What Happens if You Violate HIPAA?

HIPAAGuide.net

What happens if you violate HIPAA depends on the nature of the violation and its consequences, the motive behind the violation, the measures taken to mitigate the consequences, and whether you are a HIPAA-regulated entity or a member of a regulated entity’s workforce. Who the violation is reported to can also make a difference to what happens.

Because of the many potential outcomes, it is not possible to provide a definitive answer to what happens if you violate HIPAA. To simplify the potential outcomes, this article separates HIPAA violations by workforce members and HIPAA violations by covered entities and business associates into two sections – starting with HIPAA violations by workforce members.

What Happens if You Violate HIPAA as a Workforce Member?

If you are a member of a HIPAA-regulated entity’s workforce, the covered entity or business associate for whom you work is required to provide you with a copy of their sanctions policy. The sanctions policy explains what happens if you violate HIPAA or any other workplace policy. However, each HIPAA-regulated entity has the flexibility to develop their own sanctions policy and the sanctions for each type of violation or repeated violations.

While there is no one-size-fits-all sanctions policy that determines what happens when you violate HIPAA, most sanctions policies have a tiered structure that divides HIPAA violations according to the degree of culpability. For example:

Tier 1 Violations

Tier 1 violations are attributable to a lack of knowledge or a lack of care, are minor in nature, and have minor consequences. The possible sanctions for Tier 1 violations include verbal warnings and/or refresher training.

Tier 2 Violations

Tier 2 violations are those with more sinister motives (e.g., snooping on patient records) or that have more significant consequences (e.g., a data breach). The possible sanctions for Tier 2 violations include written warnings and/or suspension.

Tier 3 Violations

Tier 3 violations are usually deliberate violations or repeated Tier 2 violations. Depending on the individual’s previous compliance history, the possible sanctions for Tier 3 violations include termination of contract and/or loss of license.

It is important to be aware that all violations of HIPAA by workforce members that result in an impermissible disclosure of unsecured Protected Health Information (PHI) must be notified to HHS’ Office for Civil Rights. If the motive behind the violation is personal gain or malicious harm, HHS’ Office for Civil Rights can refer the notification to the Department of Justice to pursue a criminal conviction under §1177 of the Social Security Act.

HIPAA Violations by Covered Entities and Business Associates

Nobody knows the true scale of HIPAA violations by covered entities and business associates because the only public sources of information are HHS’ Office for Civil Rights (OCR) and Centers for Medicare and Medicaid Services (CMS). OCR enforces HIPAA compliance with the Privacy, Security, and Breach Notification Rules, while CMS enforces HIPAA compliance with Part 162 of HIPAA (Transactions and Code Sets, Operating Rules, etc.).

From the data available as of December 31, 2023, it is known that OCR receives around 5,000 justified reports of HIPAA violations each year (excluding data breaches) and CMS receives fewer than 100 justified reports of HIPAA violations. The majority of HIPAA violations by covered entities and business associates are resolved via technical assistance and corrective action plans. Very few complaints are resolved with civil monetary penalties.

An even smaller proportion of HIPAA data breaches are resolved by civil monetary penalties. In 2021 – the most recent data currently available – OCR received 64,180 notifications of data breaches, yet only two enforcement actions were settled with civil monetary penalties and only 554 corrective action plans were applied. The remaining notifications were “closed” due to OCR receiving assurances the causes of the breaches had been addressed.

However, while it would appear that very little happens if you violate HIPAA as a covered entity or business associate, that is not the case. Technical assistance can incur expenses, and corrective action plans require the revision of policies and procedures, the implementation of additional Security Rule safeguards, and the provision of refresher HIPAA training. In indirect costs alone, it can cost millions of dollars to comply with a multi-year corrective action plan.

Why it is Best to Avoid Violating HIPAA

Because what happens if you violate HIPAA as a workforce member can vary from a verbal warning to loss of employment, a significant fine, and a prison sentence (if convicted of a HIPAA felony violation), it is best to comply with your employer’s workplace policies and avoid violating HIPAA regardless of the motive.

For covered entities and business associates who violate HIPAA, although it may seem the penalties for HIPAA violations are non-financial in most cases, technical assistance and corrective action plans can incur significant indirect costs. In addition, the measures implemented to comply with corrective action plans can result in negative patient outcomes.

Workforce members who are unsure about their employer’s workplace policies and the sanctions for violating them should speak with the organization’s HIPAA Privacy Officer. Covered entities and business associates who are unsure they comply with HIPAA should download our HIPAA compliance checklist or seek professional compliance advice.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focuses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/