What are the Penalties for HIPAA Violations?


The penalties for HIPAA violations vary depending on the nature of the violation, the degree of harm caused, the number of people affected, and the previous compliance history of the individual or organization responsible. The penalties can also vary depending on whom the violation is reported to.

Financial penalties for HIPAA violations are extremely rare. In 2021 – the most recent year for which data is available – HHS’ Office for Civil Rights received 34,077 complaints alleging HIPAA violations and 64,180 breach notifications, yet issued just fourteen financial HIPAA violation penalties – thirteen of which were settled without an admission of liability.

In addition to the HIPAA violations and breach notifications on the public record, there are likely tens of thousands more that are reported directly to covered entities and dealt with internally. These never result in financial penalties for HIPAA violations unless they are subsequently escalated to HHS’ Office for Civil Rights or to a law enforcement agency for criminal investigation.

However, it is important to be aware that HIPAA violation penalties do not have to be financial in order to incur costs. Members of the workforce who violate HIPAA can find themselves out of work; while organizations that violate HIPAA may be required to comply with a multi-year corrective action plan, implement additional safeguards, and/or provide extra training.

What is a HIPAA Violation?

A HIPAA violation is any failure to comply with a regulation, standard, or implementation specification of the HIPAA Administrative Simplification Regulations (45 CFR Subtitle A – Subchapter C). These not only include the Privacy, Security, and Breach Notification Rules, but also the HIPAA General Requirements, Transaction Rules, and Code Sets.

The compliance failure can be attributable to a covered entity, a business associate, a subcontractor, a medical device vendor or service provider, or a member of the workforce – workforce being defined as any person whose conduct in the performance of work is under the control of a covered organization whether or not they are paid by the covered organization.


Although described as a “failure to comply”, HIPAA violations can be accidental, attributable to a lack of knowledge, or motivated by a desire “to get the job done”, as well as attributable to a willful neglect to be compliant. Because of this range of reasons, HIPAA violation consequences can range from a gentle reminder to be more careful in the future to the maximum penalty for a HIPAA violation of $2,067,813 (per violation) and a potential jail sentence.

HIPAA Violation Penalties for Employees

HIPAA violation penalties for employees and other members of the workforce are set by a covered entity or business associate in their sanctions policy and are not influenced by the text of HIPAA or any subsequent rulemaking. This means that two members of different workforces with the same histories of HIPAA compliance could violate the same HIPAA policy with the same impact, but be sanctioned in different ways.

For example, the violation of an employer’s HIPAA policy relating to the minimum necessary standard could result in one workforce member undergoing refresher training, while the other has a verbal warning recorded on their employment record. This inequality in HIPAA non-compliance penalties could influence how sanctions are applied for subsequent HIPAA violations.

Subsequent HIPAA violation penalties for employees can include written warnings, suspensions, or termination of contract – and, if the nature of a violation is sufficiently serious, further HIPAA non-compliance penalties could include loss of license or a criminal charge for the wrongful disclosure of Protected Health Information (PHI) contrary to the Social Security Act.

Office for Civil Rights HIPAA Violation Fines

When an investigation into a complaint or breach notification identifies an unjustifiable failure to comply with HIPAA, HHS’ Office for Civil Rights may issue HIPAA violation fines or reach settlement agreements with non-compliant parties (also known as “resolution agreements”). When the agency started issuing HIPAA fines, it was mainly for compliance failures that resulted in data breaches.

However, since 2019, the Office for Civil Rights has issued fewer fines for violations of HIPAA that result in data breaches, and more fines for violations of HIPAA that do not result in impermissible disclosures of PHI – such as the denial of patients’ rights, the late (or non-existent) notification of a data breach, and the failure to provide HIPAA training.

The Office for Civil Rights determines the amount of a fine for non-compliance with HIPAA using a four-tiered penalty structure. The four HIPAA violation tiers reflect the degree of culpability, and within the minimum and maximum limits per tier the agency has the discretion to set the amount of a HIPAA violation fine according to factors such as:

  • The nature of the violation
  • The degree of harm caused
  • The number of people affected by the violation
  • The previous compliance history of the organization
  • The cooperation received during a compliance investigation.

The four HIPAA violation tiers are:

  • Tier 1: A violation that the covered entity was unaware of and could not have realistically known was a violation by exercising due diligence.
  • Tier 2: A violation that the covered entity should have been aware of but was attributable to a lack of oversight (falling short of willful neglect).
  • Tier 3: A violation that occurred due to “willful neglect”, but efforts have been made to address the cause of the violation within 30 days.
  • Tier 4: A violation of HIPAA attributable to willful neglect, where no efforts have been made to address the cause or impact of the violation.

The minimum and maximum HIPAA violation fines within each tier were originally set by the HITECH Act in 2009. However, since 2016, the minimum and maximum limits have been increased annually to account for inflation. The per-tier annual limits below reflect HHS’ 2019 Notice of Enforcement Discretion, which capped the total penalty for identical violations in a calendar year at a lower amount for the less culpable tiers; the statutory maximum applies only to Tier 4. The minimum and maximum HIPAA violation fines as of January 2024 are:

Penalty Tier | Level of Culpability                        | Minimum Penalty per Violation | Maximum Penalty per Violation | Annual Limit for Identical Violations
Tier 1       | Lack of Knowledge                           | $137                          | $34,464                       | $34,464
Tier 2       | Lack of Oversight                           | $1,379                        | $68,928                       | $137,886
Tier 3       | Willful Neglect Addressed within 30 Days    | $13,785                       | $68,928                       | $344,638
Tier 4       | Willful Neglect not Addressed within 30 Days | $68,928                      | $68,928                       | $2,067,813

Other Financial Penalties for HIPAA Violations

It was mentioned previously that the penalties for HIPAA violations can vary depending on whom violations are reported to. An example of this might be a Right of Access complaint made to a healthcare organization rather than to HHS’ Office for Civil Rights. If not subsequently escalated to HHS’ Office for Civil Rights, the complaint made to the healthcare organization would not attract a financial penalty, whereas HHS’ Office for Civil Rights has issued fines as high as $240,000 for Right of Access failures.

