What Are the Penalties for HIPAA Violations?

Imagine you have the best patients and coworkers in the world. But someone leaves a patient file out in the open, or you have a data breach. These HIPAA violations are serious and can affect your office in multiple ways. That's why you need to know the penalties for HIPAA violations so that you can prepare and avoid future issues. Read on to learn more about HIPAA penalties.

What Qualifies as a HIPAA Violation?

HIPAA has strict rules and regulations covering privacy and security. The rules apply to covered entities, such as doctors, nurses, medical office staff, and insurance companies. If a covered entity fails to comply with HIPAA rules, it can face harsh penalties. However, it's important to understand what does and does not count as a HIPAA violation. Talking about medical care with the parent of a child won't necessarily violate HIPAA. But gossiping about a patient after they leave the office can be a violation.

Intentional vs. Accidental

You should also consider whether the HIPAA violation was intentional or happened by accident. Both are bad and can warrant penalties, but intentional violations are more serious. Intentional violations include sharing information with people who shouldn't have access to it. Accidental violations, on the other hand, include not logging out of a patient's medical records when leaving a workstation. Whether you're a provider, a medical office staff member, or a business associate, you should avoid both types of violations. While you may not face tough penalties after an accident, the risk of noncompliance isn't worth taking.

Knowledge of HIPAA Guidelines

As a covered entity, you have to know and understand HIPAA regulations. Not knowing what can violate HIPAA is not an excuse for a violation. Even if you don't understand a rule, you can still face a penalty for not following it. As technology and HIPAA itself change, you should always stay up to date. Staying on top of HIPAA can be as simple as taking a refresher course. That way, you can make sure you comply with HIPAA throughout your career in health care.

Criminal HIPAA Violations

Not all HIPAA violations are criminal, but some are, and those carry penalties to match. Most criminal HIPAA violations are intentional: the perpetrator knowingly disobeyed the law. Making sure everyone in the office understands HIPAA won't necessarily stop criminal violations. But it's important to understand how criminal violations differ and how those differences affect the penalties for HIPAA violations.

Theft of Patient Information

Stealing patient information or accessing it inappropriately is a crime. This includes obtaining patient information with the intent to sell it to a third party. Examples of this theft include downloading protected health information (PHI) to a personal computer or using PHI to commit credit card fraud. People have gone to jail for those and similar crimes. Any access to PHI that isn't for clinical or business purposes is outside the scope of your job as a provider. You also shouldn't use PHI for personal reasons, even if you accessed it while treating a patient. Always log out of patient records when you aren't using them. That way, you avoid being implicated in the theft of patient information.

Wrongful Disclosures

Another major crime under HIPAA is the wrongful disclosure of patient information, usually with the intent to harm someone. In these cases, a person knowingly uses a unique health identifier, like a name or social security number. The person may obtain PHI or disclose it to another person who shouldn't have access to the information. If the information the person obtains or discloses comes from a covered entity, they can face severe punishment. People can face fines and jail time, and the amount varies. The penalties for violating HIPAA are higher if the offense is committed under false pretenses. If the purpose of the offense is to use the PHI for harm or personal gain, the penalty is greater still.

Penalties for HIPAA Violations

Penalties for HIPAA violations vary significantly. Factors that affect penalties include how serious the offense was and whether it was an accident. A violation that continues without correction can also lead to a harsher punishment. Everyone working in health care is responsible for following HIPAA rules. Still, violations do happen, and there are four categories (tiers) of violations and penalties.

Tier 1

The first category covers violations the covered entity could not have prevented. Usually, the covered entity is also unaware of the violation and couldn't have done anything to stop it. To fall under this category, the covered entity must have done whatever it could to protect PHI. If someone should have been aware of the violation, it falls into the next group. Violations in this category face fines of $100 up to $50,000 per violation. Factors like the organization's financial status and any history of violations can affect the penalty.

Tier 2

If a covered entity should have known of the violation, it falls under the second category. However, the violation may still have been unavoidable even with reasonable care. Willful neglect of HIPAA rules does not fall into this category. Once you know a violation can happen, you should do what you can to prevent it, though that can be hard. Penalties for HIPAA violations in this category range from $1,000 to $50,000 per violation. As with the first group, many factors can affect the specific fine.

Tier 3

When a violation occurs as a result of willful neglect of HIPAA rules, it falls under this category. The other qualifier is that you have attempted to correct the issue. That second part is what separates these violations from the fourth category. As a covered entity, you should always aim to keep PHI secure. If you have this type of violation, the penalty ranges from $10,000 to $50,000 per violation. Factors like the level of harm can affect the exact amount.

