HIPAA requires covered entities to provide training to staff to ensure HIPAA Rules and regulations are understood. During HIPAA training, healthcare employees should be aware of the possible penalties for HIPAA violations, but what are those penalties and what happens if you break HIPAA Rules?
What Happens if You Break HIPAA Rules?
If you break HIPAA Rules, there are four potential outcomes:
- The violation could be dealt with internally by an employer
- You could be terminated
- You could face sanctions from professional boards
- You could face criminal charges which include fines and imprisonment
What happens if you break HIPAA Rules will depend on the severity of the violation. The actions of employers, professional boards, federal regulators, and the Department of Justice will depend on several factors:
- The nature of the violation
- Whether the violator knew that HIPAA Rules were being violated, or should have known had due diligence been exercised
- Whether action was taken to correct the violation
- Whether there was malicious intent, or whether HIPAA Rules were violated for personal gain
- The harm caused by the violation(s)
- The number of people impacted by the violation
- Whether there was a violation of the criminal provision of HIPAA
Civil Penalties for HIPAA Violations
Civil penalties for HIPAA violations start at $100 per violation for any individual who violates HIPAA Rules. The fine can rise to $25,000 if there have been multiple violations of the same type. These penalties apply when the individual was aware that HIPAA Rules were being violated, or should have been aware had due diligence been exercised. If there was no willful neglect of HIPAA Rules and the violation was corrected within 30 days of the employee learning that HIPAA Rules had been violated, civil penalties will not apply.
Criminal Penalties for HIPAA Violations
The criminal penalties for HIPAA violations can be severe. The minimum fine for willful violations of HIPAA Rules is $50,000. The maximum criminal penalty for a HIPAA violation by an individual is $250,000. Restitution may also need to be paid to the victims. In addition to the financial penalty, a jail term is likely for a criminal violation of HIPAA Rules.
As with the penalties for HIPAA violations for HIPAA covered entities and business associates, there are penalty tiers.
Criminal violations that occur as a result of negligence can result in a prison term of up to 1 year. Obtaining protected health information under false pretenses carries a maximum prison term of 5 years. Knowingly violating HIPAA Rules with malicious intent or for personal gain can result in a prison term of up to 10 years. There is also a mandatory two-year jail term for aggravated identity theft.