Contact a Specialist
Services
SOC & Attestations
Payment Card Assessments
ISO Certifications
Privacy Assessments
Federal Assessments
Healthcare Assessments
Penetration Testing
Cybersecurity Assessments
Crypto and Digital Trust
Schellman Training
Build Your Compliance Roadmap
Industry Solutions
Cloud Computing & Data Centers Meet a broad range of regulatory and industry compliance mandates for your customers
Financial Services & Fintech Cybersecurity assessments for both the banking industry and the financial service providers
Healthcare Reporting to manage risk and adhere to applicable laws and regulations
Payment Card Processing Validate compliance with the various forms of the PCI DSS
US Government Achieve authorization to work for federal agencies, DoD, and the associated contractor base
View All Industry Solutions
Learning Center
Articles
Whitepapers
Case Studies
Events & Live Webinars
On-Demand Webinars
Visit the Learning Center
Our Process
About Us
Leadership Team
Careers
Corporate Social Responsibility
Visit About Us
Services
Services
View All Services
SOC & Attestations
SOC & Attestations
Payment Card Assessments
Payment Card Assessments
ISO Certifications
ISO Certifications
Privacy Assessments
Privacy Assessments
Federal Assessments
Federal Assessments
Healthcare Assessments
Healthcare Assessments
Penetration Testing
Penetration Testing
Cybersecurity Assessments
Cybersecurity Assessments
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
Industry Solutions
Industry Solutions
View All Industry Solutions
Cloud Computing & Data Centers
Cloud Computing & Data Centers
Financial Services & Fintech
Financial Services & Fintech
Healthcare
Healthcare
Payment Card Processing
Payment Card Processing
US Government
US Government
Learning Center
Learning Center
Visit the Learning Center
Articles
Articles
Whitepapers
Whitepapers
Case Studies
Case Studies
Events & Live Webinars
Events & Live Webinars
On-Demand Webinars
On-Demand Webinars
Our Process
About Us
About Us
About Schellman
Leadership Team
Leadership Team
Careers
Careers
Corporate Social Responsibility
Corporate Social Responsibility
Contact a Specialist

«  View All Posts

HIPAA Violations & Penalties: Civil vs. Criminal Blog Feature
Kellie Worley

By: Kellie Worley

Print/Save as PDF

HIPAA Violations & Penalties: Civil vs. Criminal

HIPAA | Healthcare

American everyman Bruce Barton once said: “Sometimes when I consider what tremendous consequences come from little things. I am tempted to think there are no little things.”

Bruce died in 1967—well before the passage of HIPAA—but his mindset remains applicable even today when it comes to the Health Insurance Portability and Accountability Act. If you violate HIPAA, the consequences for such suggest that there are no small missteps.

The penalties for HIPAA violations aren’t just serious—they’re complicated as well. Two different government agencies manage two different kinds of violations—civil and criminal—and within those two categories are several tiers for both.

To help simplify the details, we’re going to overview these different kinds of HIPAA violations. As HIPAA assessors, we’ve helped over 100 of our clients stay in compliance with this law in just the last year. We helped them avoid these penalties, and now we’re going to help you as well by providing more context.

While you’re likely trying to avoid any violation at all, knowing what’s truly at risk—from the smallest infringement to the biggest—can only help you in doing so.

What are the Civil Penalties for HIPAA Noncompliance?

Let’s start with civil violations, which are managed by the Department of Health and Human Services (HHS) Office of Civil Rights (OCR)—they enforce HIPAA through regular audits, complaints, and investigations following a complaint or a breach.

When they happen, the OCR assesses the nature of a breach and investigates the possible weaknesses from noncompliance that could’ve caused said breach before issuing civil monetary penalties (CMP), corrective action plans (CAPs), and resolution agreements to ensure future HIPAA compliance.

As we mentioned before, the OCR follows a tiered penalty structure to assess the severity of the violation. Here is a breakdown of civil violations and their related, proportional penalties:

HIPAA Penalties Civil vs. Criminal Tables 1-1

* The calendar-year cap applies only to violations of a single HIPAA provision in a calendar year. So, if you violate multiple provisions, the cap applies to each provision for each calendar year you violated that provision. 

To further illustrate this, say you failed to conduct an annual risk assessment and did not implement a risk management process in place for three years—that would mean you violated two separate provisions over 3 years and your total fine could reach as much as $11.5M. 

Insofar as how the OCR calculates their fines, they will consider the following factors before coming to their final number:

  • The number of individuals affected
  • Organization’s history of prior compliance or non-compliance
  • Size of the organization

What are the Criminal Penalties for HIPAA Noncompliance?

And that’s just in the civil category. When it comes to the other side of HIPAA violations and penalties, the game changes a bit.

Not only are there only three tiers to criminal penalties, but the Department of Justice (DOJ) manages these prosecutions of HIPAA violations, rather than the OCR.

A judge determines the penalties based on the three categories of criminal violations, and these consequences can range from fines to jail time depending on the severity of the violation:

HIPAA Penalties Civil vs. Criminal Tables 2 (002)-1

Moving Forward in Your HIPAA Compliance

For those of you health plans, healthcare clearinghouses, and healthcare providers—among other covered entities and relevant business associates that need to be HIPAA-compliant—you’ve likely read all that and are thinking Bruce Barton was right. There are no “small” violations, especially when it’s also possible to incur civil AND criminal penalties at the same time.

Now that you know what could happen if you fell out of compliance, it becomes that much more important to ensure you stay within the regulations. If you’re interested in taking steps to remain compliant through a HIPAA assessment that can help you determine where your controls stand, check out our other content that can help you understand what you’d be getting into:

If you've already decided that an attestation is what you need but still have some specific questions regarding your organization, please feel free to contact us as well. Our team of experienced assessors would be happy to clear up any concerns so that you feel more comfortable moving forward.

About Kellie Worley

Kellie Worley is a Senior Associate with Schellman. Prior to joining the firm, she was a HIPAA Compliance Consultant at Clearwater and served as AVP of Compliance and Privacy Officer for a hospital company with facilities across the U.S.. Having previously operated as Privacy Officer in other healthcare organizations, she has 20+ years experience in healthcare compliance .

Schellman

4010 W Boy Scout Boulevard, Suite 600
Tampa, FL 33607

U.S. 1.866.254.0000

Outside the U.S. 1.813.288.8833

Services
Industries
Resources
Company

© SchellmanPrivacy PolicyTerms

“Schellman” is the brand name under which Schellman & Company, LLC and Schellman Compliance, LLC provide professional services. Schellman & Company, LLC and Schellman Compliance, LLC practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Schellman & Company, LLC is a licensed certified public accounting firm (Florida license number AD62941) registered with the Public Company Accounting Oversight Board (PCAOB) that provides attest services to its clients, and Schellman Compliance, LLC provides nonattest cybersecurity and compliance professional services to its clients. Schellman Compliance, LLC is not a licensed CPA firm. Schellman & Company, LLC and Schellman Compliance, LLC are independently owned and are not liable for the services provided by any other entity providing services under the Schellman brand. Our use of the terms “our firm” and “we” and “us” and terms of similar import, denote the alternative practice structure conducted by Schellman & Company, LLC and Schellman Compliance, LLC.