HIPAA Enforcement-Breaches, Fines, and Penalties

Violating the HIPAA Rules poses a serious financial risk to the covered entity or business associate at fault. The HIPAA Enforcement Rule sets out how noncompliance is determined and how the resulting harm is assessed. It also contains the provisions that govern HHS investigations and the civil money penalties imposed for violations, and, where a covered entity or business associate contests an alleged violation, the procedure for hearings and appeals.

Enforcement of the HIPAA Rules is the responsibility of the Office for Civil Rights (OCR) within the Department of Health and Human Services (HHS). The Privacy Rule was the first to be enforced, with a compliance date of April 14, 2003 for most covered entities; OCR took over enforcement of the Security Rule (previously handled by CMS) on July 27, 2009.

OCR's functions include investigating complaints, conducting compliance reviews, and educating covered entities and business associates about their obligations. Non-monetary ways in which OCR resolves noncompliance include obtaining voluntary compliance, corrective action plans, and resolution agreements. When these mechanisms fail, civil money penalties of up to $50,000 per violation can follow. The HITECH Act of 2009 amended the enforcement provisions to allow State Attorneys General to bring civil actions for HIPAA violations affecting residents of their states.

What constitutes a breach?

A breach is the unauthorized acquisition, access, use, or disclosure of protected health information (PHI); in most cases it also amounts to a violation of the HIPAA Rules. It exposes the individuals concerned to significant financial and reputational harm and is punishable by law.

In 2014, the Office for Civil Rights received about 20,000 complaints. Many breaches can be traced to the absence of a risk analysis at firms and hospitals. This cascades into missing business associate agreements between covered entities and their associates, or outdated agreements that omit essential requirements. Without a proper risk analysis, an organization also fails to anticipate breaches that could otherwise have been prevented.

Other breaches are tied to the improper handling, storage, or disposal of PHI and tend to be the most costly. Common ways in which PHI is exposed include

  • Malware infections
  • PHI exposed by search engines
  • Unencrypted data stored in the cloud
  • Theft of computers, mobile devices, data backups containing PHI
  • Unprotected documents
  • Disclosure by employees

Fines and Penalties

As explained above, OCR prefers to resolve potential violations through non-financial measures. When a covered entity ignores the call to compliance and blatantly disregards the HIPAA Rules, a financial penalty is the remaining option. Severe breaches that expose the sensitive data of a large number of patients also warrant a fine.

Advocate Health Care paid $5.55 million in August 2016 to settle potential HIPAA violations. New York-Presbyterian Hospital and Columbia University jointly paid $4.8 million in 2014 after PHI became accessible through internet search engines. Cignet Health was assessed a $4.3 million civil money penalty in 2011 after it was found to have denied 41 patients access to their medical records, a violation of the HIPAA Privacy Rule.

The Penalty Structure

OCR sets penalties according to the culpability of the entity, based on what the covered entity knew about the violation and what steps it took afterwards. Ignorance is no excuse when it comes to compliance; it is up to the healthcare provider to understand and implement the Rules as expected.

Civil Violations

  • Category 1
    The covered entity did not know of the violation and, by exercising reasonable diligence, would not have known. Fines range from $100 to $50,000 per violation.
  • Category 2
    The violation was due to reasonable cause and not to willful neglect: the covered entity knew, or by exercising reasonable diligence would have known, of the violation. Fines range from $1,000 to $50,000 per violation.
  • Category 3
    The violation was due to willful neglect but was corrected within 30 days of the entity becoming aware of it. Fines range from $10,000 to $50,000 per violation.
  • Category 4
    The violation was due to willful neglect and was not corrected within 30 days. The fine is $50,000 per violation.

Criminal Violation

The number of employees who deliberately disclose PHI without authorization has risen. Sensitive health data fetches a significant price on the black market, and if an organization does not control the flow of this information, individuals with legitimate access can abuse it. Such individuals commit a criminal offense.

OCR refers possible criminal violations of the HIPAA Rules to the Department of Justice. As with civil violations, criminal offenses are graded in levels.

HIPAA criminal penalties fall into three tiers. Tier 1 covers knowingly obtaining or disclosing individually identifiable health information in violation of the Rules; it is punishable by up to one year in prison and a fine of up to $50,000. Tier 2 covers offenses committed under false pretenses and is punishable by up to five years in prison and/or a fine of up to $100,000. Tier 3 applies where PHI is obtained or disclosed with intent to sell, transfer, or use it for commercial advantage, personal gain, or malicious harm, such as selling it on the dark web; it carries up to ten years in prison and a fine of up to $250,000.

Failure to implement the HIPAA requirements can therefore result in hefty civil and criminal penalties that set an organization back considerably. All healthcare stakeholders must recognize that HIPAA enforcement is a serious matter in their service to the public. Ignorance is no defense; the right thing to do is to buckle up and play by the book.