
HIPAA Violation Penalties and Fines by Tiers (Civil & Criminal)


Summary: Health Insurance Portability and Accountability Act (HIPAA) regulations are extensive and complex. But non-compliance can cost organizations big—with some HIPAA violation fines adding up to millions of dollars. This article breaks down the different HIPAA penalties—including civil and criminal penalties—and the maximum penalties for HIPAA violations. Find out who is liable under HIPAA, what the most common HIPAA violations are, and how to ensure compliance and prevent HIPAA violations in your own organization.  

What Are the Penalties for HIPAA Violations? 

HIPAA violation fines and penalties result from failing to comply with HIPAA rules. Depending on the type and severity of the violation, they can be civil or criminal. Civil fines for HIPAA violations range between minimum and maximum amounts per violation and have a calendar-year cap of $2,067,813 for multiple violations of an identical HIPAA provision.

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) enforces HIPAA through regular audits and through investigations opened after a complaint or breach. Since the Enforcement Final Rule of 2006, OCR can issue financial penalties and impose corrective action plans and resolution agreements to ensure the covered entity achieves HIPAA compliance. State attorneys general can also issue HIPAA violation fines and penalties.

OCR typically prefers to resolve violations through non-punitive measures, such as voluntary compliance and corrective action plans. However, when HIPAA violation fines are necessary, OCR follows a tiered penalty structure to assess the severity of the violation and issue a proportional penalty.

Who is liable?

Any person or entity that handles protected health information (PHI) must comply with HIPAA rules, including:

  • Health plans
  • Health care clearinghouses
  • Health care providers 
  • Medicare prescription drug card sponsors
  • Business associates (individuals or entities that handle PHI)   

HIPAA violations by the numbers

Take a look at the following numbers related to HIPAA violations, as reported by HHS.

  • OCR has received over 358,975 HIPAA complaints and has initiated over 1,188 compliance reviews since the Privacy Rule was implemented in April 2003.

  • In the over 30,839 cases OCR has resolved, OCR required changes in privacy practices and corrective actions by, or provided technical assistance to, HIPAA-covered entities and their business associates.
     
  • As of April 2022, OCR settled or imposed a civil money penalty in 145 cases, totaling $142,663,772.00.

  • 63,096 cases did not require investigation because OCR intervened early and provided technical assistance to HIPAA-covered entities to achieve compliance.

  • 246,929 complaints did not present an eligible case for enforcement.

  • In 15,211 cases, OCR investigations found no violation had occurred.

HIPAA Violation Penalty Tiers  

So what are the consequences of violating HIPAA? They depend on the type and severity of the violation. The two types of violations are civil and criminal. Each category has graded tiers to determine penalties for HIPAA violations. 

Civil penalties

OCR assesses a case and the covered entity’s liability based on four tiers of increasing culpability. Each tier has minimum and maximum penalty amounts and an annual cap on penalties for multiple violations of the same provision. The following list of HIPAA fines is based on the most recent numbers released in January 2024 and is adjusted for inflation.

Tier 1: Lack of knowledge

The covered entity or business associate was unaware of and, through due diligence, could not have known the HIPAA rule was violated. 

  • Minimum penalty (per violation): $137
  • Maximum penalty (per violation): $68,928
  • Calendar-year cap: $2,067,813

Tier 2: Reasonable cause and not willful neglect

The covered entity knew or should have known through due diligence that its action (or omission) violated HIPAA, but the violation was not caused by willful neglect. 

  • Minimum penalty (per violation): $1,379
  • Maximum penalty (per violation): $68,928
  • Calendar-year cap: $2,067,813

Tier 3: Willful neglect, corrected within 30 days

The violation was caused by willful neglect, but the covered entity took corrective action within 30 days. 

  • Minimum penalty (per violation): $13,785
  • Maximum penalty (per violation): $68,928
  • Calendar-year cap: $2,067,813

Tier 4: Willful neglect, not corrected within 30 days

The violation of HIPAA rules constituted willful neglect, and the entity made no attempt to correct the violation within 30 days.

  • Minimum penalty (per violation): $68,928
  • Maximum penalty (per violation): $2,067,813
  • Calendar-year cap: $2,067,813

Criminal penalties

Employers usually receive civil penalties for violations committed by their employees who work in health care. But not always. If healthcare professionals knowingly misuse or unlawfully obtain PHI, they are held criminally liable. 

The Department of Justice (DOJ), not the OCR, handles criminal penalties for HIPAA violations. Criminal penalties can range from fines to jail time depending on severity. A judge determines the penalties based on three categories of criminal violations. 

Tier 1: Wrongful disclosure of PHI

This tier is the lowest-level violation. It covers cases of reasonable cause, in which the individual should have known better, and lack of knowledge, where the individual didn’t know they violated a rule. The DOJ doesn’t acknowledge ignorance of HIPAA regulations as an excuse for violating HIPAA rules because all covered entities are responsible for compliance.

Maximum penalty: Up to $50,000, up to one year in prison, or both.

Tier 2: Wrongful disclosure of PHI under false pretenses

This tier includes obtaining PHI under false pretenses or disclosing it without permission. For example, a hospital employee cannot access the records of patients who aren’t under their care.

Maximum penalty: Up to $100,000, up to five years of prison time, or both.

Tier 3: Wrongful disclosure of PHI under false pretenses with malicious intent

The most severe violation is when the individual who commits the crime wrongfully obtains PHI with the intent to sell, transfer, or use the data for personal gain, commercial advantage, or malicious harm. 

Maximum penalty: Up to $250,000, up to ten years of prison time, or both.

Most Common HIPAA Violations

Financial penalties most commonly result from the following HIPAA violations:

  • Failure to perform an organization-wide risk analysis 
  • Failure to enter into a HIPAA-compliant business associate agreement 
  • Wrongful disclosures of PHI 
  • Delayed breach notifications 
  • Failure to safeguard PHI

HIPAA compliance is based mostly on properly securing private data, especially with cyber attacks at an all-time high. Health care organizations, in particular, have massive amounts of data, making them a target for many bad actors. While a breach can reveal HIPAA violations, it’s not considered a violation on its own. 

As a goal, compliance reduces the risk of a breach to acceptable levels through due diligence. OCR assesses the nature of a breach and investigates possible weaknesses from noncompliance. 

Learn more about the most common HIPAA violations.

Types of HIPAA Violations 

HIPAA violations come in an array of types. Let’s take a look at a few of the main ones. 

Intentional versus accidental

Not all violations are intentional. Even otherwise-compliant organizations make mistakes, such as accidentally disclosing PHI to the wrong person or persons. In this case, the person or persons who discover the violation must report it to the organization’s privacy officer. The privacy officer then evaluates the situation to determine the scope of the breach and critical actions to reduce risk and prevent future harm. 

Depending on the nature of the violation, the organization might be required to report it to OCR. Failure to report a violation can result in penalties. 

When assessing the violation, OCR determines the severity based on the tier system. The civil penalty for unknowingly violating HIPAA falls under Tier 1. But accidental disclosures can fall under other tiers depending on the situation. 

Accidental violations include:

  • A health care employee accidentally viewing the records of a patient. For example, they intended to pull the file for another patient and opened the wrong record. 
  • An employee sends a fax or email containing PHI to the wrong recipient. 
  • A staff member discusses treatment plans with a patient in a waiting room or in front of other people without the patient’s permission.
  • Computer monitors are angled so that unauthorized individuals might see PHI. 

Knowledge of HIPAA guidelines

Some violations occur with knowledge of breaking HIPAA guidelines. These violations range in severity, depending on the intent of the individual or entity. Common examples of this type of violation include:

  • Gossiping about a patient’s PHI outside the organization or with unauthorized individuals.
  • Accessing a patient’s records without permission, such as looking up a family member’s records. 
  • Accessing PHI with intent to sell it for profit or personal gain.

A recent case that was resolved in 2021 involved Jennifer Lynne Bacor, a patient care technician at a Cedar Rapids hospital. She used her login credentials to access her ex-boyfriend’s PHI multiple times—even though he wasn’t one of her patients—after he was treated at the hospital on various occasions. Upon accessing his information, Bacor took a picture of a medical photograph that she then shared with a third party. The third party shared the photo with the ex-boyfriend and others in a Facebook message along with “taunting language and emojis.” 

Bacor was sentenced to five years of probation and fined $1,000 as punishment for violating HIPAA and “weaponizing” her ex-boyfriend’s private medical information. Bacor was also restricted from any employment that would grant her access to the private medical information of others during her probationary period.

Criminal HIPAA violations

Violating HIPAA can result in criminal penalties, depending on the severity and intent of the breach. Criminal violations typically involve accessing patient records for personal gain or commercial advantage or sharing PHI with intent to do harm. For example, they might involve taking social security numbers and birth dates to commit identity fraud. Criminal penalties are less common than civil monetary damages for HIPAA violations. 

For example, in 2019, the DOJ charged a former patient coordinator, Linda Sue Kalina, with wrongfully disclosing the health information of another individual. During her employment, Kalina improperly accessed 111 patient records. She “unlawfully disclosed personal gynecological health information related to two such patients, with intent to cause those individuals embarrassment and mental distress.” Kalina was sentenced to one year of imprisonment, followed by three years of supervised release. 

Theft of patient information

Lost or stolen patient information can occur when an employee accesses and steals the PHI on file or when records are left unsecured. For example, a medical professional might leave an unencrypted thumb drive loaded with patient information at a coffee shop where it’s stolen by a third party. Another example is if a medical office is burglarized.

Theft can also occur through a cybersecurity breach due to access failures like compromised credentials or poor security infrastructure. In 2023, 725 breaches were reported to HHS, affecting 133 million patients. The four largest breaches were against a major healthcare facilities operator, a medical transcription company, and two dental organizations. 

Wrongful disclosures

Wrongful disclosures cover civil and criminal liabilities based on severity. HIPAA violation penalties for employees who wrongfully disclose PHI can include HIPAA fines up to $250,000 and 10 years in prison for criminal violations. However, a wrongful disclosure can be as simple as neglecting to get a patient’s signature on a HIPAA release form before releasing the information to a third party.

HIPAA Settlements  

The OCR and HHS may settle cases with covered entities and business associates through resolution agreements. These agreements can include a HIPAA violation lawsuit payout and obligations to perform corrective actions and submit reports to HHS—typically for three years. 

For example, in one recent case, the Children’s Hospital & Medical Center (CHMC) agreed to take corrective actions and pay $80,000 to settle a potential violation of the HIPAA right of access standard. If HHS can’t reach a satisfactory resolution agreement with the covered entity, it can impose civil monetary penalties for noncompliance. 

How to Avoid HIPAA Violations 

Covered entities and business associates that have access to PHI must implement and adhere to the technical, physical, and administrative safeguards outlined in HIPAA. They must also comply with the HIPAA Privacy Rule and HIPAA Security Rule to protect the integrity of PHI.

The HIPAA Privacy Rule addresses the use and disclosure of PHI and establishes safeguards to protect it. It also gives patients the right to access their medical records and obtain copies on request in a reasonable timeframe. The HIPAA Security Rule specifically addresses the use and protection of PHI that was created, received, maintained, or transmitted electronically. 

To comply with the HIPAA Security Rule, the CDC requires all covered entities to:

  • Ensure the confidentiality, integrity, and availability of all electronic PHI (ePHI).
  • Detect and safeguard against anticipated threats to the security of the information.
  • Protect against anticipated impermissible uses or disclosures.
  • Certify compliance by their workforce.

Of course, these requirements are easier said than done. While external cyber attacks continue to increase—with healthcare organizations as a top target—covered entities must manage risks both inside and outside their organizations. In fact, 66% of incidents involved insiders rather than external threats. 

For example, a HIPAA violation where someone’s PHI is disclosed is often the result of human error rather than malicious intent. These compliance errors are most commonly the result of:

  • Misdelivery
  • Improper disposal
  • Data loss     

Besides human error, be on the lookout for the following common violations:  

  • Lack of encryption
  • Data breaches caused by a security hack or phishing attack
  • Unauthorized access
  • Improper disposal of records
  • Loss or theft of devices

To prevent violations—and HIPAA violation consequences—secure PHI at every level by applying the following best practices.  

1. Review current data security practices

To achieve compliance, understand your security landscape. Review current security practices and systems to identify vulnerabilities and gaps in compliance. Formally conduct any required audits and assessments and review and document the results. This review sets the foundation for a systematic compliance plan.  

2. Conduct routine monitoring of record access

As part of ongoing compliance practices, conduct routine monitoring of all recorded access involving PHI. Regular monitoring helps detect any errors or violations early so you can mitigate the impact and correct the incident. 

3. Implement access control

For ePHI, access control is essential to securing data across your organization’s network. For this level of control, assign unique logins to each user and establish procedures to govern the release or disclosure of ePHI in case of emergency. Also, as part of any access control program, implement system-wide audit controls and activity logs that record both successful access and attempted access, and log how the data is used once it has been accessed.
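Steps 2 and 3 together amount to one control: every access to a patient record is logged, and someone reviews those logs for access that has no treatment relationship behind it (the pattern in the Bacor and Kalina cases above) and for repeated denied attempts. The script below is an added example, not code from the StrongDM article or product; the care-team roster, the CSV log format and the sample log lines are constructed for illustration, and in a real deployment the roster would come from the EHR and the log from the system's audit trail.

```python
import csv
import io
from collections import Counter
from dataclasses import dataclass

# Constructed roster (hypothetical): patient id -> users with a documented
# treatment relationship. A real review would pull this from the EHR.
CARE_TEAM = {
    "P-1001": {"dr.lee", "nurse.kim"},
    "P-1002": {"dr.lee"},
    "P-1003": {"nurse.kim", "tech.rao"},
}

# Constructed sample audit log. Assumed CSV layout:
# timestamp,user,patient_id,action,outcome
SAMPLE_LOG = """\
2024-03-01T08:02:11Z,dr.lee,P-1001,view,success
2024-03-01T08:05:40Z,nurse.kim,P-1002,view,success
2024-03-01T08:06:03Z,tech.rao,P-1002,view,success
2024-03-01T08:07:15Z,tech.rao,P-1002,export,success
2024-03-01T09:10:00Z,dr.lee,P-1003,view,denied
2024-03-01T09:10:05Z,dr.lee,P-1003,view,denied
2024-03-01T09:10:09Z,dr.lee,P-1003,view,denied
2024-03-01T10:00:00Z,tech.rao,P-1003,view,success
"""

FIELDS = ["timestamp", "user", "patient_id", "action", "outcome"]


@dataclass(frozen=True)
class Finding:
    user: str
    patient_id: str
    reason: str
    count: int


def parse_log(text: str) -> list:
    """Parse CSV audit lines. Rows with too few or too many fields are
    dropped rather than guessed at, so a truncated line cannot hide an access."""
    rows = []
    for row in csv.DictReader(io.StringIO(text), fieldnames=FIELDS):
        if None in row.values() or row.get(None):
            continue  # short row (missing fields) or long row (extra fields)
        rows.append(row)
    return rows


def review_access(entries, care_team, denied_threshold: int = 3) -> list:
    """Two checks over the log:
    1. a successful access by a user with no treatment relationship to the
       patient (a patient not on the roster counts as no relationship);
    2. repeated denied attempts on one record by one user, which points at a
       broken access policy or a user probing records they cannot open.
    Returns one Finding per (user, patient, reason) with the event count."""
    no_relationship = Counter()
    denied = Counter()
    for e in entries:
        key = (e["user"], e["patient_id"])
        if e["outcome"] == "success":
            if e["user"] not in care_team.get(e["patient_id"], set()):
                no_relationship[key] += 1
        elif e["outcome"] == "denied":
            denied[key] += 1
    findings = [Finding(u, p, "no_treatment_relationship", n)
                for (u, p), n in no_relationship.items()]
    findings += [Finding(u, p, "repeated_denied_access", n)
                 for (u, p), n in denied.items() if n >= denied_threshold]
    return sorted(findings, key=lambda f: (f.user, f.patient_id, f.reason))


def summarize(findings) -> dict:
    """Flagged events per user: the first figure a privacy officer looks at."""
    per_user = Counter()
    for f in findings:
        per_user[f.user] += f.count
    return dict(per_user)


if __name__ == "__main__":
    found = review_access(parse_log(SAMPLE_LOG), CARE_TEAM)
    for f in found:
        print(f"{f.user:10} {f.patient_id}  {f.reason:26} x{f.count}")
    print(summarize(found))
```

The export by tech.rao on a record outside that user's care team is the case worth escalating first: the page's criminal tiers turn on PHI leaving the organization, and an export event is the audit record of that happening. Raising `denied_threshold` trades sensitivity for fewer tickets; three in ten seconds is a reasonable starting point for a human review queue.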

4. Enable full disk encryption

Encrypting files is essential to achieving HIPAA compliance and protecting private records. Enable full disk encryption (FDE) as an effective, low-cost method of securing sensitive data. FDE encrypts data on a device, protecting the information even if the device is lost or stolen. For end-to-end protection, take time to review your organization-wide encryption policy.

5. Train employees on HIPAA standards and best practices

To reduce human-error violations and prevent negligent practices, train all employees on HIPAA standards and policies. Conduct training annually for all employees and during onboarding for all new employees.

Training helps employees who handle PHI to recognize and avoid malware and cyber attacks, such as phishing. It also helps ensure proper handling of digital and physical records, such as disposal procedures. 

How StrongDM Helps You Avoid Penalties for HIPAA Violations  

The consequences of violating HIPAA can be costly. To protect your organization and data, start with comprehensive access management from StrongDM. 

This access platform gives your organization the ability to: 

  • Centrally manage authentication.
  • Implement least-privilege access based on roles. 
  • Connect users to the resources they need from anywhere.
  • Capture and record all queries and commands in every session across your entire stack.

Managing permissions across an organization can be time-consuming and error-prone. But StrongDM takes the guesswork out of access management. It automates least-privilege access to the systems your users need so only authorized users handle PHI. 

Plus, StrongDM centralizes all log collections—including query logs, web logs, and activity logs—in one place. This single location enables faster audit response times and comprehensive monitoring, so you always know when and how PHI is accessed and used.

See how StrongDM’s infrastructure access platform can help you avoid HIPAA violations by signing up for our 14-day free trial.


About the Author

, Technical Evangelist, has had a long 30+ year career in systems engineering and architecture, but has spent the last 13+ years working on the Cloud, and specifically, Cloud Security. He's currently the Technical Evangelist at StrongDM, taking the message of Zero Trust Privileged Access Management (PAM) to the world. As a practitioner, he architected and created cloud automation, DevOps, and security and compliance solutions at Netflix and Adobe. He worked closely with customers at Evident.io, where he told the world how cloud security should be done at conferences, meetups and customer sessions. Before coming to StrongDM, he led an innovations and solutions team at Palo Alto Networks, working across many of the company's security products.
