Tiers of HIPAA Violations: Civil vs Criminal
American everyman Bruce Barton once said: “Sometimes when I consider what tremendous consequences come from little things, I am tempted to think there are no little things.”
Bruce died in 1967—well before the passage of HIPAA—but his mindset still applies to the Health Insurance Portability and Accountability Act today. If you violate HIPAA, the consequences suggest that there are no small missteps.
The penalties for HIPAA violations aren’t just serious—they’re complicated as well. Two different government agencies manage two different kinds of violations—civil and criminal—and within those two categories are several tiers for both.
To help simplify the details, we’re going to overview these different kinds of HIPAA violations. As HIPAA assessors, we’ve helped over 100 of our clients stay in compliance with this law in just the last year. We helped them avoid these penalties, and now we’re going to help you as well by providing more context.
While you’re likely trying to avoid any violation at all, knowing what’s truly at risk—from the smallest infringement to the biggest—can only help you in doing so.
What are the Civil Penalties for HIPAA Noncompliance?
Let’s start with civil violations, which are managed by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR). The OCR enforces HIPAA through regular audits and through investigations opened in response to a complaint or a breach.
When a breach occurs, the OCR assesses its nature and investigates the noncompliance weaknesses that could have caused it before issuing civil monetary penalties (CMPs), corrective action plans (CAPs), and resolution agreements to ensure future HIPAA compliance.
As we mentioned before, the OCR follows a tiered penalty structure to assess the severity of the violation. Here is a breakdown of civil violations and their related, proportional penalties:
* The calendar-year cap applies only to violations of a single HIPAA provision in a calendar year. So, if you violate multiple provisions, the cap applies to each provision for each calendar year you violated that provision.
To further illustrate this, say you failed to conduct an annual risk assessment and also failed to implement a risk management process for three years. That would mean you violated two separate provisions over 3 years, and your total fine could reach as much as $11.5M.
As for how the OCR calculates its fines, it considers the following factors before arriving at a final number:
- The number of individuals affected
- Organization’s history of prior compliance or non-compliance
- Size of the organization
What are the Criminal Penalties for HIPAA Noncompliance?
And that’s just in the civil category. When it comes to the other side of HIPAA violations and penalties, the game changes a bit.
There are only three tiers of criminal penalties, and it is the Department of Justice (DOJ), rather than the OCR, that prosecutes criminal HIPAA violations.
A judge determines the penalties based on the three categories of criminal violations, and these consequences can range from fines to jail time depending on the severity of the violation:
Moving Forward in Your HIPAA Compliance
If you are a health plan, healthcare clearinghouse, or healthcare provider—or another covered entity or business associate that needs to be HIPAA-compliant—you’ve likely read all that and are thinking Bruce Barton was right. There are no “small” violations, especially since it’s possible to incur civil AND criminal penalties at the same time.
Now that you know what could happen if you fell out of compliance, it becomes that much more important to ensure you stay within the regulations. If you’re interested in taking steps to remain compliant through a HIPAA assessment that can help you determine where your controls stand, check out our other content that can help you understand what you’d be getting into:
- The Cost of a HIPAA Assessment
- What Is The HIPAA Audit Process?
- The Differences Between HIPAA and HITRUST
If you've already decided that an attestation is what you need but still have some specific questions regarding your organization, please feel free to contact us as well. Our team of experienced assessors would be happy to clear up any concerns so that you feel more comfortable moving forward.
Schellman is a leading provider of attestation and compliance services. We are the only company in the world that is a CPA firm, a globally licensed PCI Qualified Security Assessor, an ISO Certification Body, HITRUST CSF Assessor, a FedRAMP 3PAO, and most recently, an APEC Accountability Agent. Renowned for expertise tempered by practical experience, Schellman's professionals provide superior client service balanced by steadfast independence. Our approach builds successful, long-term relationships and allows our clients to achieve multiple compliance objectives through a single third-party assessor.