Understanding the Penalties for HIPAA Non-Compliance

HIPAA violation penalties can be severe, and both healthcare providers and business associates need to be aware of the risks that come with violating HIPAA Rules. This article provides the healthcare industry with an overview of the different tier types of penalties for HIPAA violations, potential civil penalties, examples of common violations, and information on how to ensure your HIPAA compliance efforts are successful. Read on to learn more!

HIPAA Violation Classifications

Under HIPAA regulations, violations for non-compliance are classified into four categories that largely depend on whether the breach was due to willful neglect or if it was unintentional, how avoidable it may have been, and how the HIPAA covered entity (healthcare providers, insurance companies, and healthcare clearinghouses) responded to resolve violations. Those tiers are as follows:

Tier 1 HIPAA Violation:
  • The covered entity was unaware of the HIPAA breach and could not have avoided this violation with reasonable care.
Tier 2 HIPAA Violation:
  • The covered entity did not act with any willful neglect that caused the HIPAA breach, but they did not utilize due diligence to comply either.
Tier 3 HIPAA Violation:
  • The covered entity demonstrated willful neglect that caused the HIPAA breach, but proceeded to correct the flagged issues.
Tier 4 HIPAA Violation:
  • The covered entity demonstrated willful neglect that caused the HIPAA breach, and they did not correct the flagged issues.


What are the Penalties for HIPAA Non-Compliance?

The penalties for HIPAA non-compliance are based on the tier of the violation committed, as well as if the covered entity has been cited for repeat violations. These HIPAA violation penalties originally ranged from $100 to $50,000 per incident, with a maximum fine of $1.5 million per year for violations of an identical provision. And willful neglect penalties had a minimum fine of $10,000 per violation. However, in the Federal Civil Monetary Penalties Inflation Adjustment Act Improvements Act, passed by Congress in 2015, HHS was required to raise civil money penalties to keep in line with inflation. Consequently, the dollar amounts for these civil penalties are now adjusted annually.

In 2019 the Department of Health and Human Services revisited the language in the HITECH Act and decided that maximum penalties had been interpreted improperly. Instead of the original schedule of penalties that was announced, it was determined that the maximum penalty should be revised downward for the first three violation tiers, and then adjusted annually for inflation.

An odd outcome of the above was that in Tier 1 the annual penalty limit for violating HIPAA regulations is higher than the maximum penalty per violation. This is certain to be addressed as further rule clarifications roll out.

To date, OCR has settled or imposed a civil money penalty in 126 cases, resulting in a total dollar amount of $133,519,272.00. With the above in mind, below are the four tiers of HIPAA violations, along with their current (as of 2022) civil monetary penalties.

Penalties for Tier 1 HIPAA Violations:
  • Start at $127 and max out at $63,973 per violation, with an annual maximum penalty of $30,487.
Penalties for Tier 2 HIPAA Violations:
  • Start at $1,280 and max out at $63,973 per violation, with an annual maximum penalty of $121,946.
Penalties for Tier 3 HIPAA Violations:
  • Start at $12,794 and max out at $63,973 per violation, with an annual maximum penalty of $304,865.
Penalties for Tier 4 HIPAA Violations:
  • Start at $63,973 and max out at $1,919,173 per violation, with an annual maximum penalty of $1,919,173.


Are HIPAA Violations Criminal?

While not all HIPAA violations are criminal, certain ones may be subject to criminal penalties. For example, suppose a HIPAA violation is found to have been caused by the intentional misrepresentation of facts to the Secretary of Health and Human Services. In that case, that party could be subject to criminal penalties including imprisonment. Additionally, covered entities that knowingly and willfully disclose protected health information in violation of HIPAA can be subject to criminal penalties. The table below demonstrates the tiers of criminal HIPAA violations and their consequences.

Class A Felony:
  • Committed with the intent of selling or transferring protected health information (PHI) for commercial or personal gain, or to do so with malicious intent. Up to 10 years in jail and a fine of $250,000.
Class B Felony:
  • Committed under false pretenses. Up to 5 years in jail and a fine of $125,000.
Class C Felony:
  • Knowingly obtain or disclose individually identifiable health information. Up to 2 years in jail and a fine of $50,000.


Who enforces HIPAA?

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for enforcement of the HIPAA Privacy, Security, and Breach Notification Rules. OCR received over 34,000 complaints in 2021. Complaints to OCR may be filed by individuals or entities. Enforcement actions are made public on OCR’s website, which has been informally dubbed “The HIPAA Wall of Shame”. In addition to complaint investigations, OCR also conducts compliance reviews and audits of HIPAA-covered entities and their business associates. These are proactive reviews that OCR initiates to assess compliance with the Rules. Audit results are shared with the covered entities and their business associates, and may also be made public. Finally, as part of their HIPAA enforcement program, OCR provides technical assistance to help covered entities and business associates understand and comply with the requirements of the HIPAA Rules. Technical assistance resources include publications, webinars, presentations, and other resources.


What are Some Examples of the Most Common HIPAA Violations?

HIPAA sets the standard for protecting sensitive patient data. Any company that handles PHI must ensure that all the necessary physical, technical, and administrative security measures are in place and followed.

