866.254.0000
Contact Us
Services
Services
View All Services
SOC & Attestations
SOC & Attestations
SOC 1 / SSAE 18 Examination
SOC 2 Examination
SOC 3 Examination
SOC for Supply Chain
SOC for Cybersecurity
SOC Essentials for Early-Stage Companies
C5 Attestation
CSA STAR Programs
Payment Card Assessments
Payment Card Assessments
PCI DSS Validation
PCI SSF
PCI P2PE Validation
PCI PIN Assessments
PCI 3DS Compliance
ISO Certifications
ISO Certifications
ISO 27001
ISO 42001
ISO 27701
ISO 9001
ISO 22301
ISO-20000-1
Privacy Assessments
Privacy Assessments
APEC Certification
GDPR Assessment
International Privacy Assessments
US State Privacy Assessments
Microsoft SSPA/DPR Assessment
Privacy Program Assessment
FERPA Assessment
EU Cloud Code of Conduct
Federal Assessments
Federal Assessments
FedRAMP®
CMMC / NIST SP 800-171
FISMA/NIST
ITAR
CJIS
IRAP
FTC Consent Decrees
DoD IL6
Healthcare Assessments
Healthcare Assessments
HITRUST Certification
HIPAA Compliance
HIPAA Express
EPCS-DEA Audits
Health Data Host (HDS) Certification
Penetration Testing
Penetration Testing
Application
Network
Mobile
Red Teaming
Social Engineering
Cloud
Physical
Hardware and IoT
Advanced Series
AI Red Teaming
Cybersecurity Assessments
Cybersecurity Assessments
Cloud Configuration Assessments
Ransomware Assessments
NIST Cybersecurity Framework Assessments
Schellman Software Security Assessment (S3A)
TISAX®
SWIFT Customer Security Programme
Internal Audit Co-Sourcing
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
Sustainability Services
Sustainability Services
AI Services
AI Services
Learning Center
Our Technology
About Us
About Us
About Us
Leadership Team
Leadership Team
Corporate Social Responsibility
Corporate Social Responsibility
Careers
Careers
Strategic Partnerships
Strategic Partnerships
ISO Certificate Directory
Contact Us

«  View All Posts

Tiers of HIPAA Violations: Civil vs Criminal Blog Feature

By: Schellman

Print/Save as PDF

Tiers of HIPAA Violations: Civil vs Criminal

Healthcare Assessments

Published: Aug 3, 2022

Last Updated: Nov 16, 2023

The Health Insurance Portability and Accountability Act (HIPAA) is an American law that establishes the standards for safeguarding the protected health information (PHI) of patients. Violations of HIPAA occur when there is unauthorized access, use, or disclosure of that sensitive data, and the related penalties aren’t just serious—they’re complicated as well.

Two different government agencies manage two different kinds of HIPAA violations—civil and criminal—and within those two categories are several tiers for both. 

To help simplify the details, we’re going to overview these different kinds of HIPAA violations. As HIPAA assessors, we’ve helped over 100 of our clients stay in compliance with this law in just the last year. We helped them avoid these penalties, and now we’re going to help you as well by providing more context.

While you’re likely trying to avoid any violation at all, knowing what’s truly at risk—from the smallest infringement to the biggest—can only help you in doing so.

What is a HIPAA Violation?

To commit a HIPAA violation is to fail to comply with any of the HIPAA rules and standards, and those potential violations can range widely and include things like:

  • Unauthorized access of PHI/ePHI
  • Delayed breach notifications
  • Failure to perform an organization-wide risk analysis
  • Failure to enter into a HIPAA-compliant business associate agreement
  • Wrongful disclosures of PHI
  • Failure to safeguard PHI
  • Failed or non-existent risk management processes, which can result in an actionable failure to manage security risks to a sufficient level
  • Failure to implement sufficient access controls

As patients can suffer serious harm from HIPAA violations, including identity theft or discrimination, the violations and their related consequences can be severe in both the civil and criminal tiers— though they too can range (making compliance with HIPAA all the more important).

