Schellman becomes The First ISO 42001 ANAB Accredited Certification Body!

Services
Services
SOC & Attestations
SOC & Attestations
Payment Card Assessments
Payment Card Assessments
ISO Certifications
ISO Certifications
Privacy Assessments
Privacy Assessments
Federal Assessments
Federal Assessments
Healthcare Assessments
Healthcare Assessments
Penetration Testing
Penetration Testing
Cybersecurity Assessments
Cybersecurity Assessments
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
ESG & Sustainability
ESG & Sustainability
AI Services
AI Services
Industry Solutions
Industry Solutions
Cloud Computing & Data Centers
Cloud Computing & Data Centers
Financial Services & Fintech
Financial Services & Fintech
Healthcare
Healthcare
Payment Card Processing
Payment Card Processing
US Government
US Government
Higher Education & Research Laboratories
Higher Education & Research Laboratories
About Us
About Us
Leadership Team
Leadership Team
Careers
Careers
Corporate Social Responsibility
Corporate Social Responsibility
Strategic Partnerships
Strategic Partnerships

Tiers of HIPAA Violations: Civil vs Criminal

Healthcare Assessments

The Health Insurance Portability and Accountability Act (HIPAA) is an American law that establishes the standards for safeguarding the protected health information (PHI) of patients. Violations of HIPAA occur when there is unauthorized access, use, or disclosure of that sensitive data, and the related penalties aren’t just serious—they’re complicated as well.

Two different government agencies manage two different kinds of HIPAA violations—civil and criminal—and within those two categories are several tiers for both. 

To help simplify the details, we’re going to overview these different kinds of HIPAA violations. As HIPAA assessors, we’ve helped over 100 of our clients stay in compliance with this law in just the last year. We helped them avoid these penalties, and now we’re going to help you as well by providing more context.

While you’re likely trying to avoid any violation at all, knowing what’s truly at risk—from the smallest infringement to the biggest—can only help you in doing so.

What is a HIPAA Violation?

To commit a HIPAA violation is to fail to comply with any of the HIPAA rules and standards, and those potential violations can range widely and include things like:

  • Unauthorized access of PHI/ePHI
  • Delayed breach notifications
  • Failure to perform an organization-wide risk analysis
  • Failure to enter into a HIPAA-compliant business associate agreement
  • Wrongful disclosures of PHI
  • Failure to safeguard PHI
  • Failed or non-existent risk management processes, which can result in an actionable failure to manage security risks to a sufficient level
  • Failure to implement sufficient access controls

As patients can suffer serious harm from HIPAA violations, including identity theft or discrimination, the violations and their related consequences can be severe in both the civil and criminal tiers— though they too can range (making compliance with HIPAA all the more important).

What are the Civil Penalties for HIPAA Noncompliance?

Let’s start with civil violations, which are managed by the Department of Health and Human Services (HHS) Office of Civil Rights (OCR)—they enforce HIPAA through regular audits, complaints, and investigations following a complaint or a breach.

When they happen, the OCR assesses the nature of a breach and investigates the possible weaknesses from noncompliance that could’ve caused said breach before issuing civil monetary penalties (CMP), corrective action plans (CAPs), and resolution agreements to ensure future HIPAA compliance.

As we mentioned before, the OCR follows a tiered penalty structure to assess the severity of the violation. Here is a breakdown of civil violations and their related, proportional penalties:

Tier

Context of Violation

Examples

Penalty
(Per Violation)

Tier 1:

Lack of knowledge

 

This is an unintentional violation of privacy or security that may be caused by carelessness, lack of knowledge or training, or other human error.

The covered entity or business associate was unaware of and, through due diligence, could not have known the HIPAA rule was violated.

  • Sending PHI via unencrypted email to the wrong party or failing to log out of an application accessing PHI
  • An unlocked computer left on an unattended desk
  • Talking about PHI in public places of the organization, such as in elevators or cafeterias
  • Mailing bills and statements to incorrect addresses

Minimum: $127


Maximum: $63,973


Calendar-year cap: $1,919,173 *

Tier 2:

Reasonable cause and not willful neglect

 

The organization knew or should have known through due diligence that its action (or omission) violated HIPAA, but the violation was not caused by willful neglect.

(i.e., when PHI is carelessly accessed or released by an employee.)

Demonstrates disregard for HIPAA regulation and/or internal policies and procedures but falls short of willful neglect.

  • Releasing PHI without proper patient authorization.
  • Accessing PHI without a need to know
  • Failure to dispose of PHI properly

Minimum: $1,280

Maximum: $63,973

Calendar-year cap: $1,919,173*

Tier 3:

Willful neglect, corrected within 30 days

 

A breach was caused by willful neglect, but the organization took corrective action within 30 days.

  • Having an unencrypted laptop stolen, but also taking action to ensure that all laptops were encrypted within 30 days following the theft.

