HIPAA Penalties and Enforcement
Understanding HIPAA penalties and enforcement helps organizations appreciate the importance of compliance and the real consequences of violations. This guide explains the enforcement framework, penalty tiers, and what happens when violations occur.
For technology companies operating as business associates, knowing the enforcement landscape helps justify compliance investments and understand your exposure.
Key Takeaways
| Aspect | Details |
|---|---|
| Enforcement agency | HHS Office for Civil Rights (OCR) |
| Penalty range | $100 to $50,000 per violation in statute (higher after inflation adjustment); capped per violation category per year at $1.5 million statutory, over $2 million after inflation adjustment |
| Criminal penalties | Up to $250,000 and 10 years imprisonment |
| State enforcement | State AGs can also enforce |
| Business associates | Directly liable since 2013 |
Quick Answer: HIPAA violations can result in civil penalties of $100 to $50,000 per violation in statute (more after annual inflation adjustment), capped at $1.5 million per violation category per calendar year (over $2 million after inflation adjustment), plus potential criminal penalties for knowing violations. The HHS Office for Civil Rights enforces HIPAA and has increasingly targeted business associates. Most enforcement begins with breach reports and complaints.
HIPAA Enforcement Framework
Who Enforces HIPAA?
HHS Office for Civil Rights (OCR)
- Primary enforcement agency for Privacy and Security Rules
- Investigates complaints and breach reports
- Conducts compliance reviews
- Issues guidance and rules
Department of Justice (DOJ)
- Handles criminal HIPAA violations
- Prosecutes willful violations
- Works with HHS on referrals
State Attorneys General
- Can bring civil actions under HIPAA
- May pursue state privacy law violations
- Increasingly active in health data enforcement
What Triggers Enforcement?
| Trigger | Description |
|---|---|
| Breach reports | Breaches affecting 500+ individuals must be reported to OCR within 60 days of discovery and routinely open an investigation; smaller breaches are logged and reported annually and may also be investigated |
| Complaints | Individuals can file complaints with OCR |
| Compliance reviews | OCR conducts proactive audits |
| Referrals | Other agencies refer potential violations |
| Media reports | High-profile incidents may prompt investigation |
Civil Penalty Tiers
HIPAA establishes four tiers of civil penalties based on the level of culpability:
Tier 1: Did Not Know
Penalty: $100 - $50,000 per violation
The covered entity or business associate did not know and, by exercising reasonable diligence, would not have known of the violation.
Example: A vendor's security flaw allowed unauthorized access, and you had no reasonable way to detect it.
Tier 2: Reasonable Cause
Penalty: $1,000 - $50,000 per violation
The violation was due to reasonable cause and not willful neglect.
Example: A misconfiguration occurred despite having policies and training, but it wasn't caught due to oversight.
Tier 3: Willful Neglect - Corrected
Penalty: $10,000 - $50,000 per violation
The violation was due to willful neglect but was corrected within 30 days of the date the entity knew, or by exercising reasonable diligence would have known, of the violation.
Example: You knew you needed encryption but hadn't implemented it. After a breach, you implemented it within 30 days.
Tier 4: Willful Neglect - Not Corrected
Penalty: $50,000+ per violation
The violation was due to willful neglect and was not corrected within 30 days of the date the entity knew, or should have known, of the violation.
Example: You knew about a security gap, were told to fix it, and didn't. A breach occurred and you still didn't fix it.
Annual Caps
| Tier | Per Violation | Annual Cap |
|---|---|---|
| Tier 1 | $100 - $50,000 | $25,000 |
| Tier 2 | $1,000 - $50,000 | $100,000 |
| Tier 3 | $10,000 - $50,000 | $250,000 |
| Tier 4 | $50,000+ | $1,500,000+ |
Note: The annual caps for Tiers 1-3 reflect OCR's April 2019 Notice of Enforcement Discretion; the HITECH statute itself sets a $1.5 million cap for every tier. Each cap applies per identical provision violated per calendar year, and OCR typically counts each day an ongoing deficiency persists (or each affected individual) as a separate violation, so penalties spanning several provisions can far exceed a single cap.