The following list provides examples of some of the most common HIPAA violations …


Unauthorized Access/Disclosure
  • Employees accessing information of patients not under their care.
  • Sharing patient information with unauthorized individuals.
Impermissible Uses and Disclosures of PHI
  • Sharing PHI with third parties without valid authorization.
  • Discussing patient information in public areas where it can be overheard.
Data Breach of Unsecured PHI
  • Failure to properly secure PHI, whether through encryption or other means, thereby leading to unauthorized access or disclosure.
Insufficient Safeguards for PHI Transmission
  • Transmitting PHI over networks without adequate safeguards, which might include, but is not necessarily limited to, encryption. This involves ensuring the confidentiality and integrity of PHI when it is transferred electronically.
Mishandling Medical Records
Loss or Theft of Devices
  • Losing devices (like laptop computers, tablets, or smartphones) that contain unencrypted PHI.
Insufficient Access Controls
  • Not revoking access rights to PHI when employees leave the organization or change roles.
Failure to Conduct a Risk Analysis
Lack of Employee Training
  • Not training employees on HIPAA regulations and how to properly handle PHI.
Improper Marketing or Fundraising Communications
Failure to Notify Following a Data Breach
  • Not notifying individuals affected by a breach within the required timeframe.
Denying Patients Access to Their Health Records
  • Not providing patients with access to their health records within the stipulated time frame.
  • Charging a patient excessive fees for copies of their health records.
Sending PHI to the Wrong Recipients
Using Mobile Devices without Proper Security Measures
  • Storing PHI on personal mobile devices without the necessary security controls.
Ransomware and Malware Attacks
Failure to Enter into Business Associate Agreements

Each of the above is an example of the type of incident that a well-implemented HIPAA compliance plan can help to avoid … and thereby also avoid the potential HIPAA violation penalties that are often associated with such incidents.


How can Covered Entities Ensure Compliance with HIPAA Rules?

There are a number of steps that covered entities can take to prevent HIPAA violations. These include …

Designating a HIPAA compliance officer:

Every covered entity must have a designated individual responsible for compliance with HIPAA Privacy and Security Rules. This person is typically the privacy officer or security officer.

Establishing a Compliance Committee:

A compliance committee helps the covered entity meet its obligations under the HIPAA Privacy, Security, and Breach Notification Rules. The committee should be made up of members from different areas of the organization, including one or more members from management. The compliance committee’s activities should be designed to promote compliance with policies and procedures and to prevent and detect non-compliance. The committee should also review complaints about the covered entity’s compliance with HIPAA and investigate any incidents of non-compliance. By carrying out these activities effectively, the compliance committee can help the covered entity avoid HIPAA penalties for non-compliance.

Developing policies and procedures for complying with HIPAA rules:

Covered entities must develop written policies and procedures that address all required and addressable aspects of the HIPAA Privacy, Security, and Breach Notification Rules.

Providing training to employees on HIPAA compliance:

For all employees who have access to PHI, receiving training on the requirements of the HIPAA Privacy and Security Rules is the hallmark of an effective HIPAA compliance program. Training should be provided on an ongoing basis at least annually, as new employees are hired, and when changes to policies or procedures are made.

Implementing physical, technical, and administrative safeguards:

HIPAA regulations require that covered entities put in place physical, technical, and administrative safeguards to protect the confidentiality, integrity, and availability of PHI. Physical Safeguards are a set of rules and guidelines outlined in the HIPAA Security Rule that focus on the physical access to Protected Health Information (PHI). In contrast, Administrative Safeguards focus on policy and procedures, while Technical Safeguards focus on data protection such as:

  • Access Control. A HIPAA covered entity must implement technical policies and procedures that allow only authorized persons to access electronic protected health information (e-PHI).
  • Audit Controls
  • Integrity Controls
  • Transmission Security

Conducting HIPAA Risk Assessments:

As part of their security management process, covered entities must conduct regular HIPAA risk assessments to identify potential threats and vulnerabilities and to determine the level of risk posed to the confidentiality, integrity, and availability of protected health information. A Risk Assessment should be conducted on an ongoing basis, as needed.

Responding promptly to detected offenses and undertaking corrective action:

All covered entities should have a HIPAA Compliance Program that is quick to take corrective action on detected offenses. Corrective action might include implementing new policies and procedures, providing training to staff members, and/or reporting non-compliance to the Department of Health and Human Services Office for Civil Rights (OCR).

Executing business associate agreements with all appropriate third parties:

Covered entities must have a business associate agreement in place with any third party that creates, receives, maintains, or transmits PHI on their behalf. These agreements must contain certain provisions as required by HIPAA, including specifying the permissible uses and disclosures of PHI by the business associate, as well as identifying the covered entity’s obligations with respect to safeguarding PHI. If you don’t have one already, you can download our business associate agreement template. It’s a reusable PDF fillable form that complies with all of the most recent requirements, and it’s ready to be used with all of your business associates.


Now that You Better Understand HIPAA Compliance and the Penalties for HIPAA Violations …

HIPAA penalties can be imposed for a variety of violations, ranging from non-compliance with the HIPAA Privacy Rule to failure to adhere to the requirements of the HIPAA Security Rule. And, as you can see, the civil and criminal penalties for each type of violation are tiered, with increasing harshness for more serious violations. And regardless of tier, repeat violations may carry higher penalties as well.

Healthcare organizations can take a number of steps, like those outlined above, to ensure compliance with HIPAA Rules. However, given the complex nature of HIPAA compliance, it is often best to seek help from qualified experts, like The Fox Group, who can assist with ensuring success.
