HIPAA Enforcement Rule and Violations

The HIPAA Enforcement Rule stems directly from the HITECH Act provisions that distinguish between violations occurring before, and on or after, the compliance date "with respect to the potential amount of civil money penalty and the affirmative defense available to covered entities," according to the rule.

HITECH describes "improvements" to existing HIPAA law: covered entities, business associates and others are subject to more rigorous standards when it comes to protected health information (PHI). The HITECH Act expands the scope of the HIPAA Privacy and Security Rules and increases the penalties for HIPAA violations.

Specifically, the HITECH Act addresses five main areas of the HIPAA regulations:

Applies the same HIPAA privacy and security requirements (and penalties) for covered entities to business associates

Establishes mandatory federal privacy and security breach reporting requirements for HIPAA covered entities and business associates

Creates new privacy requirements for HIPAA covered entities and business associates, including new accounting disclosure requirements and restrictions on sales and marketing

Establishes new criminal and civil penalties for HIPAA non-compliance and new enforcement methods

Mandates that the new security requirements must be incorporated into all Business Associate contracts



HIPAA Violations

The four categories used for the penalty structure for HIPAA violations are as follows:

Category 1: A violation that the covered entity was unaware of and could not have realistically avoided, had a reasonable amount of care been taken to abide by HIPAA rules

Category 2: A violation that the covered entity should have been aware of but could not have avoided even with a reasonable amount of care, but falling short of willful neglect of HIPAA rules

Category 3: A violation suffered as a direct result of "willful neglect" of HIPAA rules, in cases where an attempt has been made to correct the violation

Category 4: A violation of HIPAA rules constituting willful neglect, where no attempt has been made to correct the violation


HIPAA Penalty Fines

Each category of violation carries a separate HIPAA penalty, as follows:

Category 1: Minimum fine of $100 per violation up to $50,000

Category 2: Minimum fine of $1,000 per violation up to $50,000

Category 3: Minimum fine of $10,000 per violation up to $50,000

Category 4: Minimum fine of $50,000 per violation

Fines are issued per violation category per year that the violation was allowed to persist. The maximum fine per violation category per year is $1,500,000.


HIPAA Criminal Penalties

Criminal HIPAA violations are prosecuted by the Department of Justice, and are based on a 3-tier system:

Tier 1: Reasonable cause or no knowledge of violation - Up to 1 year in prison

Tier 2: Obtaining PHI under false pretenses - Up to 5 years in prison

Tier 3: Obtaining PHI for personal gain or with malicious intent - Up to 10 years in prison

State attorneys general are cracking down on data theft and are likely to make examples out of individuals found to have violated HIPAA Privacy Rules. A prison term for the theft of HIPAA data is therefore highly likely. All work staff likely to come into contact with PHI as part of their duties should be informed of the HIPAA criminal penalties.