HIPAA Violations: HIPAA Fines and HIPAA Penalties for Non-Compliance

A covered entity can be fined for HIPAA violations by the HIPAA enforcement agencies. HIPAA penalties can be civil or criminal.

HIPAA sets severe penalties for non-compliance. The penalties may be:

  • Civil
  • Criminal
  • Financial
  • Imprisonment

Section 1176 (“General Penalty for Failure to Comply with Requirements and Standards”) of Public Law 104-191, the Health Insurance Portability and Accountability Act of 1996, provides that the Secretary may impose fines for non-compliance of up to $100 per offense, with a maximum of $25,000 per year, on any person who violates a provision of this part.

Section 1177 (“Wrongful Disclosure of Individually Identifiable Health Information”) states that a person who knowingly:

  • uses or causes to be used a unique health identifier;
  • obtains individually identifiable health information relating to an individual; or
  • discloses individually identifiable health information to another person

shall:

  • be fined not more than $50,000, imprisoned not more than 1 year, or both;
  • if the offense is committed under false pretenses, be fined not more than $100,000, imprisoned not more than 5 years, or both; and
  • if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, be fined not more than $250,000, imprisoned not more than 10 years, or both.

HIPAA Complaints and HIPAA Enforcement Agencies

Part of Administrative Simplification: Responsible for HIPAA enforcement

Privacy: HHS Office for Civil Rights (OCR)
  Fact Sheet: How to File a Health Information Privacy Complaint
  Complaints, which must be submitted in writing within 180 days of the unauthorized disclosure, can be faxed or mailed to the appropriate OCR regional office or sent via email.

Transactions and Code Sets: Centers for Medicare & Medicaid Services (CMS)
  CMS and OCR will work together on outreach and enforcement and on issues that touch on the responsibilities of both organizations, such as the application of security standards or exception determinations.
  CMS’ Online Complaint Submission Form allows complaints to be submitted about covered entities’ non-compliance with the HIPAA transaction standards. Complaints can also be submitted on a paper-based form available for download from the site (PDF).

Security: Centers for Medicare & Medicaid Services (CMS)

Identifiers: Centers for Medicare & Medicaid Services (CMS)

HIPAA Penalties

Civil*

Tier A
  Monetary tier: $100 to $25,000
  Prison time: NA
  Offense: Single violation of a provision, provided the person did not know, and by exercising reasonable diligence would not have known, that the person violated HIPAA privacy and security provisions (“reasonable person” concept).

Tier B
  Monetary tier: $1,000 to $50,000
  Prison time: NA
  Offense: Single violation of a provision due to reasonable cause but not willful neglect.

Tier C
  Monetary tier: $10,000 to $50,000
  Prison time: NA
  Offense: Single violation of a provision due to willful neglect and timely corrected.

Tier D
  Monetary tier: $50,000
  Prison time: NA
  Offense: If the violation is not corrected timely, the penalty for each violation is $50,000.

Criminal (maximum penalties)

  Monetary tier: Up to $50,000
  Prison time: Up to one year
  Offense: Wrongful disclosure of individually identifiable health information.

  Monetary tier: Up to $100,000
  Prison time: Up to five years
  Offense: Wrongful disclosure of individually identifiable health information committed under false pretenses.

  Monetary tier: Up to $250,000
  Prison time: Up to ten years
  Offense: Wrongful disclosure of individually identifiable health information committed under false pretenses with intent to sell, transfer, or use it for commercial advantage, personal gain, or malicious harm.

New categories

  • Release of PHI without authorization
  • Willful neglect (effective 2/17/12)

Enforcement by State Attorneys General

* At the discretion of the Office for Civil Rights, any of the civil penalties in Tiers A-D may be increased to $50,000 per violation and up to $1,500,000 per calendar year for the same type of violation. With the inclusion of HITECH and the Omnibus Rule, all civil tiers are capped at $1,500,000 each.

If DHHS has not already begun to take action, the state attorney general may bring a civil action on behalf of the state’s residents in a federal district court:

  • To enjoin the defendant from further violations; and
  • To obtain damages equal to $100 for each violation, not to exceed $25,000 for all violations of an identical requirement during a calendar year.

The court may also award the state attorney general attorney fees and costs.