Violations of the Health Insurance Portability and Accountability Act could lead to a multitude of severe punishments.
At a minimum, a violation can lead to fines. Worst case? Violators could face imprisonment.
When it comes to enforcing this regulation and investigating compliance with it, the Department of Health and Human Services (HHS) of the Office for Civil Rights (OCR) is responsible.
The OCR is the primary federal department responsible for investigating and resolving breaches of HIPAA. It enforces the HIPAA Privacy Rule, Security Rule and Breach Notification Rule by investigating any complaint filed with the organization. It also conducts audits to determine if a covered entity is abiding by HIPAA’s safeguards.
When a breach occurs, the OCR reviews the information provided by the “delinquent” organization and conducts its own investigation. This investigation can lead to a variety of results.
If the OCR determines that a covered entity didn’t violate the HIPAA Privacy Rule or Security Rule, nothing happens.
If they determine that there wasn’t compliance with HIPAA, the OCR will attempt to resolve the situation in one of three ways (via AMA)…
Voluntary compliance
Corrective action
Resolution agreement
Depending on the circumstances and the severity of a breach, a covered entity or individual could face civil and/or criminal penalties. If deemed criminal, the OCR may forward a case to the Department of Justice (DOJ) for investigation.
If the OCR determines that your organization violated HIPAA, how much of a fine could you anticipate? It depends.
The truth is that both civil and criminal penalties may involve monetary fines. Depending on the level of the breach, the monetary fines vary. Let’s break these down.
Table of Contents
HIPAA Fine Origins
Before going over the different dollar amounts associated with each tier, it’s important to understand the history behind how they came into existence.
In order to understand that, we need to rewind the clock all the way back to 2009 when President Obama signed the HIPAA HITECH Act into law. More specifically, the HITECH Act existed as a part of the American Recovery and Reinvestment Act of 2009 (ARRA).
Section 13410 of ARRA spelled out and aligned fines associated with HIPAA violations based on culpability.
Since then, the categories of violations associated with fines haven’t changed…
Tier 1: Lack of Knowledge
Tier 2: Reasonable Cause
Tier 3: Willful Neglect, Corrected in 30 Days
Tier 4: Willful Neglect, Not Correct in 30 Days
What has changed, though, is the monetary value associated with each fine (more on that later).
In May of 2019, the HHS released the document 45 CFR Part 160. At the time, this document’s release was a big deal. It changed the annual limit associated with each tier of penalty.
Prior to that adjustment, the annual limit associated with each tier was $1.5 million. 45 CFR Part 160 aligned the annual limits to better match the increasing levels of culpability…
Tier 1: Capped at $25,000 per year
Tier 2: Capped at $100,000 per year
Tier 3: Capped at $250,000 per year
Tier 4: Capped at $1.5 million per year
It’s also important to understand that the fines associated with each tier aren’t stagnant. To explain this point we have to look even further back in the past with the signing of The Federal Civil Penalties Inflation Adjustment Act of 1990.
In a nutshell, the Act required government agencies to adjust monetary penalties according to inflation. By 1996 the Act received an amendment detailed in the Debt Collection Improvement Act of 1996 (DCIA).
The amendment brought forth by DCIA required that the inflation adjustment to monetary fines occurred at least once every 4 years.
The next major amendment to the Federal Civil Penalties Inflation Adjustment Act didn’t happen until 2015.
The 2015 amendment required inflation adjustments for fines to happen on an annual basis, based on requirements laid out in U.S.C 553.
So where does that put us today?
On March 17, 2022, the Federal Register Vol. 87, No. 52 detailed the latest changes to HIPAA violation fines according to a calculated inflation rate.
The multiplier associated with this round of fine increases was 1.06222 percent.
HIPAA Civil Penalties
Noncompliance can lead to a variety of scenarios within the realm of civil penalties. The degree of punishment hinges on three factors. The level of…
Preventability
Neglect
Actions taken to correct the situation promptly
When it comes to civil penalties, the resolution agreement will often involve fines.
