Summary: Health Insurance Portability and Accountability Act (HIPAA) regulations are extensive and complex. But non-compliance can cost organizations big—with some HIPAA violation fines adding up to millions of dollars. This article breaks down the different HIPAA penalties—including civil and criminal penalties—and the maximum penalties for HIPAA violations. Find out who is liable under HIPAA, what the most common HIPAA violations are, and how to ensure compliance and prevent HIPAA violations in your own organization.
What Are the Penalties for HIPAA Violations?
HIPAA violation fines and penalties result from failing to comply with HIPAA rules. They can result in civil and criminal penalties, depending on the type and severity of the violation. Fines for HIPAA violations range between minimum and maximum amounts and have a calendar-year cap of $1,919,173 for multiple violations of an identical HIPAA provision.
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) enforces HIPAA through regular audits and investigations after a complaint or breach. Since the Enforcement Final Rule of 2006, OCR can issue financial penalties and make corrective action plans and resolution agreements to ensure the covered entity achieves HIPAA compliance. The state attorneys general can also issue HIPAA violation fines and penalties.
OCR typically prefers to resolve violations through non-punitive measures, such as voluntary compliance and corrective action plans. However, when HIPAA violation fines are necessary, OCR follows a tiered penalty structure to assess the severity of the violation and issue a proportional penalty.
Who is liable?
Any person or entity that handles protected health information (PHI) must comply with HIPAA rules, including:
- Health plans
- Health care clearinghouses
- Health care providers
- Medicare prescription drug card sponsors
- Business associates (individuals or entities that handle PHI)
HIPAA violations by the numbers
Take a look at the following numbers related to HIPAA violations as reported by the HHS:
- OCR has received over 296,419 HIPAA complaints and has initiated over 1,129 compliance reviews since the Privacy Rule was implemented in April 2003.
- In the over 29,525 cases it has resolved, OCR required changes in privacy practices and corrective actions by, or provided technical assistance to, HIPAA-covered entities and their business associates.
- As of April 2022, OCR settled or imposed a civil money penalty in 110 cases, totaling $131,563,132.00.
- 50,790 cases did not require investigation because OCR intervened early and provided technical assistance to HIPAA-covered entities to achieve compliance.
- 193,388 complaints did not present an eligible case for enforcement.
- In 13,820 cases, OCR investigations found no violation had occurred.
HIPAA Violation Penalty Tiers
So what are the consequences of violating HIPAA? They depend on the type and severity of the violation. The two types of violations are civil and criminal. Each category has graded tiers to determine penalties for HIPAA violations.
OCR assesses a case and the covered entity’s liability based on four tiers of increasing culpability. Each tier has minimum and maximum penalty amounts and an annual cap on penalties for multiple violations of the same provision. The following list of HIPAA fines is based on the most recent numbers released in March 2022 and is adjusted for inflation.
Tier 1: Lack of knowledge
The covered entity or business associate was unaware of and, through due diligence, could not have known the HIPAA rule was violated.
- Minimum penalty (per violation): $127
- Maximum penalty (per violation): $63,973
- Calendar-year cap: $1,919,173
Tier 2: Reasonable cause and not willful neglect
The covered entity knew or should have known through due diligence that its action (or omission) violated HIPAA, but the violation was not caused by willful neglect.
- Minimum penalty (per violation): $1,280
- Maximum penalty (per violation): $63,973
- Calendar-year cap: $1,919,173
Tier 3: Willful neglect, corrected within 30 days
The violation was caused by willful neglect, but the covered entity took corrective action within 30 days.
- Minimum penalty (per violation): $12,794
- Maximum penalty (per violation): $63,973
- Calendar-year cap: $1,919,173
Tier 4: Willful neglect, not corrected within 30 days
The violation of HIPAA rules constituted willful neglect, and the entity made no attempt to correct the violation within 30 days.
- Minimum penalty (per violation): $63,973
- Maximum penalty (per violation): $1,919,173
- Calendar-year cap: $1,919,173
Employers usually receive civil penalties for violations committed by their employees who work in health care. But not always. If healthcare professionals knowingly misuse or unlawfully obtain PHI, they are held criminally liable.
The Department of Justice (DOJ), not the OCR, handles criminal penalties for HIPAA violations. Criminal penalties can range from fines to jail time depending on severity. A judge determines the penalties based on three categories of criminal violations.
Tier 1: Wrongful disclosure of PHI
This tier is the lowest-level violation. It covers cases of reasonable cause, in which the individual should have known better, and lack of knowledge, where the individual didn’t know they violated a rule. The DOJ doesn’t acknowledge ignorance of HIPAA regulations as an excuse for violating HIPAA rules because all covered entities are responsible for compliance.
Maximum penalty: Up to $50,000, up to one year in prison, or both.
Tier 2: Wrongful disclosure of PHI under false pretenses
This tier includes obtaining PHI under false pretenses or disclosing it without permission. For example, a hospital employee cannot access the records of patients who aren’t under their care.
Maximum penalty: Up to $100,000, up to five years of prison time, or both.
Tier 3: Wrongful disclosure of PHI under false pretenses with malicious intent
The most severe violation is when the individual who commits the crime wrongfully obtains PHI with the intent to sell, transfer, or use the data for personal gain, commercial advantage, or malicious harm.
Maximum penalty: Up to $250,000, ten years of prison time, or both.
Most Common HIPAA Violations
Financial penalties most commonly result from the following HIPAA violations:
- Failure to perform an organization-wide risk analysis
- Failure to enter into a HIPAA-compliant business associate agreement
- Wrongful disclosures of PHI
- Delayed breach notifications
- Failure to safeguard PHI
HIPAA compliance is based mostly on properly securing private data, especially with cyber attacks at an all-time high. Health care organizations, in particular, have massive amounts of data, making them a target for many bad actors. While a breach can reveal HIPAA violations, it’s not considered a violation on its own.
As a goal, compliance reduces the risk of a breach to acceptable levels through due diligence. OCR assesses the nature of a breach and investigates possible weaknesses from noncompliance.
Types of HIPAA Violations
HIPAA violations come in an array of types. Let’s take a look at a few of the main ones.
Intentional versus accidental
Not all violations are intentional. Even otherwise-compliant organizations make mistakes, such as accidentally disclosing PHI to the wrong person or persons. In this case, the person or persons who discover the violation must report it to the organization’s privacy officer. The privacy officer then evaluates the situation to determine the scope of the breach and critical actions to reduce risk and prevent future harm.
Depending on the nature of the violation, the organization might be required to report it to OCR. Failure to report a violation can result in penalties.
When assessing the violation, OCR determines the severity based on the tier system. The civil penalty for unknowingly violating HIPAA falls under Tier 1. But accidental disclosures can fall under other tiers depending on the situation.
Accidental violations include:
- A health care employee accidentally views the records of a patient. For example, they intended to pull the file for another patient and opened the wrong record.
- An employee sends a fax or email containing PHI to the wrong recipient.
- A staff member discusses treatment plans with a patient in a waiting room or in front of other people without the patient’s permission.
- Computer monitors are angled so that unauthorized individuals might see PHI.
Knowledge of HIPAA guidelines
Some violations occur with knowledge of breaking HIPAA guidelines. These violations range in severity, depending on the intent of the individual or entity. Common examples of this type of violation include:
- Gossiping about a patient’s PHI outside the organization or with unauthorized individuals.
- Accessing a patient’s records without permission, such as looking up a family member’s records.
- Accessing PHI with intent to sell it for profit or personal gain.
A recent case that was resolved in 2021 involved Jennifer Lynne Bacor, a patient care technician at a Cedar Rapids hospital. She used her login credentials to access her ex-boyfriend’s PHI multiple times—even though he wasn’t one of her patients—after he was treated at the hospital on various occasions. Upon accessing his information, Bacor took a picture of a medical photograph that she then shared with a third party. The third party shared the photo with the ex-boyfriend and others in a Facebook message along with “taunting language and emojis.”
Bacor was sentenced to five years of probation and fined $1,000 as punishment for violating HIPAA and “weaponizing” her ex-boyfriend’s private medical information. Bacor was also restricted from any employment that would grant her access to the private medical information of others during her probationary period.
Criminal HIPAA violations
Violating HIPAA can result in criminal penalties, depending on the severity and intent of the breach. Criminal violations typically involve accessing patient records for personal gain or commercial advantage or sharing PHI with intent to do harm. For example, they might involve taking social security numbers and birth dates to commit identity fraud. Criminal penalties are less common than civil monetary damages for HIPAA violations.
For example, in 2019, the DOJ charged a former patient coordinator, Linda Sue Kalina, with wrongfully disclosing the health information of another individual. During her employment, Kalina improperly accessed 111 patient records. She “unlawfully disclosed personal gynecological health information related to two such patients, with intent to cause those individuals embarrassment and mental distress.” Kalina was sentenced to one year of imprisonment, followed by three years of supervised release.
Theft of patient information
Patient information can be lost or stolen when an employee accesses and steals the PHI on file or when records are left unsecured. For example, a medical professional might leave an unencrypted thumb drive loaded with patient information at a coffee shop, where it’s stolen by a third party. Another example is a burglary at a medical office.
Theft can also occur through a cybersecurity breach due to access failures like compromised credentials or poor security infrastructure. In 2021, over 550 organizations reported health care data breaches to HHS, affecting more than four million people. The 10 largest breaches all involved hacking or IT incidents, with the majority occurring on the organization’s network server.
Wrongful disclosures cover civil and criminal liabilities based on severity. HIPAA violation penalties for employees that wrongfully disclose PHI can include HIPAA fines up to $250,000 and 10 years in prison for criminal violations. However, wrongful disclosure can be as simple as neglecting to get a patient’s signature on a HIPAA release form before releasing the information to a third party.
The OCR and HHS may settle cases with covered entities and business associates through resolution agreements. These agreements can include a HIPAA violation lawsuit payout and obligations to perform corrective actions and submit reports to HHS—typically for three years.
For example, in one recent case, the Children’s Hospital & Medical Center (CHMC) agreed to take corrective actions and pay $80,000 to settle a potential violation of the HIPAA right of access standard. If HHS can’t reach a satisfactory resolution agreement with the covered entity, it can impose civil monetary penalties for noncompliance.
How to Avoid HIPAA Violations
Covered entities and business associates that have access to PHI must implement and adhere to the technical, physical, and administrative safeguards outlined in HIPAA. They must also comply with the HIPAA Privacy Rule and HIPAA Security Rule to protect the integrity of PHI.
The HIPAA Privacy Rule addresses the use and disclosure of PHI and establishes safeguards to protect it. It also gives patients the right to access their medical records and obtain copies on request in a reasonable timeframe. The HIPAA Security Rule specifically addresses the use and protection of PHI that was created, received, maintained, or transmitted electronically.
To comply with the HIPAA Security Rule, the CDC requires all covered entities to:
- Ensure the confidentiality, integrity, and availability of all electronic PHI (ePHI).
- Detect and safeguard against anticipated threats to the security of the information.
- Protect against anticipated impermissible uses or disclosures.
- Certify compliance by their workforce.
Of course, these requirements are easier said than done. While external cyber attacks continue to increase—with healthcare organizations as a top target—covered entities must manage risks both inside and outside their organizations. In fact, 58% of incidents involved insiders, rather than external threats.
For example, a HIPAA violation where someone’s PHI is disclosed is often the result of human error rather than malicious intent. These compliance errors are most commonly the result of:
- Improper disposal
- Data loss
Besides human error, be on the lookout for the following common violations:
- Lack of encryption
- Data breaches caused by a security hack or phishing attack
- Unauthorized access
- Improper disposal of records
- Loss or theft of devices
To prevent violations—and HIPAA violation consequences—secure PHI at every level by applying the following best practices.
1. Review current data security practices
To achieve compliance, understand your security landscape. Review current security practices and systems to identify vulnerabilities and gaps in compliance. Formally conduct any required audits and assessments and review and document the results. This review sets the foundation for a systematic compliance plan.
2. Conduct routine monitoring of record access
As part of ongoing compliance practices, conduct routine monitoring of all recorded access involving PHI. Regular monitoring helps detect any errors or violations early so you can mitigate the impact and correct the incident.
3. Implement access control
For ePHI, access control is essential to securing data across your organization’s network. For this level of control, assign unique logins for each user and establish procedures to govern the release or disclosure of ePHI in case of emergency. Also, as part of any access control program, implement system-wide audit controls and activity logs to record access and attempted access. Once data has been accessed, log how it is used.
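The routine monitoring in step 2 depends on the per-user audit records from step 3. The following is an added example, not part of the original article or StrongDM's product: it reviews a constructed access log and flags record views by users with no treatment relationship, emergency-access events, and repeated denied attempts. The log columns, the care-team table, and the denial threshold are all assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample audit log: one row per access or attempted access.
SAMPLE_LOG = """timestamp,user,patient_id,action,result,emergency
2024-03-04T09:12:00,nurse_a,P100,view,allowed,no
2024-03-04T09:40:00,tech_b,P200,view,allowed,no
2024-03-04T13:05:00,tech_b,P300,view,allowed,no
2024-03-05T08:30:00,tech_b,P300,view,allowed,no
2024-03-05T10:15:00,clerk_c,P100,view,denied,no
2024-03-05T10:16:00,clerk_c,P100,view,denied,no
2024-03-05T10:17:00,clerk_c,P100,export,denied,no
2024-03-06T02:20:00,dr_d,P400,view,allowed,yes
"""

# Hypothetical treatment relationships: who is on each patient's care team.
CARE_TEAM = {"P100": {"nurse_a"}, "P200": {"tech_b"},
             "P300": {"nurse_a"}, "P400": {"nurse_a"}}

DENIED_THRESHOLD = 3  # assumed policy: this many denials for one user/patient pair


def review_access_log(log_text, care_team, denied_threshold=DENIED_THRESHOLD):
    """Return sorted (reason, user, patient_id, count) findings for review."""
    counts = defaultdict(int)
    for row in csv.DictReader(io.StringIO(log_text)):
        user, patient = row["user"], row["patient_id"]
        if row["result"] == "denied":
            reason = "repeated_denied"            # attempted access that was blocked
        elif row["emergency"] == "yes":
            reason = "emergency_access"           # emergency procedure was invoked
        elif user not in care_team.get(patient, set()):
            reason = "no_treatment_relationship"  # allowed, but not the user's patient
        else:
            continue                              # expected access by the care team
        counts[(reason, user, patient)] += 1

    findings = []
    for (reason, user, patient), n in sorted(counts.items()):
        # A single denial is usually a mistyped record number; only report repeats.
        if reason == "repeated_denied" and n < denied_threshold:
            continue
        findings.append((reason, user, patient, n))
    return findings


if __name__ == "__main__":
    for finding in review_access_log(SAMPLE_LOG, CARE_TEAM):
        print(finding)
```

Every emergency-access event is reported regardless of count, since each use of the emergency procedure should be checked against the documented justification.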
4. Enable full disk encryption
Encrypting files is essential to achieving HIPAA compliance and protecting private records. Enable full disk encryption (FDE) as an effective, low-cost method of securing sensitive data. FDE encrypts data on a device, protecting the information even if the device is lost or stolen. For end-to-end protection, take time to review your organization-wide encryption policy.
5. Train employees on HIPAA standards and best practices
To reduce human-error violations and prevent negligent practices, train all employees on HIPAA standards and policies. Conduct training annually for all employees and during onboarding for all new employees.
Training helps employees who handle PHI to recognize and avoid malware and cyber attacks, such as phishing. It also helps ensure proper handling of digital and physical records, such as disposal procedures.
How StrongDM Helps You Avoid Penalties for HIPAA Violations
The consequences of violating HIPAA can be costly. To protect your organization and data, start with comprehensive access management from StrongDM.
This access platform gives your organization the ability to:
- Centrally manage authentication.
- Implement least-privilege access based on roles.
- Connect users to the resources they need from anywhere.
- Capture and record all queries and commands in every session across your entire stack.
Managing permissions across an organization can be time-consuming and error-prone. But StrongDM takes the guesswork out of access management. It automates least-privilege access to the systems your users need so only authorized users handle PHI.
Plus, StrongDM centralizes all log collections—including query logs, web logs, and activity logs—in one place. This single location enables faster audit response times and comprehensive monitoring, so you always know when and how PHI is accessed and used.
About the Author
Andrew Magnusson, Director, Global Customer Engineering, has worked in the information security industry for 20 years on tasks ranging from firewall administration to network security monitoring. His obsession with getting people access to answers led him to publish Practical Vulnerability Management with No Starch Press in 2020. He holds a B.A. in Philosophy from Clark University, an M.A. in Philosophy from the University of Connecticut, and an M.S. in Information Management from the University of Washington. To contact Andy, visit him on LinkedIn.