the problem, Health Net waited six months before notifying affected individuals of the breach, delaying the steps those patients could have taken to protect themselves.

A provision added by HITECH allows state AGs to bring civil actions on behalf of state residents who have been, or are threatened with being, adversely affected by a HIPAA violation. An AG can sue in federal district court to obtain statutory damages on behalf of state residents, to enjoin further violations, and to recover attorney's fees. Statutory damages are calculated at up to $100 per violation, capped at $25,000 per calendar year for violations of an identical provision.

Clearly, OCR, the DOJ, and state AGs take HIPAA compliance seriously. These fines and penalties are meant to hold HIPAA-covered organizations accountable for the privacy and security of patients' information and deter them from practices that put PHI at risk.