Minimum: $12,794

Maximum: $63,973

Calendar-year cap: $1,919,173*

Tier 4:

Willful neglect, not corrected within 30 days

 

A breach occurred due to willful neglect, and the organization made no efforts to correct the violation in a reasonable time frame.

Demonstrates systemic non-compliance with the HIPAA rules.

  • Failure to conduct risk assessments
  • Failure to implement risk management plans
  • Failure to implement audit controls.

Minimum: $63,973

Maximum: $1,919,173

Calendar-year cap: $1,919,173* 

* The calendar-year cap applies only to violations of a single HIPAA provision in a calendar year. So, if you violate multiple provisions, the cap applies to each provision for each calendar year you violated that provision. 

To further illustrate this, say you failed to conduct an annual risk assessment and did not implement a risk management process in place for three years—that would mean you violated two separate provisions over 3 years and your total fine could reach as much as $11.5M. 

Insofar as how the OCR calculates HIPAA violation fines, they will consider the following factors before coming to their final number:

  • The number of individuals affected
  • Organization’s history of prior compliance or non-compliance
  • Size of the organization

What are the Criminal Penalties for HIPAA Noncompliance?

And that’s just in the civil category. When it comes to the other side of HIPAA violations and penalties, the game changes a bit.

Not only are there only three tiers to criminal penalties, but the Department of Justice (DOJ) manages these prosecutions of HIPAA violations, rather than the OCR.

A judge determines the penalties based on the three categories of criminal violations, and these consequences can range from fines to jail time depending on the severity of the violation:

Tier

Context of Violation

Example

Maximum Penalty

Tier 1:

Wrongful disclosure of PHI

The lowest-level violation. Covers cases of:

  • Reasonable cause, in which the individual should have known better; and
  • Lack of knowledge, where the individual did not know they violated a rule.

The DOJ does not acknowledge ignorance of HIPAA regulations as an excuse for violating HIPAA rules because all covered entities are responsible for compliance.

A behavioral health analyst working with autistic individuals stole the PHI of over 300 patients. The analyst was sentenced to 30 days in jail, 3 years of supervised release, $14,900 in restitution.

  • Up to $50,000 in fines
  • Up to one year in prison
  • Or both

Tier 2:

Wrongful disclosure of PHI under false pretenses

Includes obtaining PHI under false pretenses or disclosing it without permission.

For example, a hospital employee cannot access the records of patients who are not under their care.

A healthcare worker accessed her ex-boyfriend’s PHI who was being treated at the hospital where she worked, took a picture of his records, and shared it with another person outside of the organization.

As he was not a patient of hers, she should not have had access to his medical records at all. Having known what she was doing, she was sentenced to 5 years’ probation and given a $1,000 fine. She can no longer work for any organization that deals with the PHI of other people.

  • Up to $100,000 in fines
  • Up to five years in prison
  • Or both

Tier 3:

Wrongful disclosure of PHI under false pretenses with malicious intent

The most severe violation.

The individual who commits the crime wrongfully obtains PHI with the intent to sell, transfer, or use the data for personal gain, commercial advantage, or malicious harm. 

An administrator of a medical clinic in Florida sought out and collected patient identifying information such as DOBs and SS# to steal their identities. She then sold the identities for a profit or defrauded businesses herself using the identities.

The administrator pled guilty to wire fraud and identity theft and was thereby sentenced to 20 years in jail for wire fraud along with a consecutive 2-year term for the identity theft.

  • Up to $250,000
  • Ten years in prison
  • Or both

Moving Forward in Your HIPAA Compliance

For those of you health plans, healthcare clearinghouses, and healthcare providers—among other covered entities and relevant business associates that need to be HIPAA-compliant—you’ve likely read all that and are thinking Bruce Barton was right. There are no “small” violations, especially when it’s also possible to incur civil AND criminal penalties at the same time.

Now that you know what could happen if you fell out of compliance, it becomes that much more important to ensure you stay within the regulations. If you’re interested in taking steps to remain compliant through a HIPAA assessment that can help you determine where your controls stand, check out our other content that can help you understand what you’d be getting into:

If you've already decided that an attestation is what you need but still have some specific questions regarding your organization, please feel free to contact us as well. Our team of experienced assessors would be happy to clear up any concerns so that you feel more comfortable moving forward.

About Schellman

Schellman is a leading provider of attestation and compliance services. We are the only company in the world that is a CPA firm, a globally licensed PCI Qualified Security Assessor, an ISO Certification Body, HITRUST CSF Assessor, a FedRAMP 3PAO, and most recently, an APEC Accountability Agent. Renowned for expertise tempered by practical experience, Schellman's professionals provide superior client service balanced by steadfast independence. Our approach builds successful, long-term relationships and allows our clients to achieve multiple compliance objectives through a single third-party assessor.