HIPAA (the Health Insurance Portability and Accountability Act of 1996) is a federal law enacted by the U.S. Congress that regulates how healthcare organizations handle PHI (protected health information) and ePHI (electronic protected health information).
This includes complex and extensive rules for protecting critical medical data and sensitive patient information, so HIPAA non-compliance is often met with severe penalties.
Investigations of healthcare providers for HIPAA violations have resulted in fines of millions of dollars. For example, one of the highest-ever HIPAA settlements was the 2018 settlement over the Anthem data breach, in which the health plan corporation agreed to pay $16 million in fines to the HHS (Department of Health and Human Services). The series of cyber attacks on Anthem resulted in a PHI data breach affecting 79 million people.
Healthcare providers must be aware of the penalties that come with violating HIPAA compliance and the improper handling of patient data.
This guide aims to inform all HIPAA-compliant entities about HIPAA violations and cover both criminal and civil penalties. It will also cover liability, HIPAA violation tiers, maximum penalty costs, the severity of HIPAA breaches, and other useful info for healthcare organizations.
How HIPAA Regulates PHI Protection
To regulate how entities protect medical data, the U.S. Department of Health and Human Services (HHS) created the HIPAA Privacy Rule, the HIPAA Security Rule, the HIPAA Omnibus Rule, and the HIPAA Breach Notification Rule, which operate alongside state and federal laws.
- Under the HIPAA Privacy Rule, all HIPAA-covered entities and their business associates are required to protect all individually identifiable health information (PHI) that they store, maintain, or transmit.
- The HIPAA Security Rule focuses on ePHI. It requires all HIPAA-compliant healthcare entities to follow safeguards that focus on security policies, procedures, access controls for data storage, and communications for transmitting ePHI via open networks.
- The HIPAA Omnibus Rule requires HIPAA-covered entities — i.e., healthcare providers — to regularly update their Business Associate Agreements to ensure HIPAA Security Rule compliance.
- In case of a data breach involving PHI, which commonly occurs in a HIPAA violation, the HIPAA Breach Notification Rule requires HIPAA-covered entities and their business associates to notify the HHS and the affected parties “without unreasonable delay.” The outer limit of a reasonable delay is 60 days after discovery of the breach. The entity must also inform a major media outlet if the breach involves 500 or more medical records.
What is PHI?
The HIPAA Privacy Rule defines PHI as “any information held by a covered entity which concerns health status, the provision of healthcare, or payment for healthcare that can be linked to an individual.”
Individually identifiable health information includes all PHI (protected health information) of patients and health plan members handled by healthcare services, such as treatment information, medical tests, prescription data, diagnoses, social security numbers, birth dates, race, ethnicity, phone numbers, email addresses, and gender.
Medical data is regarded as PHI only if a patient can be identified from it. Education records and staff employment records are excluded. Once every identifier linking health system data to a patient has been removed, the data is no longer considered PHI.
All healthcare providers, business associates, and medical organizations that handle PHI must comply with HIPAA and its rules. The organizations subject to the law are called covered entities; they also include health plans, healthcare clearinghouses, and Medicare-related entities and sponsors.
How HIPAA Compliance is Enforced
The Office for Civil Rights (OCR) investigates healthcare entities for possible violations and can receive complaints against covered entities and their business associates.
Once the OCR receives a complaint, investigates the entity, and finds one or more violations, it takes HIPAA enforcement action and imposes civil money penalties proportional to the severity of the violation.
The Enforcement Rule was revised several times between 1996 and 2009 and was further refined by the HITECH Act (Health Information Technology for Economic and Clinical Health Act).
While patients and entities may file complaints for violations, HIPAA is also enforced by the OCR via regular compliance reviews and investigations. Under the Enforcement Rule, as revised in 2006, the OCR may:
- Issue financial penalties
- Make corrective action plans
- Make resolution agreements to help covered entities maintain compliance with HIPAA
In some cases, HIPAA violation fines and penalties may also be issued by the state attorneys general.
Examples of Common HIPAA Violations
Common HIPAA violations that bear severe financial penalties include:
- Failure to implement HIPAA-compliant security steps and safeguarding procedures
- Failure to conduct an organization-wide risk analysis
- Failure to set a business associate agreement
- Improper PHI disposal
- Delayed breach notifications
HIPAA Violation Penalty Tiers
HIPAA penalties and fines result from failing to comply with HIPAA standards. Depending on the type and severity of the HIPAA violation, they can be civil penalties or criminal penalties. Civil penalties, assessed by the OCR, are graded in four tiers; criminal penalties are graded in three, as described below.
Commonly, the OCR resolves HIPAA breaches via non-punitive means like corrective action plans or voluntary compliance with technical assistance in addressing issues through a designated deadline.
However, if HIPAA violations are deemed severe enough, or the violations have been ongoing, the OCR may impose financial sanctions via the tiered penalty structure proportional to the violation.
If the offender is unaware that they have committed a HIPAA violation, they may be issued a civil penalty.
Civil penalties are usually imposed on employers for violations committed by their employees in healthcare organizations. If healthcare staff knowingly misuse PHI, they may face criminal liability.
