What is the Civil Penalty for Knowingly Violating HIPAA?
It is understandable when misunderstandings exist about the civil penalty for knowingly violating HIPAA due to the scope of the Health Insurance Portability and Accountability Act (HIPAA), the frequent references to other statutes, and the subsequent changes to the Administrative Simplification provisions of the Act.
If you search for the term “knowingly” in the text of HIPAA, you will find multiple references relating to defrauding health plans and embezzling money from healthcare benefit programs (i.e. Medicare), but only one relating to the wrongful disclosure of individually identifiable health information – and this section relates to criminal penalties for knowingly violating HIPAA rather than civil penalties.
However, just before this section, the Act gives the Secretary of Health & Human Services (HHS) the authority to impose financial penalties for the failure to comply with the requirements and standards of the Administrative Simplification provisions unless the person liable for the penalty “did not know and by exercising reasonable diligence would not have known” they had violated HIPAA.
This implies that any financial penalty imposed by HHS was in respect of a civil penalty for knowingly violating HIPAA; and, although it was not until 2015 that the first civil penalty for knowingly violating HIPAA was announced, once the first penalty was imposed, subsequent penalties followed quickly. To date, HHS has settled more than 100 HIPAA violation cases by imposing HIPAA violation fines.
A New Penalty Structure Introduced via HITECH
Originally, HHS only had the authority to impose a civil penalty for knowingly violating HIPAA of up to $100 per violation, with an annual maximum of $25,000 per violation type. The low penalty cap failed to act as a deterrent against HIPAA violations, and a new four-tier penalty structure with increased civil penalties was introduced via the HITECH Act in 2009.
Under the four-tier structure, civil penalties could now be imposed on covered entities who “did not know and by exercising reasonable diligence would not have known” they were violating HIPAA. Further tiers addressed HIPAA violations attributable to “reasonable cause” (where the covered entity should have known that the act or omission was a HIPAA violation) and “willful neglect”.
The “willful neglect” tier is effectively for covered entities imposed with a civil penalty for knowingly violating HIPAA as it covers violations attributable to “intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.” The amount of the penalty in this tier is dependent on whether the violation is corrected within thirty days.
Civil money penalties for violating HIPAA 2009
Since the publication of the Final Omnibus Rule in 2013, business associates have also been directly liable for their violations of HIPAA and subject to the same civil penalties as covered entities. It is important for both covered entities and business associates to be aware that HHS can impose a civil penalty for knowingly violating HIPAA even if no breach of unsecured PHI has occurred.
Factors Taken Into Account when Imposing a Civil Penalty for Knowingly Violating HIPAA
Also in the Final Omnibus Rule are the factors HHS should take into account when determining the amount of a civil penalty for violating HIPAA. These are codified under §160.408 of the Administrative Simplification provisions and include:
- The nature and extent of the violation, the number of individuals affected, and the length of time the violation was allowed to continue.
- The nature and extent of the harm resulting from the violation and whether the violation resulted in physical and/or financial harm.
- Whether the violation affected an individual's ability to obtain health care or caused harm to their reputation (i.e., financial reputation/credit score).
- The prior compliance history of the covered entity or business associate and how they have responded to previous technical assistance provided by HHS.
- The size and financial condition of the covered entity or business associate (as a substantial fine may hinder their ability to continue providing or paying for health care).
These factors – and whether the violation was corrected within 30 days – can either increase or decrease the amount of a civil penalty for knowingly violating HIPAA. Consequently, two covered entities could experience the same non-compliant event, but one might receive a lower civil penalty than the other due to their prior compliance history.