What does a civil fine for a HIPAA violation entail?
Depending on the cooperation of the covered entity and the severity of the breach, the size of the fine will differ. Each of the four levels of civil penalties has a minimum and maximum monetary fine associated with the tier.
Civil Tier 1: Lack of Knowledge
If an incident falls into a tier-one HIPAA civil violation, it needs to meet the definition of unknowingly breaching HIPAA. A tier one violation is one where a covered entity or business associate was unaware of the breach and could not have realistically avoided the incident. Because the covered entity could not avoid this kind of breach, the OCR may use its discretion and waive a financial penalty.
Additionally, the HHS must deem that the covered entity took a reasonable amount of care to abide by HIPAA Rules.
This could mean that the covered entity regularly trains its employees about the various HIPAA rules, including the Privacy Rule, the Security Rule, the Omnibus Rule, the HITECH Act, and other related topics.
It could also mean that the covered entity had safeguards in place to prevent breaches from occurring. Proving these safeguards exist would show that the covered entity took care to abide by the HIPAA regulations.
So, what is the fine for this kind of HIPAA violation?
According to the original version of the HITECH Act, a covered entity could receive a minimum fine of $100 at the minimum and $50,000 at the maximum per violation. The cap for penalties in a single calendar year is $50,000.
As I alluded to earlier, the value of a dollar in 1996 is not the value of a dollar today.
In today’s economy, a covered entity can receive a minimum fine of $127 for a tier-one penalty. On the other hand, it can receive a maximum fine of $63,973 per violation.
Civil Tier 2: Reasonable Cause
A tier two violation is often called the “reasonable cause penalty”. In this type of violation, a covered entity or business associate should’ve known of the breach when it happened. However, even if the entity took a reasonable amount of care, it couldn’t have avoided the breach.
What does this mean?
This means that despite the violator's best efforts, the breach was bound to happen. The organization at fault educated and trained its employees rigorously and there were safeguards and checks in place to ensure compliance. Despite this reasonable amount of care, the breach STILL occurred.
Tier two doesn’t fall into the category of willful neglect.
So, what is the fine for this kind of HIPAA violation?
According to the original HITECH Act, a tier two violation led to a minimum fine of $1,000 per violation. The maximum amount per violation was $50,000. The cap for penalties in a single calendar year was $100,000
After the recent inflation adjustment, the minimum penalty is $1,280 per violation. The maximum penalty per violation is $63,976. The penalty cap for a calendar year is $1,919,173 in 2022 dollars.
Civil Tier 3: Willful Neglect, Corrected in 30 Days
After tiers 1 and 2 the violation fines we start getting into willful neglect.
Tier 3 happens when an organization willfully neglects HIPAA’s rules. In other words, the entity didn’t train employees regularly and didn’t have the proper checks and policies to prevent breaches.
What separates tier-three from the last tier is the cleanup. If an entity attempts to correct the violation within the required time period (30 days), the HHS will classify the breach as a tier-three violation.
So, what is the fine for this kind of HIPAA violation?
Willfully neglecting HIPAA laws and regulations increases the fines tenfold. The minimum penalty per violation according to the original HITECH act was $10,000. This was ten times the minimum for a tier two violation. The maximum penalty per violation was still $50,000, though. The cap for fines issued to a covered entity within a single calendar year was $250,000.
When adjusted for over a decade’s worth of inflation, the minimum penalty is $12,794 per violation in today’s economy. The maximum penalty per violation is $63,973. The adjusted cap for the calendar year is $1,919,173.
Civil Tier 4: Willful Neglect, Not Correct in 30 Days
Naturally, tier 4 is the most severe HIPAA civil violation tier. Tier four involves willfully neglecting HIPAA rules and regulations. An organization landing in this tier means that it didn’t attempt to correct the violation within 30 days of the breach.
The minimum fine per violation for a tier four breach was $50,000 in 1996 dollars.
