HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

What Happens if You Violate HIPAA?

If you work in healthcare you should have a good working knowledge of HIPAA rules, exercise diligence, and ensure that HIPAA Rules are always followed, but what happens if you violate HIPAA? What are the likely repercussions for accidentally or knowingly violating HIPAA Rules?

What happens if you violate HIPAA will depend on the type of violation, its severity, the harm caused to others, and the extent to which you knew that HIPAA Rules were being violated.

Disciplinary Action and Termination

If at the time of the violation you were unaware that you had made a mistake, the violation was minor, and no harm has been caused, the violation may be dealt with internally. Verbal or written warnings may be issued and further training on HIPAA compliance would be appropriate.

For more serious violations, especially in cases where HIPAA Rules have been knowingly violated, termination is likely. The violation may be reported to licensing boards, which can place restrictions on licenses. Suspension and loss of license are possibilities.

Civil Penalties

The Department of Health and Human Services’ Office for Civil Rights – the main enforcer of HIPAA Rules – can issue civil penalties for HIPAA violations. OCR investigates complaints about potential HIPAA violations and investigates data breaches. When individuals are discovered to have violated HIPAA, civil penalties may be appropriate.

There are four tiers of civil penalties based on the level of knowledge that HIPAA Rules were being violated:

Tier 1 applies to individuals who did not know HIPAA Rules were being violated or by exercising a reasonable level of diligence would not have known about a violation of HIPAA. The minimum penalty is $100 per violation up to a maximum of $25,000 for repeat violations.

Tier 2 applies to reasonable cause, which has a minimum fine of $1,000 per violation, up to $100,000 for repeat violations.

Tier 3 applies to violations involving willful neglect of HIPAA Rules when the violation has been corrected within the required time period. The minimum fine is $10,000 per violation up to a maximum of $250,000 for repeat violations.

Tier 4 is reserved for willful neglect of HIPAA Rules with no attempt to correct the violation. The minimum penalty is $50,000 per violation up to a maximum of $1.5 million for repeat violations.

The maximum penalty, regardless of the tier, is $50,000 per violation with a cap of $1.5 million.

Criminal Penalties

The Office for Civil Rights can refer violation cases to the Department of Justice when there have potentially been criminal violations of HIPAA Rules. Criminal penalties for HIPAA violations are rare but are possible when healthcare employees have knowingly violated HIPAA Rules.

The tiers for criminal penalties are:

Tier 1 – Negligence/Reasonable cause – A fine of up to $50,000 and up to one year in prison

Tier 2 – False pretenses – A fine of up to $100,000 and up to 5 years in prison

Tier 3 – Personal gain or malicious intent – A fine of up to $250,000 and up to 10 years in prison

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.