If you work in healthcare you should have a good working knowledge of HIPAA rules, exercise diligence, and ensure that HIPAA Rules are always followed, but what happens if you violate HIPAA? What are the likely repercussions for accidentally or knowingly violating HIPAA Rules?
What happens if you violate HIPAA will depend on the type of violation, its severity, the harm caused to others, and the extent to which you knew that HIPAA Rules were being violated.
Disciplinary Action and Termination
If at the time of the violation you were unaware that you had made a mistake, the violation was minor, and no harm has been caused, the violation may be dealt with internally. Verbal or written warnings may be issued, and further training on HIPAA compliance would be appropriate.
For more serious violations, especially in cases where HIPAA Rules have been knowingly violated, termination is likely. The violation may be reported to licensing boards, which can place restrictions on licenses. Suspension or loss of a license is also a possibility.
The Department of Health and Human Services’ Office for Civil Rights – the main enforcer of HIPAA Rules – can issue civil penalties for HIPAA violations. OCR investigates complaints about potential HIPAA violations and investigates data breaches. When individuals are discovered to have violated HIPAA, civil penalties may be appropriate.
There are four tiers of civil penalties based on the level of knowledge that HIPAA Rules were being violated:
Tier 1 applies to individuals who did not know HIPAA Rules were being violated, or who, by exercising a reasonable level of diligence, would not have known about a violation of HIPAA. The minimum penalty is $100 per violation up to a maximum of $25,000 for repeat violations.
Tier 2 applies to reasonable cause, which has a minimum fine of $1,000 per violation, up to $100,000 for repeat violations.
Tier 3 applies to violations involving willful neglect of HIPAA Rules when the violation has been corrected within the required time period. The minimum fine is $10,000 per violation up to a maximum of $250,000 for repeat violations.
Tier 4 is reserved for willful neglect of HIPAA Rules with no attempt to correct the violation. The minimum penalty is $50,000 per violation up to a maximum of $1.5 million for repeat violations.
The maximum penalty, regardless of the tier, is $50,000 per violation with a cap of $1.5 million.
The Office for Civil Rights can refer violation cases to the Department of Justice when there have potentially been criminal violations of HIPAA Rules. Criminal penalties for HIPAA violations are rare but are possible when healthcare employees have knowingly violated HIPAA Rules.
The tiers for criminal penalties are:
Tier 1 – Negligence/Reasonable cause – A fine of up to $50,000 and up to one year in prison
Tier 2 – False pretenses – A fine of up to $100,000 and up to 5 years in prison
Tier 3 – Personal gain or malicious intent – A fine up to $250,000 and up to 10 years in prison