Civil Penalties Increase to Account for Inflation
In 2015, Congress passed the Federal Civil Monetary Penalties Inflation Adjustment Act Improvements Act which required federal agencies such as HHS to increase civil money penalties in line with inflation on an annual basis. Consequently, since the passage of the Act, the civil penalties for violating HIPAA have increased each year. The penalties for 2022 are:
| Penalty Tier | Level of Culpability | Minimum Penalty per Violation | Maximum Penalty per Violation | Annual Penalty Limit |
|---|---|---|---|---|
| Tier 1 | Lack of Knowledge | $127 | $63,973 | $1,919,173 |
| Tier 2 | Reasonable Cause | $1,280 | $63,973 | $1,919,173 |
| Tier 3 | Willful Neglect – Corrected | $12,794 | $63,973 | $1,919,173 |
| Tier 4 | Willful Neglect – Not Corrected within 30 days | $63,973 | $1,919,173 | $1,919,173 |
OCR Reinterprets HITECH Act Penalty Increases
While the above table shows the official maximum penalties for HIPAA violations, in 2019, the HHS examined the requirements of the HITECH Act with respect to the recommended financial penalties. After all, why should the maximum penalty for a HIPAA violation be the same in all four penalty tiers? The HHS determined that there had been a misinterpretation of the language of the HITECH Act, and set new maximum penalties for three of the four penalty tiers, only keeping the old maximum amount for the most serious tier 4 violations. OCR has not changed the penalties in the Federal Register at this point in time, as that will be addressed through further rulemaking. OCR instead issued a notice of enforcement discretion on April 26, 2019, in which it said that it will be working with the new penalty structure with a maximum annual limit of $25,000 for tier 1, $100,000 for tier 2, $250,000 for tier 3, and $1.5 million for tier 4. These figures are adjusted for inflation each year, with penalties assessed on or after March 17, 2022, using the structure in the table below. OCR may also address the discrepancy between the maximum penalty per violation and the maximum penalty per year in further rulemaking.
| Penalty Tier | Level of Culpability | Minimum Penalty per Violation | Maximum Penalty per Violation | Annual Penalty Limit |
|---|---|---|---|---|
| Tier 1 | Lack of Knowledge | $127 | $60,973 | $30,487 |
| Tier 2 | Reasonable Cause | $1,280 | $60,973 | $121,946 |
| Tier 3 | Willful Neglect | $12,794 | $60,973 | $304,865 |
| Tier 4 | Willful Neglect (not corrected within 30 days) | $60,973 | $1,919,173 | $1,919,173 |
In 2019, Congress also passed an amendment to the HITECH Act (HR 7898) which gives HHS discretion in imposing civil penalties for violations of HIPAA if the covered entity or business associate has implemented recognized security practices developed under legislation such as the NIST Act or Cybersecurity Act. This “safe harbor” applies to all tiers of HIPAA violation penalties except for the civil penalty for knowingly violating HIPAA not corrected within 30 days.
What is the Civil Penalty for Knowingly Violating HIPAA? FAQs
Why did it take so long for HHS to issue the first civil penalty?
When the Privacy and Security Rules were published, many covered entities had to make significant changes to their operations to comply with the standards and implementation specifications. During this period, HHS pursued a policy of voluntary compliance during which it offered technical assistance for covered entities who were found to have violated HIPAA.
Why have there only been 123 HIPAA violation cases settled by imposing a fine?
Although there have been more than 300,000 complaints to HHS alleging HIPAA violations, HHS still prefers to resolve cases by offering technical assistance or requiring covered entities to follow a corrective action plan. While this means the covered entities do not have to pay money directly to HHS, there are still many indirect costs involved in complying with a corrective action plan.
What are the criminal penalties for knowingly violating HIPAA?
To date, the criminal penalties for knowingly violating HIPAA have been imposed on individuals who have obtained or disclosed PHI without authorization (usually) from their covered entity employer. There are three tiers of criminal penalties for knowingly violating HIPAA depending on the means used to obtain or disclose PHI and the motive for the violation:
- Basic penalty – a fine of not more than $50,000, imprisonment for not more than 1 year, or both.
- False pretenses – if the offense is committed under false pretenses, a fine of not more than $100,000, imprisonment for not more than 5 years, or both.
- Personal gain – if the offense is committed with intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm, a fine of not more than $250,000, imprisonment for not more than 10 years, or both.
Why do some sources show the maximum civil penalty for knowingly violating HIPAA as $1.5 million?
Although HIPAA Rules only change periodically, there is a lot to keep up to date with when publishing information about HIPAA. Consequently, some articles (including several on HIPAAJournal.com) show the maximum civil penalty for knowingly violating HIPAA as $1.5 million until such time as the article is updated to reflect the latest HIPAA update or guidance.
If a business associate is not aware they have to comply with HIPAA, does this absolve them from civil penalties?
Ignorance of HIPAA is no defense against the imposition of a civil penalty or any other type of action by HHS. However, prior to disclosing PHI to a business associate, covered entities are required to conduct due diligence on the business associate to ensure the mechanisms exist for compliance with HIPAA. If a covered entity fails to conduct due diligence prior to disclosing PHI or fails to sign a Business Associate Agreement stating the permissible uses and disclosures of PHI, the covered entity may be jointly liable for any subsequent violation of HIPAA.