- HIPAA Credentials
- How to Select HIPAA Training Company, Course and Certification
- Certified HIPAA Privacy Security Expert (CHPSE)
- Certified HIPAA Security Expert (CHSE)
- Certified HIPAA Privacy Expert (CHPE)
- HIPAA Overview Training – CHPA
- Maintain HIPAA Credential
- How to Select HIPAA Credential
- Benefits of HIPAA Logos
- HIPAA Certifications FAQ
- HIPAA Training
- Other Courses
- HCISPP Certification Training Course: Online, Classroom and Onsite
- Certified CyberSecurity Awareness Professional Certification Training
- Bloodborne Pathogens Training
- Texas House Bill 300 (HB 300) Training
- Continuing Education Courses for HIPAA Certification
- Data Protection Training
- Globally Harmonized System Course
- Medical Fraud, Waste and Abuse Training Course for Medicare/Medicaid
- Sexual Harassment Prevention Course for Employees Online and Instructor-Led
- HIPAA Compliance Tool
- HIPAA Compliance ToolKit
- HIPAA Security Policies Procedure Templates: Overview
- HIPAA Privacy Policy Templates
- HIPAA Security Contingency Plan/Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) Templates Suite
- HIPAA Security Risk Analysis templates
- Small Business Disaster Recovery Plan and Business Continuity Template Suite
- HIPAA Compliance FAQ
- Become a Reseller
- Other HIPAA Templates
- Hospital Disaster Recovery and Business Continuity Plan for JCAHO & HIPAA
- Enterprise Contingency Plan Template Suite
- Enterprise Contingency Plan Template Suite for Business Impact Analysis, Disaster Recovery, Risk Assessment, Business Continuity Templates
- Pandemic Disaster Plan Template Suite
- HIPAA Disaster Recovery Plan and Business Continuity Plan for Health Plan
- Business Associates Disaster Recovery and Business Continuity Plan
- Compliance Packages
- Compliance Solutions
- HIPAA Compliance ToolKit
- Contact Us
HIPAA Violations: HIPAA Fines and HIPAA Penalties for Non-Compliance
A covered entity can be fined for HIPAA violations by HIPAA enforcement agencies. HIPAA penalties can be Civil and Criminal.
HIPAA sets severe penalties for non-compliance. The penalties may be:
- Civil
- Criminal
- Financial
- Imprisonment
Under “General Penalty for Failure to Comply with Requirements and Standards” of Public Law 104-191, the Health Insurance Portability and Accountability Act of 1996, Section 1176 says that the Secretary can impose fines for non-compliance as high as $100 per offense, with a maximum of $25,000 per year on any person who violates a provision of this part.
Under “Wrongful Disclosure of Individually Identifiable Health Information,” Section 1177 states that a person who knowingly:
- uses or causes to be used a unique health identifier;
- obtains individually identifiable health information relating to an individual; or
- discloses individually identifiable health information to another person,
- shall be fined not more than $50,000, imprisoned not more than 1 year, or both:
- if the offense is committed under false pretenses, be fined not more than $100,000, imprisoned not more than 5 years, or both; and
- if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, be fined not more than $250,000, imprisoned not more than 10 years, or both.
HIPAA Complains and HIPAA Enforcement Agencies
|
PART OF ADMINISTRATIVE SIMPLIFICATION |
RESPONSIBLE FOR HIPAA ENFORCEMENT |
|
Privacy |
HHS Office for Civil Rights (OCR) |
|
Transactions and Code Sets |
Centers for Medicare & Medicaid Services (CMS) |
|
Security |
Centers for Medicare & Medicaid Services (CMS) |
|
Identifiers |
Centers for Medicare & Medicaid Services (CMS) |
HIPAA Penalties
Civil*
|
Monetary Tiers
|
Prison Time
|
Offenses
|
|
Tier A. $100 to $25,000 |
NA
|
Single violation of a provision
provided the person did not know, and by exercising reasonable diligence would not have known, the person violated HIPAA privacy and security provisions (“reasonable person” concept) |
|
Tier B $1000 to $50,000 |
NA
|
Single violation of a provision
due to reasonable cause but not willful neglect. |
|
Tier C $10,000 to |
NA
|
Single violation of a provision
due to willful neglect and timely corrected. |
|
Tier D $50,000 |
NA
|
If the violation is not
corrected timely, penalty for each violation is $50,000. |
Criminal (maximum penalties)
|
Monetary Tiers
|
Prison Time
|
Offenses
|
|
Up to |
Up to one
year |
Wrongful disclosure of individually
identify able health information. |
|
Up to |
Up to five
years |
Wrongful disclosure of individually
identify able health information committed under false pretenses. |
|
Up to |
Up to ten
years |
Wrongful disclosure of individually
identify able health information committed under false pretenses with intent to sell, transfer, or use for commercial advantage, personal gain, or malicious harm. |
|
New |
Release of PHI without
authorization Willful Neglect (effective 2/17/12) |
Enforcement by State Attorneys General
It is very important to remember that, at the discretion of the Office of Civil Rights, any of the civil penalties in Tiers A-D may be increased to $50,000 per violation and up to $1,500,000 per calendar year for the same type of violation. With the inclusion of HITECH and Omnibus, all civil tiers are capped at $1,500,000 each.
If DHHS has not already begun to take action, the attorney general may bring a civil action on behalf of such residents in a federal district court:
- To enjoin the defendant from further violations; and
- To obtain damages equal to $100 for each violation, not to exceed $25,000 for all violations of an identical requirement during a calendar year.
The court may also award the state attorneys general fees and costs.