What are the Civil Penalties for HIPAA Noncompliance?

Let’s start with civil violations, which are managed by the Department of Health and Human Services (HHS) Office of Civil Rights (OCR)—they enforce HIPAA through regular audits, complaints, and investigations following a complaint or a breach.

When they happen, the OCR assesses the nature of a breach and investigates the possible weaknesses from noncompliance that could’ve caused said breach before issuing civil monetary penalties (CMP), corrective action plans (CAPs), and resolution agreements to ensure future HIPAA compliance.

As we mentioned before, the OCR follows a tiered penalty structure to assess the severity of the violation. Here is a breakdown of civil violations and their related, proportional penalties:

Tier

Context of Violation

Examples

Penalty
(Per Violation)

Tier 1:

Lack of knowledge

 

This is an unintentional violation of privacy or security that may be caused by carelessness, lack of knowledge or training, or other human error.

The covered entity or business associate was unaware of and, through due diligence, could not have known the HIPAA rule was violated.
  • Sending PHI via unencrypted email to the wrong party or failing to log out of an application accessing PHI
  • An unlocked computer left on an unattended desk
  • Talking about PHI in public places of the organization, such as in elevators or cafeterias
  • Mailing bills and statements to incorrect addresses

Minimum: $127


Maximum: $63,973


Calendar-year cap: $1,919,173 *

Tier 2:

Reasonable cause and not willful neglect

 

The organization knew or should have known through due diligence that its action (or omission) violated HIPAA, but the violation was not caused by willful neglect.

(i.e., when PHI is carelessly accessed or released by an employee.)

Demonstrates disregard for HIPAA regulation and/or internal policies and procedures but falls short of willful neglect.
  • Releasing PHI without proper patient authorization.
  • Accessing PHI without a need to know
  • Failure to dispose of PHI properly

Minimum: $1,280

Maximum: $63,973

Calendar-year cap: $1,919,173*

Tier 3:

Willful neglect, corrected within 30 days

 

A breach was caused by willful neglect, but the organization took corrective action within 30 days.
  • Having an unencrypted laptop stolen, but also taking action to ensure that all laptops were encrypted within 30 days following the theft.

Minimum: $12,794

Maximum: $63,973

Calendar-year cap: $1,919,173*

Tier 4:

Willful neglect, not corrected within 30 days

 

A breach occurred due to willful neglect, and the organization made no efforts to correct the violation in a reasonable time frame.

Demonstrates systemic non-compliance with the HIPAA rules.
  • Failure to conduct risk assessments
  • Failure to implement risk management plans
  • Failure to implement audit controls.

Minimum: $63,973

Maximum: $1,919,173

Calendar-year cap: $1,919,173* 

* The calendar-year cap applies only to violations of a single HIPAA provision in a calendar year. So, if you violate multiple provisions, the cap applies to each provision for each calendar year you violated that provision. 

To further illustrate this, say you failed to conduct an annual risk assessment and did not implement a risk management process in place for three years—that would mean you violated two separate provisions over 3 years and your total fine could reach as much as $11.5M. 

Insofar as how the OCR calculates HIPAA violation fines, they will consider the following factors before coming to their final number:

  • The number of individuals affected
  • Organization’s history of prior compliance or non-compliance
  • Size of the organization

What are the Criminal Penalties for HIPAA Noncompliance?

And that’s just in the civil category. When it comes to the other side of HIPAA violations and penalties, the game changes a bit.

Not only are there only three tiers to criminal penalties, but the Department of Justice (DOJ) manages these prosecutions of HIPAA violations, rather than the OCR.

A judge determines the penalties based on the three categories of criminal violations, and these consequences can range from fines to jail time depending on the severity of the violation:

Tier

Context of Violation

Example

Maximum Penalty

Tier 1:

Wrongful disclosure of PHI

The lowest-level violation. Covers cases of:

  • Reasonable cause, in which the individual should have known better; and
  • Lack of knowledge, where the individual did not know they violated a rule.

The DOJ does not acknowledge ignorance of HIPAA regulations as an excuse for violating HIPAA rules because all covered entities are responsible for compliance.