When adjusted for inflation, the minimum penalty per violation in today’s currency is $63,973. The maximum per violation is $1,919,173, which is also the cap for the fines issued within a calendar year.
HIPAA Criminal Penalties
If the OCR determines that a HIPAA violation falls into the realm of criminal actions, the DOJ will take over the case.
There are three different levels of severity, each with its own monetary fines.
These criminal penalties can apply to anyone who criminally violates HIPAA. This includes directors, employees, or officers for a covered entity.
It also doesn’t matter the type of covered entity involved in the criminal breach. Health plans, healthcare clearinghouses, health care providers who transmit electronic claims, and Medicare prescription drug card sponsors are all liable.
If the DOJ determines that you criminally violated HIPAA, what the are fines and penalties associated with it?
Ultimately, a judge decides the length of imprisonment and the fine imposed. The more severe the situation, the larger a fine the judge can award. However, there are some limitations set for the maximum sentencing. Below are the regulations.
Criminal Tier 1: Reasonable Cause
This first tier of criminal penalties for HIPAA violations deal with what’s called “Reasonable Cause”.
You can find what “Reasonable Cause” means under the definitions within the Administrative Simplification Regulations.
To be more specific, perhaps someone pretended to be a patient’s family member. The patient authorized the disclosure of their protected health information, or PHI, to that family member. However, the imposter wanted the information for other reasons. Although an unfortunate event, the healthcare worker who disclosed the sensitive information is at fault. Furthermore, they could’ve figured out that the fake family member was a fraudster with probing questions.
So, what is the fine for this kind of HIPAA violation?
If convicted, someone could receive a multitude of punishments, some of which include monetary fines. A judge has discretion when sentencing someone for a tier-one criminal breach. A judge can impose a monetary fine of up to $50,000 and/or an imprisonment sentence of no longer than one year.
Criminal Tier 2: False Pretenses
A tier two criminal HIPAA violation involves false pretenses. To classify as a tier two criminal penalty, someone either lied or deceived to access PHI.
For example, an employee could snoop on the medical records of family members who come for treatment. An employee cannot have access to files unrelated to their patients. What’s more, HIPAA forbids the sharing of PHI. This includes sharing the information with a coworker, a family member, or on social media.
If we were to refer back to the example referenced in the criminal tier 1 section earlier, the fraudster would fall into this category.
Just like tier one, tier two penalties have two components: financial penalties and imprisonment.
Someone who wrongfully disclosed individually identifiable health information can receive a fine of up to $100,000, a sentence of up to 5 years, or both. It’s up to a judge to decide how many years someone goes to jail and the size of the fine.
Criminal Tier 3: Malicious Intent
The wrongful disclosure of individually identifiable health information under false pretenses with the intent to sell, or transfer, is a tier three violation.
A breach committed with the intent to gain commercial advantage, personal gain, or produce malicious damage is also a level three violation.
This is the most severe form of a criminal HIPAA violation.
Malicious intent can constitute a variety of illegal activities involving personally identifiable information. Some people are guilty of stealing social security numbers to steal the identities of patients. Other people sell PHI on the dark web for personal profit. Perhaps someone illegally accessed a celebrity’s medical records as a means to blackmail them.
These severe punishments can include a fine of up to $250,000 and an imprisonment sentence of up to ten years.
Conclusion
By now, you should have a better understanding of determining the fines associated with HIPAA violations.
It’s worth mentioning that most HIPAA violations are unintentional by nature. However, there are criminals in this space that deliberately violate HIPAA’s safeguards, resulting in more severe consequences.
A violation can be as simple as disclosing too much PHI in a conversation, as defined by the Minimum Necessary Standard. And disclosing more than what’s necessary could create a HIPAA violation, resulting in fines outlined in the civil penalty section above.
Many HIPAA violations occur because of employee error and negligence. Some companies simply fail to perform an organization-wide risk assessment and improve their cybersecurity. Most violations involve financial penalties but some in the criminal sector can also deal with imprisonment.