The penalties for non-compliance with HIPAA vary considerably according to the nature of the non-compliant event, the degree of culpability, the harm the event has caused, the compliance history of the individual or organization, and their cooperation with investigations conducted by HHS' Office for Civil Rights, State Attorneys General, and the Department of Justice.
As of March 2022, the HHS Office for Civil Rights has investigated and resolved nearly thirty thousand cases of non-compliance with HIPAA. A further fifty thousand cases have been resolved without an investigation inasmuch as the Office for Civil Rights intervened at an early stage and provided technical assistance to Covered Entities and Business Associates.
In the majority of these cases, the penalties for non-compliance with HIPAA have consisted of changes in privacy practices and corrective actions – which, although non-financial penalties, require Covered Entities to dedicate resources to risk assessments, policy development, and workforce training. In many cases, compliance is monitored for months or years.
To date, only 110 investigated cases have resulted in civil financial penalties for non-compliance with HIPAA. These have ranged in dollar values from $3,500 to $16 million – but, in the latter case, the non-compliant Covered Entity also paid $48.2 million to settle a multi-state investigation by State Attorneys General, plus a further $115 million to settle a class action lawsuit.
How Civil Financial Penalties are Calculated
Civil financial penalties for non-compliance with HIPAA are calculated using a four-tier scale. Each tier represents a degree of culpability (from a violation the entity did not know about and could not reasonably have known about, up to willful neglect that is not corrected); and, within each tier, there are minimum and maximum amounts the Office for Civil Rights can issue as fines per violation. There is also a maximum amount the Office for Civil Rights can fine a Covered Entity or Business Associate per year per violation type.
The likelihood of the Office for Civil Rights issuing a fine – and the amount of the fine within each tier – can be influenced by the nature of the non-compliant event, the compliance history of the individual or organization, and their cooperation in an investigation. For this reason, two Covered Entities might violate HIPAA in exactly the same way but receive significantly different fines.
Since the passage of the HITECH Act in 2009, State Attorneys General have had the authority to bring civil actions on behalf of state residents whose PHI has been disclosed without authorization by a HIPAA-covered entity. The statutory damages available to a State Attorney General are up to $100 per violation, capped at $25,000 per calendar year for all violations of an identical requirement, and these are in addition to any fine issued by the Office for Civil Rights.
Criminal Penalties for Non-Compliance with HIPAA
If the Office for Civil Rights receives a complaint or conducts an investigation which may involve a criminal violation of HIPAA, the case is referred to the Department of Justice. The Department of Justice can pursue a criminal conviction if there is evidence that an individual or organization “knowingly” disclosed or obtained individually identifiable health information in violation of HIPAA.
Cases referred to the Department of Justice most often concern the theft of patient data for financial gain and unauthorized disclosures of PHI with the intent to cause harm. In these circumstances, "knowingly" refers to knowledge of the facts that constitute the offense (for example, knowing that the record being accessed belongs to a patient and is being obtained without authorization), not knowledge that the conduct violates HIPAA.
Similar to the way in which civil financial penalties are calculated, a tiered structure exists for criminal penalties for non-compliance with HIPAA:
- Tier One is for knowingly obtaining or disclosing individually identifiable health information in violation of HIPAA, with no aggravating element. The criminal penalties for non-compliance with HIPAA under Tier One are a fine of up to $50,000 and/or up to one year in jail.
- Tier Two is for the same offense committed under false pretenses (for example, impersonating a patient or a provider to obtain records), the "false pretenses" element distinguishing the violation from Tier One. Under Tier Two, the penalties are a fine of up to $100,000 and/or up to five years in jail.
- Tier Three is for the same offense committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm; false pretenses are not a required element of Tier Three. In Tier Three, the maximum penalty a judge can impose is $250,000 and the maximum custodial sentence is ten years.
What are the Penalties for Non-Compliance with HIPAA? FAQs
How does OCR find out about non-compliance with HIPAA?
OCR finds out about non-compliance with HIPAA either by an individual making a complaint via the OCR complaints portal, or via the mandatory reporting of breaches when unsecured PHI has been disclosed impermissibly. An individual making a complaint does not necessarily have to be a patient who has been denied their access rights or the victim of a data breach. Anybody – including members of a Covered Entity workforce – can use the OCR portal to alert the agency to non-compliance with HIPAA.
Can HIPAA violations be criminal?
If a HIPAA violation reported to OCR involves an intentional "wrongful disclosure of individually identifiable health information", OCR can refer it to the Department of Justice under 42 U.S.C. §1320d-6 (Section 1177 of the Social Security Act). As of September 2022, OCR has referred more than 1,500 cases to the Department of Justice for investigation; but, because many convictions are obtained using laws other than HIPAA, it is impossible to calculate the number of referrals that have resulted in criminal convictions.
Why might OCR issue a fine for as little as $3,500?
When calculating the amount of a fine, HIPAA stipulates that OCR has to take into account factors such as the non-compliant party's ability to pay and the impact a substantial fine may have on the party's ability to continue paying for, or providing, a healthcare service. Consequently, two businesses found non-compliant for exactly the same reason may be fined very different amounts.
How can individuals recover losses for a Covered Entity's non-compliance with HIPAA?
Although there is no private right of action in HIPAA, some states have laws that enable individuals to bring claims against Covered Entities for a breach of implied contract. This type of claim can be complicated, and it has to be proved that an individual has suffered harm. Consequently, most claims of this nature tend to be class actions in which costs are shared between multiple claimants.
Why do some fines exceed the annual penalty limit?
Annual penalty limits are applied per violation type. Therefore, if an investigation into a data breach identifies multiple distinct violations (e.g., failure to conduct a risk analysis, failure to train employees, failure to implement security measures), a separate annual penalty limit can be applied to each one, so the total can exceed the limit for any single violation type. This is true even where a particular violation is not connected to the data breach that triggered the investigation.