The Health Insurance Portability and Accountability Act or HIPAA, is a federal U.S. law that protects the privacy and security of health information. HIPAA applies to healthcare providers, as well as their business associates who manage protected health information (PHI).
Violating HIPAA has profound consequences, and not knowing the rules is not justification for breaking them. When it comes to managing PHI, each party involved must tread carefully or face the risk of exorbitant fines, or even jail time.
This article lays out the potential fines and penalties for violating HIPAA and ways of mitigating the consequences.
HIPAA Violation Classification and Structure
HIPAA violations are classified based on the level of harm caused by the violation. The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has established four categories of HIPAA violations based on their severity.
The fines for HIPAA violations in 2023 are:
- Tier 1: from $127 to $63,973
- Tier 2: from $1,280 to $63,973
- Tier 3: from $12,794 to $63,973
- Tier 4: from $63,973 to $1,919,173
*Annual Penalty Limit: $1,919,173
Keep in mind that these are the penalty ranges. The OCR sets the actual penalties based on specific circumstances, such as the extent of the harm, compliance history, and the level of cooperation with the investigation. The fines are adjusted for inflation each year.
What Happens if You Violate HIPAA?
A HIPAA violation occurs when a covered entity or business associate fails to adhere to one or more of the provisions outlined in the HIPAA Privacy, Security, or Breach Notification Rules.
HIPAA violations can surface through multiple channels:
- Patients who have had their PHI mishandled or inappropriately disclosed may become aware of violations.
- Healthcare employees may detect violations during regular audits or incident investigations.
- Government agencies, such as the Office for Civil Rights (OCR), may learn of violations through complaints or proactive compliance audits.
- Media outlets may uncover HIPAA violations and bring them to public attention.
Regardless of the source, violating HIPAA results in:
- Civil penalties: HIPAA violation fines range from $127 to $1,919,173 per violation.
- Criminal penalties: In cases of intentional or reckless violation of HIPAA, individuals can face criminal charges resulting in imprisonment of up to 10 years, as well as fines.
- Loss of licensure or accreditation: Healthcare providers that violate HIPAA often face the loss of licensure or accreditation.
- Reputational damage: HIPAA violations result in negative publicity and loss of trust from patients, clients, and the public.
- Lawsuits: Individuals whose PHI was exposed or misused due to a HIPAA violation can file a lawsuit against the responsible party, seeking compensation for damages.
Civil vs Criminal Penalties for HIPAA Violations
There are two main types of HIPAA violation penalties: civil and criminal.
The civil penalties covered above, incentivize compliance and are mostly issued to organizations. Criminal penalties act as deterrents and punishment for egregious violations and are usually reserved for individuals. The HHS primarily enforces civil penalties, while the U.S. Department of Justice (DOJ) enforces criminal penalties.
In rare cases, an organization may face both civil and criminal penalties for a single violation. For example, in cases where an organization knowingly and willfully violates HIPAA and the infraction results in patient harm, they will face both civil fines and criminal charges.
Additionally, individuals affected by a HIPAA violation may also file a class action lawsuit against the healthcare provider or business associate depending on the type and severity of the violation.
HIPAA Criminal Penalties
Similar to the OCR’s civil penalties, the DOJ divides criminal violations into three separate tiers based on the severity of the offense. The final decision is made by a judge based on the facts of each case.
The tiers of criminal penalties for HIPAA violations are:
- Tier 1: Individuals who knowingly violate the Privacy Rule by obtaining or disclosing PHI may face a fine of up to $50,000 and a maximum prison sentence of one year.
- Tier 2: If the offending party obtained PHI under false pretenses, the penalties increase to $100,000 and imprisonment for up to five years.
- Tier 3: Includes violations related to selling, transferring, or using PHI for personal gain, commercial advantage, or malicious harm and may result in fines of up to $250,000 and up to ten years in jail.
The Department of Justice has become increasingly proactive in pursuing those who knowingly breach HIPAA Rules. State attorneys general are also cracking down on data theft and making examples out of individuals found to have violated HIPAA, as the number of employees caught accessing or stealing PHI has increased in recent years.
The value of PHI on the online black market is high, making it a tempting target. To protect your business and ensure continuity, read our article on 19 cybersecurity best practices.
Examples of HIPAA Penalties and Settlements
Here are some real-life examples that show the unique and often unpredictable nature of HIPAA penalties and settlements:
New York Presbyterian Hospital
In 2013, the New York Presbyterian Hospital allowed a TV crew to film two patients for a medical reality TV show without obtaining their consent. Tragically, one of the patients died during the filming in the emergency room. The investigation uncovered that the healthcare facility allowed the film crew unrestricted access to the hospital, leading to the exposure of PHI. Consequently, the healthcare institution entered into a $2.2 million settlement with the OCR and committed to a corrective action plan to avoid similar incidents in the future.
