What Happens If You Violate HIPAA Law?

HIPAA provides a detailed penalty scheme for violations of the law, including monetary penalties for noncompliance. These penalties are issued by the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR). Since 2009, State Attorneys General may also bring civil actions for HIPAA violations on behalf of their state’s residents. What happens if you violate HIPAA law is discussed in greater detail below.

What Happens If You Violate HIPAA Law? Civil Monetary Penalties

OCR can impose civil monetary penalties for HIPAA violations that occurred on or after February 18, 2009. The dollar amounts are adjusted each year for inflation, so the figures below reflect the inflation-adjusted amounts in effect at the time of writing. There are four penalty tiers, ranging from the least severe violation to the most severe.

What Happens If You Violate HIPAA Law? The Four-Tier Penalty Structure

Tier 1 is the “No Knowledge” Tier. Under this tier, an organization did not know (and, by exercising reasonable diligence, would not have known) that a member of its workforce violated a HIPAA provision.

Tier 2 is the “Reasonable Cause” Tier. Under this tier, the violation was due to reasonable cause, not willful neglect. “Reasonable cause” means an act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated a HIPAA regulation, but in which the act or omission was not due to willful neglect.

Tiers 3 and 4 both involve the concept of willful neglect. Willful neglect means conscious, intentional failure or reckless indifference to the obligation to comply with the HIPAA provision that was violated.

Tier 3 is the “Willful Neglect – Corrected” tier. In this tier, the violation is due to willful neglect, but the violation is timely corrected (corrected within 30 days of the date the entity knew, or by exercising reasonable diligence would have known, of the violation).

Tier 4 is the “Willful Neglect – Not Corrected” tier. In this tier, the violation is due to willful neglect and is not corrected within that 30-day period.

What Happens If You Violate HIPAA Law? The Tier Dollar Penalties

Each tier has a corresponding civil monetary penalty. For each tier, there is a minimum penalty per violation, a maximum penalty per violation, and a maximum annual penalty that caps the total for all violations of an identical provision in a calendar year.

Tier 1:

Minimum Penalty per Violation: $117

Maximum Penalty per Violation: $58,490

Maximum Annual Penalty: $1,754,698

Tier 2:

Minimum Penalty per Violation: $1,170

Maximum Penalty per Violation: $58,490

Maximum Annual Penalty: $1,754,698

Tier 3:

Minimum Penalty per Violation: $11,698

Maximum Penalty per Violation: $58,490

Maximum Annual Penalty: $1,754,698

Tier 4:

Minimum Penalty per Violation: $58,490

Maximum Penalty per Violation: $1,754,698

Maximum Annual Penalty: $1,754,698


What Happens If You Violate HIPAA Law? State Attorneys General May Sue

State Attorneys General may enforce HIPAA. When the Attorney General of a state has reason to believe that state residents have been threatened or adversely affected by a violation, the Attorney General may sue the violator in federal court on behalf of those residents. In a successful lawsuit, an Attorney General may be awarded an injunction (an order prohibiting the violator from committing another violation) and/or money damages on behalf of the residents. State Attorneys General can also ask the judge hearing the case to impose a corrective action plan (CAP) on the violator. A corrective action plan requires the violator’s compliance to be monitored going forward.

State Attorneys General were initially reluctant to use the enforcement authority given to them in 2009 by the HITECH Act. Recently, however, a number of State Attorneys General have filed suit on behalf of their residents, seeking damages. Several recent cases have involved Attorneys General from multiple states joining together to sue a single violator. The first such suit was filed in December 2018. In that case, 12 State Attorneys General sued a Fort Wayne, Indiana business associate, Medical Informatics Engineering Inc., over a 2015 data breach in which hackers accessed the personal patient information of more than 3.9 million individuals stored in an electronic medical records database used by dozens of institutions.