Whether from intentional or accidental breaches, HIPAA violations may result in costly civil and criminal penalties. So, what are the penalties for HIPAA violations, and how can they be avoided?
The Health Insurance Portability and Accountability Act (HIPAA) sets out the rules and regulations surrounding access to and disclosure of protected health information (PHI). All healthcare organizations and their business associates are subject to HIPAA guidelines.
A HIPAA violation is when a covered entity does not maintain appropriate safeguards to prevent the intentional or unintentional use or disclosure of PHI. The HIPAA Privacy Rule establishes national standards to protect individuals' PHI. This rule, along with the Security Rule, sets limits and conditions on PHI exposure without patient authorization. HIPAA safeguards patients' PHI physically, administratively, and technically.
Organizations must use layers of cybersecurity measures to maintain compliance and avoid violations. There are numerous ways that organizations could violate HIPAA, including:
Willful neglect is the worst type of violation, but even an accidental HIPAA breach can result in a penalty.
The agency tasked with enforcing HIPAA is the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). The OCR's primary responsibilities include investigating complaints, conducting compliance reviews, and enforcing penalties to ensure adherence to HIPAA. The OCR learns about violations from organizations themselves or through complaints. In either circumstance, the agency will investigate to determine the nature of the breach and subsequent actions.
The Enforcement Final Rule (2006) gave OCR the power to issue penalties to non-compliant organizations. If the OCR identifies a violation during an investigation, it can impose a range of consequences, including criminal charges. Such penalties accordingly act as deterrents while holding covered entities accountable.
A corrective action plan (CAP) aims to identify the underlying security issues within an organization that caused a breach in the first place. With this plan, healthcare organizations can adjust their cybersecurity measures to ensure such violations do not happen again. CAPs may cost a healthcare organization money, time, and work.
Depending on the nature of the violation, a CAP may focus on how a healthcare organization:
In some cases of noncompliance, the OCR may impose significant fines on the violating party. The Omnibus Rule (2013) brought financial penalties in line with the HITECH Act (2009), increasing the previous monetary penalties. Along the same lines, OCR added a fourth tier to its penalty system. Moreover, the new fines no longer applied only to healthcare providers, health plans, and healthcare clearinghouses: business associates also became liable for HIPAA violations and could be fined.
OCR bases its fines on how much knowledge a healthcare organization had of a violation. The agency adjusts the fines annually for inflation, though OCR has yet to release its update for 2023.
| Penalty tier | Level of culpability | Min. fine per violation | Max. fine per violation | Annual penalty cap |
|---|---|---|---|---|
| Tier 1 | Lack of knowledge | $127 | $31,987 | $31,987 |
| Tier 2 | Reasonable cause | $1,280 | $63,973 | $127,974 |
| Tier 3 | Willful neglect | $12,794 | $63,973 | $319,865 |
| Tier 4 | Willful neglect (not corrected within 30 days) | $63,973 | $63,973 | $1,919,173 |
State Attorneys General can impose additional fines on top of those given by OCR. These fines range from $100 (per affected resident) to $25,000 per violation (per affected resident).
The Enforcement Final Rule also gave OCR the power to bring criminal charges against certain offenders. Such criminal violations are typically committed knowingly. For example, a criminal complaint may result from PHI theft for financial gain, from PHI disclosure with intent to cause harm, or from failure to implement a CAP within the time allotted.
| Penalty tier | Level of culpability | Potential jail term |
|---|---|---|
| Tier 1 | Reasonable cause or no knowledge of the violation | Up to one year |
| Tier 2 | Obtaining PHI under false pretenses | Up to five years |
| Tier 3 | Obtaining PHI for personal gain or malicious intent | Up to 10 years |
In extreme cases, OCR refers violations to the U.S. Department of Justice for prosecution. Criminal violations can also include monetary penalties of up to $250,000.
Over the past few years, HHS and OCR have become more active in investigating and fining HIPAA violations, particularly under the Right of Access initiative, which aims to give patients more control over accessing their PHI.
OCR is expected to continue its aggressive approach to PHI access and to enforcing HIPAA in 2023. In fact, the OCR recently created a new Enforcement Division to handle investigations and compliance issues more swiftly. Other changes expected shortly are intended to ensure individuals remain protected and in control of their medical records under federal law, including incentives for individuals who report HIPAA violations.
Healthcare organizations can avoid penalties by focusing on compliance through up-to-date policies and procedures, employee awareness training, and cybersecurity measures. Avoiding a HIPAA violation means actively and continuously finding the right combination of security features to safeguard patients and ultimately focus on patient care.
A proactive approach reduces the likelihood of OCR enforcement actions, ensuring the protection of patients' PHI. Providers must actively monitor and strategize for blocking and fixing security risks. Having a plan in place can keep a healthcare organization from incurring penalties, whether a breach is intentional or accidental.
Even if compliant, an organization may be audited by the OCR after a breach, which is why documenting compliance is vital. OCR prefers to resolve violations by issuing technical guidance or accepting an organization's plan to prevent future violations.
Generally, the OCR seeks to resolve most violations through voluntary compliance.
Finally, providers must be diligent in understanding all HIPAA provisions. This means utilizing a correct mix of cybersecurity measures and staying on top of changes and amendments.
Healthcare entities must be on the lookout for updates to ensure they always remain compliant. Proactively pursuing HIPAA compliance is far less expensive than spending millions of dollars on fines and CAPs, or facing time in jail.