In 2015, a series of cyber-attacks compromised the PHI of almost seventy-nine million people held by the health insurance provider then called Anthem. This data breach was one of the largest in history. Anthem settled a combined class-action lawsuit filed by the victims for $115 million in 2018. Furthermore, Anthem paid a penalty of $16 million to the OCR.
South Florida Memorial Healthcare System
The South Florida Memorial Healthcare System settled with the OCR in 2017 for $5.5 million after they disclosed that two employees unlawfully accessed and stole the PHI of more than 115,000 patients with the intent to sell the information. A comprehensive investigation discovered that a dozen staff members regularly misused the login credentials of former employees to gain unauthorized access to PHI between 2011 and 2021.
Touchstone Medical Imaging
In 2019, Touchstone Medical Imaging agreed to pay $3 million to the OCR to settle violations of the HIPAA Privacy and Security Rules. This settlement followed an OCR investigation into an incident that took place in 2014, in which an unencrypted laptop was stolen from one of the company’s vehicles. The laptop held PHI of over 300,000 patients.
Read our founder and CEO’s article to find out why the average cost of a data breach has reached an all-time high, and what you can do about it.
Who Issues HIPAA Violation Fines?
HIPAA violation fines are primarily issued by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). However, with the introduction of the HITECH Act of 2009, the state Attorney General also has the authority to impose additional fines. The maximum fine the Attorney General can impose is $25,000 per violation category, per calendar year, while the minimum is $100. When an organization experiences a breach that affects residents in multiple states, they may need to pay fines in those states as well.
Furthermore, in cases where a HIPAA violation is considered criminal in nature, the Department of Justice will prosecute the individuals involved.
While the Centers for Medicare and Medicaid Services (CMS) is not directly responsible for enforcing HIPAA, it does have a role in enforcing the HIPAA Administrative Simplification provisions relating to electronic health transactions and code sets, unique identifiers, and privacy and security standards for electronic PHI. The CMS also has the authority to impose civil monetary penalties for HIPAA Administrative Simplification violations, but it has not yet exercised this right, choosing to resolve violations by supplying technical aid and implementing corrective action plans instead.
Are HIPAA Breach Penalties Always Financial?
Only a small percentage of HIPAA investigations conducted by the OCR result in monetary penalties, with approximately 0.04% of cases resulting in fines. Similarly, State Attorneys General rarely issue fines for HIPAA breaches. Typically, most HIPAA breaches are addressed through voluntary compliance and technical aid.
These corrective actions often include implementing new policies and procedures meant to address the underlying issues that led to the violation in the first place. Depending on the nature of the breach, these measures may include staff training or supplying added resources to improve data security measures and address compliance gaps.
The OCR often formalizes its recommendations and requirements through a corrective action plan (CAP), which typically includes measures to ensure ongoing compliance with HIPAA regulations, such as regular monitoring or audits. However, failure to follow the CAP may result in a separate set of penalties, and entities must invest time and resources to address the violation and maintain HIPAA compliance.
Is Gmail HIPAA Compliant? Find out what healthcare organizations need to consider before using Gmail for PHI communication.
How to Avoid HIPAA Penalties
Data breaches can happen in many ways, from a lost laptop to a careless email. Investing in a zero trust security strategy is a proven way of reducing overall risk. Healthcare organizations should also consider arming themselves with hardened endpoint security, and network security.
However, determined hackers may still find a way into a network. As phishing attacks and ransomware increase in complexity, the risk of human error persists, making data breach prevention a challenge even for the most resilient systems.
A possible solution is implementing a security awareness training program for your staff. Employee onboarding must also include the basics of HIPAA compliance, such as the importance of confidentiality, and proper disposal of PHI when it's no longer needed.
Additionally, it's essential to implement procedures that guarantee that sensitive information is accessed and used only when necessary and by authorized personnel. For example, consider limiting access to PHI to a need-to-know basis, and enforcing email security best practices.
Learn how to effectively manage information security risks in your healthcare organization with our comprehensive guide on information security risk management.
In an increasingly digitized healthcare system, protecting sensitive information from unauthorized access is more important than ever.
Privacy laws are strict, and regardless of whether the intent behind a HIPAA violation is malicious or not, unauthorized access to protected health information can have serious consequences. Large fines and even imprisonment are a real possibility for those who share PHI without a valid reason, patient permission, or medical necessity.
To ensure that your organization is safe and HIPAA compliant, it's crucial to effectively monitor and safeguard all systems storing PHI. Additionally, you must provide your employees with adequate training to ensure they're aware of the legal requirements. By being proactive about HIPAA compliance, you can protect your organization from the dire consequences of HIPAA violations. Also, learn more about the key differences between HIPAA vs HITRUST, two critical frameworks that govern compliance in the healthcare industry.