Three factors determine the severity of the civil penalty:
- How easily the offender could have prevented the violation
- The covered entity’s level of neglect
- Which actions the covered entity took to correct the violation
If the covered entity cooperates fully, the penalty may be less severe. Civil penalties have four levels of monetary penalties. The first, lack of knowledge, is the least severe. The fines below are adjusted for inflation as of December 2022.
Tier One: Lack of Knowledge
If the covered entity is unaware of the HIPAA violation and couldn’t have avoided it with reasonable steps, the violation is considered within the lack of knowledge tier, the lowest of the tiers.
- Minimum penalty per violation: $127
- Maximum penalty per violation: $30,487
- Calendar-year cap: $30,487
Tier Two: Reasonable Cause and Not Willful Neglect
If the covered entity was aware of a violation, but the violation wasn’t caused by willful neglect (meaning it couldn’t have prevented the violation even with reasonable steps), then this is regarded as a reasonable cause.
- Minimum penalty per violation: $1,280
- Maximum penalty per violation: $60,973
- Calendar-year cap: $121,946
Tier Three: Willful Neglect, Corrected Within 30 Days
Covered entities that willfully neglected a HIPAA requirement but corrected the violation within 30 days with reasonable steps fall into tier three.
- Minimum penalty per violation: $12,794
- Maximum penalty per violation: $60,973
- Calendar-year cap: $304,865
Tier Four: Willful Neglect, Not Corrected Within 30 Days
The most severe of the four tiers applies when an entity willfully neglects HIPAA requirements and doesn’t correct the violation within the 30-day window.
OCR is aware that it’s unreasonable to penalize an organization for undiscovered HIPAA breaches if the organization wasn’t expected to avoid a data breach. That’s why the OCR has the discretion to waive a fine. However, the OCR cannot waive a penalty that involves willful neglect of the HIPAA rules of privacy, security, and breach notification.
- Minimum penalty per violation: $60,973
- Maximum penalty per violation: $1,919,173
- Calendar-year cap: $1,919,173
In addition to civil penalties, violating HIPAA may also result in criminal charges against any individual responsible for a sufficiently severe HIPAA breach.
If an entity obtains or uses PHI without permission, criminal penalties may follow. If the OCR determines that a HIPAA violation falls into the realm of criminal actions, the Department of Justice (DOJ) will take over the case.
Depending on the severity, criminal penalties range from severe fines to jail time. A judge from the DOJ measures the penalties and the length of imprisonment based on three criminal violation categories, each with its own financial penalties.
They apply to anyone who violates HIPAA on criminal grounds. This includes board members, staff members, and any business associate related to an organization found to have criminally violated HIPAA.
Moreover, if the entity profits from the theft, access, or misuse of PHI, the amount of that profit may be added to the restitution and the fine settlement.
Tier 1: Wrongful Disclosure of PHI
The lowest level of criminal violation is the wrongful disclosure of PHI. This covers (1) cases of reasonable cause, where the entity should have acted to resolve the violation, and (2) cases of lack of knowledge, where the entity wasn’t aware it had violated a HIPAA rule.
The DOJ does not acknowledge failing to understand HIPAA regulations as a reasonable explanation for a HIPAA violation. All covered entities are deemed fully responsible.
The maximum penalties for wrongful disclosure are up to $50,000 in fines, up to one year in prison, or both.
Tier 2: Wrongful Disclosure of PHI Under False Pretenses
Obtaining or misusing PHI under false pretenses is regarded as Tier 2.
An example of this violation is a hospital staff member accessing the records of patients who aren’t under their care. Another is an entity disclosing PHI without the patient’s permission.
The maximum criminal penalty for this tier can reach $100,000 in fines, five years of prison time, or both.
Tier 3: Wrongful Disclosure of PHI Under False Pretenses With Malicious Intent
Tier 3 covers the most severe violations, in which an entity misuses or discloses wrongfully obtained PHI with malicious intent, for personal gain, financial gain, or to cause harm.
Bad actors prosecuted under this tier may face up to ten years in prison, fines of up to $250,000, or both.
What is the Penalty for Not Reporting a HIPAA Violation?
In case of a HIPAA breach, all staff of a covered entity are required to notify the HIPAA privacy officer or their designated supervisor immediately.
The privacy officer is responsible for investigating the HIPAA breach. They also guide the entity through the next steps, such as the risk assessment procedure and breach containment. Through that risk assessment, the privacy officer determines the severity of the breach and whether it is a reportable incident.
Entities must notify the HHS and all involved parties “without unreasonable delay” or up to 60 days after the discovery. If the breach involves 500 or more PHI records, the entity must also inform a major media outlet.
All entities that fail to notify the OCR, affected individuals, or a media outlet may be fined depending on the severity of the breach.
Is it a Felony to Violate HIPAA?
Criminal penalties for HIPAA violations are rare. Many HIPAA violations are regarded as misdemeanors. This is why the OCR focuses on addressing underlying reasons for HIPAA breaches and helps healthcare organizations achieve compliance.
HIPAA non-compliance rarely involves extreme cases of wrongful disclosure of PHI with malicious intent under false pretenses, which would constitute a felony. The violations usually result in financial sanctions and corrective steps. When HIPAA non-compliance violations do constitute a felony, the penalties can be much more severe, as outlined above.