The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 to protect workers and their families by limiting the ability of a new employer's health plan to exclude coverage for preexisting conditions, banning discrimination against employees and their dependent family members based on any preexisting condition, and giving individuals who lose their coverage new rights to enroll in a group health plan.

HIPAA also protects patients’ paper and electronically stored medical information through the Privacy Rule and the Security Rule, which were implemented by the U.S. Department of Health and Human Services (HHS).

HIPAA Violation Enforcement

The HHS Office for Civil Rights (OCR) is the HIPAA enforcement agency that investigates complaints filed regarding HIPAA violations. If the OCR finds that a HIPAA violation has taken place, it determines the amount of each penalty based on the American Recovery and Reinvestment Act of 2009.

Types of HIPAA Violation Fines

The amount of each civil penalty depends on the extent of harm that results from the violation. It may also depend on whether the violation occurred unknowingly or through willful neglect, and on whether it was corrected in a timely manner. To avoid any civil penalty, a violation that does not involve willful neglect should be corrected within 30 days of notice from the OCR. Here are some examples of how the fines differ:

  • First-time violation, unknowingly committed. This type of fine could be anywhere from $100 to $50,000.

  • Violation caused by willful negligence but corrected within 30 days. This type of fine could start at $10,000 and reach a maximum of $50,000.

  • Violation caused by willful negligence and never corrected. This type of fine is the most costly and starts at $50,000.

Can There Be Any Criminal Violations?

It is important to note that a Privacy Rule violation can carry serious criminal consequences for a covered entity. The Privacy Rule protects patient health information from disclosure, and if someone deliberately discloses such information, it may lead to prosecution by the Department of Justice. The penalty is a $50,000 fine and up to one year in jail.

More importantly, if such private information is transferred or sold, the penalties can rise to imprisonment for up to 10 years and fines as high as $250,000.

To avoid such high financial and personal penalties, HIPAA compliance is crucial. Healthcare professionals, insurance adjusters, and other covered entities should do whatever they can to avoid falling out of compliance.