Tier 4

The most significant difference between the last category and this one is that violators in this group don't try to correct the issue. If you have a case of willful neglect and allow the situation to continue, it falls into this category. Consistently leaving patient records out or not logging out of electronic records may fit here. This is the most serious type of HIPAA violation, so it carries the biggest penalty. Each violation faces a minimum fine of $50,000. While other types may qualify for a waiver, these violations do not. Some of these violations may also result in jail time.

Who Issues Penalties?

When you violate HIPAA, you should consider who will issue the penalty. Multiple entities can issue penalties, depending on the case. Many penalties for HIPAA violations go through the federal government. However, states also have the ability to issue fines. Your employer may also have an internal discipline system to hold employees accountable. The sections below cover each of these.

Office for Civil Rights

The Office for Civil Rights (OCR) under the Department of Health and Human Services (HHS) handles penalties and violations. OCR prefers to resolve violations without handing out fines. Options include voluntary compliance and making sure the issue doesn't happen again. OCR may also issue technical guidance if the violation came from a data breach or something similar. For lower-tier violations, OCR may even decide to waive the fine. This can happen if you couldn't control or avoid the violation. However, if other methods don't work, or for bigger violations, OCR will issue a fine. It will use your past history and the severity of the issue to set the fee you will need to pay and whether you will face jail time.

Attorneys General

While not as common, state attorneys general can also issue monetary penalties for HIPAA violations. The introduction of the HITECH Act in 2009 gave attorneys general the ability to issue fines to covered entities. Attorneys general can file civil actions in federal district courts. Fines can range from $100 to $25,000 per violation category. If the violation affected residents of multiple states, you may need to pay fines to each attorney general. That can add up, so it's important to stay in compliance. Most state attorneys general have yet to issue any HIPAA penalties. However, some have, and they may issue more in the future. When an attorney general issues a fine, their office can keep a portion of the fee.

Employers

Your employer can also choose to penalize any employee who violates HIPAA. Employers can use their discretion when issuing penalties for HIPAA violations. In the case of a small violation, the employer may require the employees in question to receive HIPAA training. That way, the employees know what to avoid in the future. However, if the violations continue or if the first one is serious, employers may fire the employees responsible. In some cases, HIPAA penalties fall on the organization rather than the individual. So if your employer has to pay a lot in violation fees, it may want to fire the people responsible. Then, the organization can put more money into improving security and providing patient care.

How to Avoid Violating HIPAA

Now that you know about the penalties for HIPAA violations, hopefully you are more motivated to follow HIPAA regulations. Luckily, doing so isn't complicated, and it can help you perform your job even better. Whether you're a doctor, nurse, insurance agent, or business associate, you should do what you can to avoid HIPAA violations. The exact steps vary based on your job. However, everyone in the health care field can do a few things. While you can't prevent all violations, these steps can prevent some of the more serious offenses.

Understand the Rules

Of course, the most important thing is that you know and understand HIPAA regulations. You should know about the Privacy Rule and the Security Rule. The Breach Notification Rule is also essential if your office faces a data breach. You don't have to be an expert on HIPAA, but you should know how it affects the way you do your job. Consider making a checklist to follow when working with PHI. The list could include using your own unique username to access the files, and steps to secure your computer when you're done so that no one else can use your session. The more closely you follow HIPAA rules, the less likely you are to violate them. A checklist may not be strictly necessary, but it can be a good tool for holding yourself and your coworkers accountable.

Complete a Risk Assessment

Next, you should complete a risk assessment for your medical office. Check everything from your technology to your physical safeguards. Make sure you have a secure WiFi network to use at work so that you can limit exposure to attackers and keep PHI safe from outsiders. As you assess your risk of violating HIPAA, consider how you can mitigate that risk. Perhaps that means changing electronic settings to log users out after a few minutes of inactivity. Maybe you decide to upgrade your WiFi to a faster, more secure network. Do what you need to do to lower your security risk and protect PHI.

Train Employees

Another essential step is to make sure employees, including administrative staff, have up-to-date training on HIPAA. Even if someone doesn't work with patients, they probably work with PHI. You should train new employees to make sure they know and understand HIPAA rules and how they apply to their job. But as things change, employees should continue to learn. Consider having the entire staff go through HIPAA training each year. That way, everyone can keep up with any changes. And if someone happens to forget part of the law, they can relearn it. You can train your staff yourself, or you can have everyone take a HIPAA course. Then, you don't have to spend time reviewing HIPAA with employees.

Know the Penalties for HIPAA Violations

Violating HIPAA can result in anything from a small fine to jail time. That's why it's important to know the penalties for HIPAA violations. While you don't want to commit any violation, you should be prepared to mitigate one if it happens. Then, you can lower your potential fines and take steps to prevent future problems. Do you want some HIPAA training for you or your staff? Enroll in one of our HIPAA courses today.