With regard to HIPAA violation penalties, HHS’ Office for Civil Rights is not the only agency with the authority to issue fines for HIPAA violations. HHS’ Centers for Medicare & Medicaid Services (CMS) has the authority to issue fines for violations of the Transaction and Code Set standards in 45 CFR Part 162, the Department of Justice can prosecute individuals or organizations for the wrongful disclosure of PHI under §1177 of the Social Security Act, and the Federal Trade Commission can fine organizations for violations of the FTC Act or of the FTC’s own Health Breach Notification Rule (which applies to vendors of personal health records and similar entities that are not covered by HIPAA).

However, in the event of a data breach, the entities most likely to issue financial penalties for HIPAA violations are State Attorneys General. §13410(e) of the HITECH Act gives State Attorneys General the authority to bring civil actions on behalf of state residents for violations of the HIPAA Privacy and Security Rules, and often the penalties resulting from civil actions are much higher than the HIPAA violation fines issued by HHS’ Office for Civil Rights.

Violating Entity               | OCR Penalty    | SAG Penalty
Anthem Inc                     | $16 million    | $48.2 million
Premera Blue Cross             | $6.85 million  | $10 million
CHSPCC                         | $2.3 million   | $5 million
Aetna                          | $1 million     | $2.72 million
Medical Informatics Engineering | $100,000      | $900,000

Note: SAG financial penalties for HIPAA violations are additional to Office for Civil Rights HIPAA violation fines.

Indirect HIPAA Violation Penalties

While multi-million dollar financial penalties for HIPAA violations most often grab the headlines, hundreds of covered entities and business associates are required to comply with corrective action plans each year. A corrective action plan can be part of a resolution agreement that includes a reduced financial penalty or a standalone plan in lieu of a HIPAA violation fine.

The content of each corrective action plan varies according to the nature of the violation or the cause of a data breach. In some cases it can also extend to an upstream covered entity or a downstream business associate if the corrective actions required of one organization impact the operations of another. In such cases, organizations can incur costs for HIPAA violations for which they are not responsible.

A typical corrective action plan will consist of multiple elements. An example of this is the corrective action plan imposed on the Oregon Health & Science University, which required the university to:

  • Conduct a thorough assessment of the risks and vulnerabilities to electronic PHI (ePHI) in all the university’s facilities.
  • Implement interim safeguards until such a time as an enterprise-wide ePHI risk management plan is adopted.
  • Implement measures to ensure workforce compliance with HIPAA and the university’s privacy and security policies.
  • Submit the risk management plan and measures to ensure workforce compliance to HHS for review and revise if required.
  • Implement a mobile device management solution to ensure all ePHI stored on – or transmitted by – mobile devices is encrypted.
  • Implement a technical solution that prevents ePHI from being transferred to unencrypted removable storage devices.
  • Submit security awareness training, incident reporting, and password management plans to HHS for review and revise if required.
  • Provide – and continue to provide – security awareness training for all members of the workforce with access to ePHI.
  • Implement procedures for workforce members to report HIPAA violations, investigate each report, and take action as required.
  • When a member of the workforce is found to have violated HIPAA, report the event and the action taken to HHS.

This particular corrective action plan was imposed in response to the theft of an unencrypted laptop and the failure to enter into a Business Associate Agreement with a cloud storage provider. Although relatively modest in its requirements, compliance with this corrective action plan would have been time-consuming, disruptive, and expensive over its three-year term.

Additional Financial Consequences of HIPAA Violations

In addition to the direct and indirect HIPAA violation penalties already discussed, there are further financial consequences of HIPAA violations that arise when individuals lose trust that the personal information they share with their healthcare provider will remain confidential. When individuals withhold details about their health condition, healthcare providers have incomplete information with which to diagnose illnesses and prescribe courses of treatment, leading to worse patient outcomes.

Worse patient outcomes not only increase costs and the prospect of medical negligence lawsuits; when a hospital participates in CMS’ Hospital Readmissions Reduction Program, worse patient outcomes can also have a negative impact on income from the Medicare program. In addition, worse patient outcomes can lead to a deterioration in staff morale and retention, which increases recruitment costs in an increasingly competitive market and training costs thereafter.

For these reasons, it is recommended that HIPAA covered entities and business associates make every reasonable effort to comply with applicable regulations, standards, and implementation specifications of the HIPAA Administrative Simplification Regulations. Organizations that need assistance with HIPAA compliance are advised to seek professional advice from a compliance expert or from the Help Pages of the HHS HIPAA website.

About Daniel Lopez
Daniel Lopez is a HIPAA trainer, passionately committed to enhancing healthcare data protection and privacy standards. As a recognized expert in HIPAA compliance, he holds the role of HIPAA specialist at The HIPAA Guide. Holding a degree in Health Information Management, complemented by certifications in data privacy and security, Daniel's academic and professional credentials are a testament to his expertise. His approach to training is both engaging and educational, catering to a range of professional needs in the healthcare sector. For further information or to benefit from his expertise, Daniel is reachable through HIPAAcoach.com or https://twitter.com/DanielLHIPAA