Services
Services
SOC & Attestations
SOC & Attestations
Payment Card Assessments
Payment Card Assessments
ISO Certifications
ISO Certifications
Privacy Assessments
Privacy Assessments
Federal Assessments
Federal Assessments
Healthcare Assessments
Healthcare Assessments
Penetration Testing
Penetration Testing
Cybersecurity Assessments
Cybersecurity Assessments
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
Industry Solutions
Industry Solutions
Cloud Computing & Data Centers
Cloud Computing & Data Centers
Financial Services & Fintech
Financial Services & Fintech
Healthcare
Healthcare
Payment Card Processing
Payment Card Processing
US Government
US Government
Learning Center
Learning Center
Articles
Articles
Whitepapers
Whitepapers
Case Studies
Case Studies
Events & Live Webinars
Events & Live Webinars
On-Demand Webinars
On-Demand Webinars
About Us
About Us
Leadership Team
Leadership Team
Careers
Careers
Corporate Social Responsibility
Corporate Social Responsibility

HIPAA Violations & Penalties: Civil vs. Criminal

HIPAA | Healthcare

American everyman Bruce Barton once said: “Sometimes when I consider what tremendous consequences come from little things. I am tempted to think there are no little things.”

Bruce died in 1967—well before the passage of HIPAA—but his mindset remains applicable even today when it comes to the Health Insurance Portability and Accountability Act. If you violate HIPAA, the consequences for such suggest that there are no small missteps.

The penalties for HIPAA violations aren’t just serious—they’re complicated as well. Two different government agencies manage two different kinds of violations—civil and criminal—and within those two categories are several tiers for both.

To help simplify the details, we’re going to overview these different kinds of HIPAA violations. As HIPAA assessors, we’ve helped over 100 of our clients stay in compliance with this law in just the last year. We helped them avoid these penalties, and now we’re going to help you as well by providing more context.

While you’re likely trying to avoid any violation at all, knowing what’s truly at risk—from the smallest infringement to the biggest—can only help you in doing so.

What are the Civil Penalties for HIPAA Noncompliance?

Let’s start with civil violations, which are managed by the Department of Health and Human Services (HHS) Office of Civil Rights (OCR)—they enforce HIPAA through regular audits, complaints, and investigations following a complaint or a breach.

When they happen, the OCR assesses the nature of a breach and investigates the possible weaknesses from noncompliance that could’ve caused said breach before issuing civil monetary penalties (CMP), corrective action plans (CAPs), and resolution agreements to ensure future HIPAA compliance.

As we mentioned before, the OCR follows a tiered penalty structure to assess the severity of the violation. Here is a breakdown of civil violations and their related, proportional penalties:

HIPAA Penalties Civil vs. Criminal Tables 1-1

* The calendar-year cap applies only to violations of a single HIPAA provision in a calendar year. So, if you violate multiple provisions, the cap applies to each provision for each calendar year you violated that provision. 

To further illustrate this, say you failed to conduct an annual risk assessment and did not implement a risk management process in place for three years—that would mean you violated two separate provisions over 3 years and your total fine could reach as much as $11.5M. 

Insofar as how the OCR calculates their fines, they will consider the following factors before coming to their final number:

  • The number of individuals affected
  • Organization’s history of prior compliance or non-compliance
  • Size of the organization

What are the Criminal Penalties for HIPAA Noncompliance?

And that’s just in the civil category. When it comes to the other side of HIPAA violations and penalties, the game changes a bit.

Not only are there only three tiers to criminal penalties, but the Department of Justice (DOJ) manages these prosecutions of HIPAA violations, rather than the OCR.

A judge determines the penalties based on the three categories of criminal violations, and these consequences can range from fines to jail time depending on the severity of the violation:

HIPAA Penalties Civil vs. Criminal Tables 2 (002)-1

Moving Forward in Your HIPAA Compliance

For those of you health plans, healthcare clearinghouses, and healthcare providers—among other covered entities and relevant business associates that need to be HIPAA-compliant—you’ve likely read all that and are thinking Bruce Barton was right. There are no “small” violations, especially when it’s also possible to incur civil AND criminal penalties at the same time.

Now that you know what could happen if you fell out of compliance, it becomes that much more important to ensure you stay within the regulations. If you’re interested in taking steps to remain compliant through a HIPAA assessment that can help you determine where your controls stand, check out our other content that can help you understand what you’d be getting into:

If you've already decided that an attestation is what you need but still have some specific questions regarding your organization, please feel free to contact us as well. Our team of experienced assessors would be happy to clear up any concerns so that you feel more comfortable moving forward.

About Kellie Worley

Kellie Worley is a Senior Associate with Schellman. Prior to joining the firm, she was a HIPAA Compliance Consultant at Clearwater and served as AVP of Compliance and Privacy Officer for a hospital company with facilities across the U.S.. Having previously operated as Privacy Officer in other healthcare organizations, she has 20+ years experience in healthcare compliance .