Recent Penalty Adjustments
HHS adjusts penalty amounts for inflation each year (45 CFR 102.3). The October 2023 adjustment set:
- Maximum penalty per violation (all tiers): $68,928
- Annual cap for Tier 4: $2,067,813
The August 2024 adjustment raised these to $71,162 and $2,134,831, and each later adjustment raises them further. Check the current HHS penalty schedule (see Sources) for exact figures.
Criminal Penalties
Criminal penalties apply when HIPAA violations are committed knowingly:
| Offense | Fine | Imprisonment |
|---|---|---|
| Knowingly obtaining or disclosing PHI | Up to $50,000 | Up to 1 year |
| Offenses under false pretenses | Up to $100,000 | Up to 5 years |
| Offenses with intent to sell or cause harm | Up to $250,000 | Up to 10 years |
Criminal penalties typically target individuals, not organizations. They're reserved for intentional violations involving theft, fraud, or malicious disclosure.
Business Associate Liability
Direct Enforcement
Under the HITECH Act, as implemented by the 2013 HIPAA Omnibus Rule, business associates are directly liable for:
- Security Rule violations
- Certain Privacy Rule violations
- Breach Notification Rule violations
This means: OCR can investigate and penalize business associates directly, not just through the covered entity.
Business Associate Enforcement Actions
OCR has increasingly targeted business associates. Notable cases include:
| Year | Entity Type | Violation | Penalty |
|---|---|---|---|
| 2020 | IT Services | Security failures, breach | $2.3 million |
| 2019 | EHR Vendor | Access controls, encryption | $850,000 |
| 2019 | Software Company | Lack of BAA, security | $500,000 |
| 2018 | Medical Records | Improper disposal | $100,000 |
What Investigators Look For
When OCR investigates a business associate, they examine:
- Risk assessment: Was one conducted? Was it adequate?
- Policies and procedures: Do they exist? Are they followed?
- Technical safeguards: Encryption, access controls, audit logs
- Training: Were workforce members trained?
- BAAs: Are agreements in place with subcontractors?
- Incident response: How was the incident handled?
- Corrective action: What steps were taken after discovery?
Factors Affecting Penalty Amounts
OCR considers multiple factors when determining penalties:
Aggravating Factors (Higher Penalties)
- Prior HIPAA violations
- Financial benefit from violation
- Harm to individuals
- Number of individuals affected
- Length of time violation persisted
- Lack of good faith effort to comply
- Obstruction of investigation
- Willful neglect
Mitigating Factors (Lower Penalties)
- No prior violations
- Cooperative investigation behavior
- Quick corrective action
- Good faith compliance efforts
- Strong compliance program pre-violation
- Voluntary disclosure
- Small organization with limited resources
The Enforcement Process
Step 1: Trigger
Enforcement begins with:
- Breach report (all breaches must be reported; those affecting 500+ individuals within 60 days of discovery, smaller ones annually)
- Complaint from individual or entity
- Compliance review selection
- Referral from another agency
Step 2: Investigation
OCR requests:
- Written response to allegations
- Policies and procedures
- Technical documentation
- Training records
- Breach investigation documentation
- Corrective actions taken
Step 3: Findings
OCR determines:
- Whether violation occurred
- Which rules were violated
- Level of culpability
- Extent of harm
Step 4: Resolution
Resolution options:
Technical assistance: For minor issues, guidance on correcting problems.
Resolution agreement: Agreement to take corrective actions, possibly with monitoring.
Civil money penalty: Formal penalty issued after hearing opportunity.
