The penalties for non-compliance with HIPAA vary considerably according to the nature of the non-compliant event, the degree of culpability, the harm the event has caused, the compliance history of the individual or organization, and their cooperation with investigations conducted by HHS' Office for Civil Rights, State Attorneys General, and the Department of Justice.
As of March 2022, the HHS Office for Civil Rights has investigated and resolved nearly thirty thousand cases of non-compliance with HIPAA. A further fifty thousand cases have been resolved without an investigation because the Office for Civil Rights intervened at an early stage and provided technical assistance to Covered Entities and Business Associates.
In the majority of these cases, the penalties for non-compliance with HIPAA have consisted of changes in privacy practices and corrective actions – which, although non-financial penalties, require Covered Entities to dedicate resources to risk assessments, policy development, and workforce training. In many cases, compliance is monitored for months or years.
To date, only 110 investigated cases have resulted in civil financial penalties for non-compliance with HIPAA. These have ranged in dollar values from $3,500 to $16 million – but, in the latter case, the non-compliant Covered Entity also paid $48.2 million to settle a multi-state investigation by State Attorneys General, plus a further $115 million to settle a class action lawsuit.
How Civil Financial Penalties are Calculated
Civil financial penalties for non-compliance with HIPAA are calculated using a four-tier scale. Each tier represents a degree of culpability, and within each tier there are minimum and maximum amounts the Office for Civil Rights can issue as fines per violation. There is also a maximum amount the Office for Civil Rights can fine a Covered Entity or Business Associate per year per violation type.
The likelihood of the Office for Civil Rights issuing a fine – and the amount of the fine within each tier – can be influenced by the nature of the non-compliant event, the compliance history of the individual or organization, and their cooperation in an investigation. For this reason, two Covered Entities might violate HIPAA in exactly the same way but receive significantly different fines.
Since the passage of the HITECH Act in 2009, State Attorneys General have had the authority to hold HIPAA-covered entities accountable for the unauthorized disclosure of PHI belonging to state residents. State Attorneys General can issue fines of between $100 and $25,000 per violation per unauthorized disclosure in addition to any fine issued by the Office for Civil Rights.
Criminal Penalties for Non-Compliance with HIPAA
If the Office for Civil Rights receives a complaint or conducts an investigation that may involve a criminal violation of HIPAA, the case is referred to the Department of Justice. The Department of Justice can pursue a criminal conviction if there is evidence that an individual or organization “knowingly” disclosed or obtained individually identifiable health information in violation of HIPAA.
Cases referred to the Department of Justice most commonly concern the theft of patient data for financial gain and unauthorized disclosures of PHI with the intent to cause harm. In these circumstances, “knowingly” refers to knowledge of the facts that constitute the offense, not to knowledge that the conduct violated HIPAA.
Similar to the way in which civil financial penalties are calculated, a tiered structure exists for criminal penalties for non-compliance with HIPAA:
- Tier One is for willful violations of HIPAA that result in the unauthorized use or disclosure of PHI. The criminal penalties for non-compliance with HIPAA under Tier One are a fine of up to $50,000 and/or up to one year in jail.
- Tier Two is for willful violations of HIPAA under false pretenses – the “false pretenses” element distinguishing the violation from Tier One. Under Tier Two, the penalties are a fine of up to $100,000 and/or up to five years in jail.
- Tier Three is for willful violations of HIPAA under false pretenses with the intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm. In Tier Three, the maximum penalty a judge can impose is $250,000 and the maximum custodial sentence is ten years.