Failure to comply with HIPAA is expensive and can even result in jail time.
In a nutshell, fines increase with the number of patients and the amount of neglect. One end of the spectrum is “Reasonable Cause,” i.e., even after exercising reasonable diligence, you still wouldn’t have known that you violated a HIPAA provision. On the other end of the spectrum is “Willful Neglect,” in which a security breach is due to negligence and not corrected within 30 days. Reasonable Cause ranges from $100 to $50,000 per incident and doesn’t involve jail time, whereas Willful Neglect ranges from $10,000 to $50,000 per incident and can result in criminal charges.
Civil Penalties
The “American Recovery and Reinvestment Act of 2009”(ARRA) that was signed into law on February 17, 2009, established a tiered civil penalty structure for HIPAA violations (see below). The Secretary of the Department of Health and Human Services (HHS) still has discretion in determining the amount of the penalty based on the nature and extent of the violation and the nature and extent of the harm resulting from the violation.
| HIPAA Violation | Minimum Penalty | Maximum Penalty |
| Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA | $100 per violation, with an annual maximum of $25,000 for repeat violations (Note: maximum that can be imposed by State Attorneys General regardless of the type of violation) | $50,000 per violation, with an annual maximum of $1.5 million |
| HIPAA violation due to reasonable cause and not due to willful neglect | $1,000 per violation, with an annual maximum of $100,000 for repeat violations | $50,000 per violation, with an annual maximum of $1.5 million |
| HIPAA violation due to willful neglect but violation is corrected within the required time period | $10,000 per violation, with an annual maximum of $250,000 for repeat violations | $50,000 per violation, with an annual maximum of $1.5 million |
| HIPAA violation is due to willful neglect and is not corrected | $50,000 per violation, with an annual maximum of $1.5 million | $50,000 per violation, with an annual maximum of $1.5 million |
Criminal Penalties
In June 2005, the U.S. Department of Justice (DOJ) clarified who can be held criminally liable under HIPAA. Covered entities and specified individuals, as explained below, whom “knowingly” obtain or disclose individually identifiable health information in violation of the Administrative Simplification Regulations face a fine of up to $50,000, as well as imprisonment up to one year. Offenses committed under false pretenses allow penalties to be increased to a $100,000 fine, with up to five years in prison. Finally, offenses committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm permit fines of $250,000, and imprisonment for up to ten years.
Real Examples of HIPAA Violations
| Entity Fined | Fine | Violation |
| CIGNET | $4,300,000 | Online database application error. |
| Alaska Department of Health and Human Services | $1,700,000 | Unencrypted USB hard drive stolen, poor policies and risk analysis. |
| WellPoint | $1,700,000 | Did not have technical safeguards in place to verify the person/entity seeking access to PHI in the database. Failed to conduct a tech eval in response to software upgrade. |
| Blue Cross Blue Shield of Tennessee | $1,500,000 | 57 unencrypted hard drives stolen. |
| Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates | $1,500,000 | Unencrypted laptop stolen, poor risk analysis, policies. |
| Affinity Health Plan | $1,215,780 | Returned photocopiers without erasing the hard drives. |
| South Shore Hospital | $750,000 | Backup tapes went missing on the way to contractor. |
| Idaho State University | $400,000 | Breach of unsecured ePHI. |
| Shasta Regional Medical Center | $275,000 | Inadequate safeguarding of PHI from impermissible uses and disclosures. |
| Phoenix Cardiac Surgery | $100,000 | Internet calendar, poor policies, training. |
| The Hospice of Northern Idaho | $50,000 | Breach of unsecured ePHI. Unencrypted laptop stolen, no risk analysis. |
What Constitutes a HIPAA Violation?
- Unencrypted Data
The vast majority of data breaches are due to stolen or lost data that was unencrypted.
- Employee Error
Breaches can occur when employees lose unencrypted portable devices, mistakenly send PHI to vendors who post that information online, and disclose personally identifiable, sensitive information on social networks.
- Data Stored on Devices
Almost half of all data breaches are the result of theft, and risk of a security breach increases considerably when information stored on laptops, smartphones and tables are not encrypted.
- Business Associates
Almost two-thirds of data breaches involved a business associate. While your organization might comply with HIPAA, it does not mean that your partners do.
Lesson Learned: Don’t Violate HIPAA
While becoming HIPAA compliant can be costly and time consuming, failure to comply with HIPAA is doubly so. Aside from the actual cost of penalties and fines, a HIPAA violation can also destroy an organization’s reputation beyond repair.
How do I become HIPAA compliant? Read next week’s blog post or download our whitepaper.