Step 5: Corrective Action
Most enforcement results in corrective action plans requiring:
- Policy and procedure updates
- Training
- Technical remediation
- Monitoring period (1-3 years)
- Regular reporting to OCR
Notable Enforcement Cases
Large Health System - $4.75 Million (2024)
Violation: Multiple Security Rule failures
Details: Risk analysis failures, lack of encryption, insufficient access controls
Lesson: Comprehensive risk assessment and ongoing compliance required
Business Associate - $2.3 Million (2020)
Violation: Security failures leading to breach
Details: BA suffered breach affecting 6+ million individuals; inadequate security measures
Lesson: Business associates face direct enforcement for security failures
Small Provider - $100,000 (2019)
Violation: Failure to provide patient access
Details: Repeated failures to provide records to patient despite requests
Lesson: Patient rights violations enforced regardless of organization size
Software Vendor - $500,000 (2019)
Violation: Operating without BAA, security failures
Details: Software vendor handling PHI without signed BAAs, inadequate security
Lesson: BAAs are mandatory; vendors cannot operate without them
State Enforcement
State Attorney General Authority
State AGs can bring civil actions for HIPAA violations affecting state residents:
- May seek injunctive relief
- May seek damages on behalf of residents
- Statutory damages of up to $100 per violation, capped at $25,000 per calendar year for violations of an identical requirement or prohibition
State Privacy Laws
Many states have additional health privacy laws:
- California (Confidentiality of Medical Information Act; CCPA/CPRA for health data outside HIPAA's scope)
- New York (SHIELD Act)
- Texas (HB 300)
- Others with breach notification requirements
State penalties can stack with federal HIPAA penalties.
Reducing Enforcement Risk
Proactive Compliance
Risk assessment: Conduct thorough, documented risk assessments regularly.
Policies and procedures: Develop, implement, and follow comprehensive policies.
Training: Train all workforce members and document completion.
Technical safeguards: Implement encryption, access controls, audit logs.
Vendor management: Ensure BAAs with all vendors, assess their security.
Incident Response
Quick detection: Monitor for and quickly detect security incidents.
Thorough investigation: Conduct complete breach assessment.
Timely notification: Meet notification deadlines.
Corrective action: Fix issues promptly and document actions.
Cooperation: Cooperate fully with any OCR investigation.
Documentation
Maintain records: HIPAA requires policies, procedures, and other required documentation to be retained for six years from creation or last effective date, whichever is later.
Demonstrate compliance: Be able to show evidence of compliance efforts.
Track decisions: Document risk acceptance and security decisions.
What to Do If Investigated
Immediate Steps
- Designate point of contact: Single person to coordinate response
- Engage legal counsel: HIPAA-experienced attorney
- Preserve evidence: Do not alter or destroy relevant records
- Assess scope: Understand what's being investigated
During Investigation
- Respond timely: Meet all OCR deadlines
- Be thorough: Provide complete, accurate information
- Be cooperative: Don't obstruct or be evasive
- Document everything: Keep records of all communications
Negotiation
- Understand options: Resolution agreement vs. hearing
- Propose corrective actions: Show willingness to improve
- Negotiate reasonably: Work toward acceptable resolution
- Implement promptly: Execute agreed corrective actions
Insurance Considerations
Cyber Insurance
Most cyber insurance policies cover:
- Breach response costs
- Notification expenses
- Credit monitoring
- Legal fees
- Some regulatory fines (check policy carefully)
Important: Some policies exclude regulatory fines or have sublimits. Review coverage carefully.
Directors and Officers (D&O)
May cover:
- Defense costs for executives
- Personal liability for officers
- Some regulatory proceedings
How Bastion Helps
Bastion helps technology companies minimize enforcement risk:
- Risk assessment: Conduct thorough assessments to identify and address gaps
- Compliance program: Build comprehensive compliance programs
- Breach response: Incident response planning and support
- Investigation support: Guidance if enforcement action occurs
- Ongoing compliance: Maintain compliance to reduce violation risk
Ready to strengthen your HIPAA compliance? Talk to our team
Sources
- HHS Enforcement - Official enforcement information
- OCR Enforcement Highlights - Enforcement statistics and highlights
- Resolution Agreements - Public resolution agreements
- Penalty Amounts - Current penalty schedules