A behavioral health analyst working with autistic individuals stole the PHI of over 300 patients. The analyst was sentenced to 30 days in jail, 3 years of supervised release, $14,900 in restitution.
  • Up to $50,000 in fines
  • Up to one year in prison
  • Or both

Tier 2:

Wrongful disclosure of PHI under false pretenses

Includes obtaining PHI under false pretenses or disclosing it without permission.

For example, a hospital employee cannot access the records of patients who are not under their care.

A healthcare worker accessed her ex-boyfriend’s PHI who was being treated at the hospital where she worked, took a picture of his records, and shared it with another person outside of the organization.

As he was not a patient of hers, she should not have had access to his medical records at all. Having known what she was doing, she was sentenced to 5 years’ probation and given a $1,000 fine. She can no longer work for any organization that deals with the PHI of other people.
  • Up to $100,000 in fines
  • Up to five years in prison
  • Or both

Tier 3:

Wrongful disclosure of PHI under false pretenses with malicious intent

The most severe violation.

The individual who commits the crime wrongfully obtains PHI with the intent to sell, transfer, or use the data for personal gain, commercial advantage, or malicious harm. 

An administrator of a medical clinic in Florida sought out and collected patient identifying information such as DOBs and SS# to steal their identities. She then sold the identities for a profit or defrauded businesses herself using the identities.

The administrator pled guilty to wire fraud and identity theft and was thereby sentenced to 20 years in jail for wire fraud along with a consecutive 2-year term for the identity theft.
  • Up to $250,000
  • Ten years in prison
  • Or both

Moving Forward in Your HIPAA Compliance

For those of you health plans, healthcare clearinghouses, and healthcare providers—among other covered entities and relevant business associates that need to be HIPAA-compliant—you’ve likely read all that and are thinking Bruce Barton was right. There are no “small” violations, especially when it’s also possible to incur civil AND criminal penalties at the same time.

Now that you know what could happen if you fell out of compliance, it becomes that much more important to ensure you stay within the regulations. If you’re interested in taking steps to remain compliant through a HIPAA assessment that can help you determine where your controls stand, check out our other content that can help you understand what you’d be getting into:

If you've already decided that an attestation is what you need but still have some specific questions regarding your organization, please feel free to contact us as well. Our team of experienced assessors would be happy to clear up any concerns so that you feel more comfortable moving forward.

About Schellman

Schellman is a leading provider of attestation and compliance services. We are the only company in the world that is a CPA firm, a globally licensed PCI Qualified Security Assessor, an ISO Certification Body, HITRUST CSF Assessor, a FedRAMP 3PAO, and most recently, an APEC Accountability Agent. Renowned for expertise tempered by practical experience, Schellman's professionals provide superior client service balanced by steadfast independence. Our approach builds successful, long-term relationships and allows our clients to achieve multiple compliance objectives through a single third-party assessor.

4010 W Boy Scout Boulevard
Suite 600
Tampa, FL 33607

U.S. 1.866.254.0000

Outside the U.S.
1.813.288.8833

Resources
Company
Stay Up-to-Date

Sign up to receive Schellman's Weekly Read delivered every Friday morning.

© SchellmanPrivacy PolicyTerms of Use

“Schellman” is the brand name under which Schellman & Company, LLC and Schellman Compliance, LLC provide professional services. Schellman & Company, LLC and Schellman Compliance, LLC practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Schellman & Company, LLC is a licensed certified public accounting firm (Florida license number AD62941) registered with the Public Company Accounting Oversight Board (PCAOB) that provides attest services to its clients, and Schellman Compliance, LLC provides nonattest cybersecurity and compliance professional services to its clients. Schellman Compliance, LLC is not a licensed CPA firm. Schellman & Company, LLC and Schellman Compliance, LLC are independently owned and are not liable for the services provided by any other entity providing services under the Schellman brand. Our use of the terms “our firm” and “we” and “us” and terms of similar import, denote the alternative practice structure conducted by Schellman & Company, LLC and Schellman Compliance, LLC.