What Is the Fine for a HIPAA Violation?

In 2018, Anthem experienced the largest health data breach ever known when cyberattacks leaked over 79 million people’s information. 

The incident cost Anthem $16 million. 

HIPAA regulations are taken seriously in both healthcare and law. One violation can cost companies and individuals dearly.

What Is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) was put into effect in 1996. It protects patients’ medical records, makes it easier for individuals to use their health insurance at a variety of locations and allows streamlined sharing of data. 

When HIPAA rules are not followed, a violation occurs. The fines are determined by the violation’s severity. 

Patients harmed by a HIPAA violation may seek monetary damages for the offense. Although they cannot sue under HIPAA itself, they can take other legal action against healthcare providers and other entities.

HIPAA Violation Tiers

To accurately reflect the severity of the violation that occurs, there is a civil and criminal penalty tier system. The Office for Civil Rights (OCR) and the Department of Justice (DOJ) are in charge of civil and criminal offenses, respectively. 

The Civil Tier System

The severity of civil violations is broken into four tiers. 

First-tier incidents occur when an entity has no knowledge of the breach of regulations. Even with due diligence, the organization or company could not have known the regulations were violated. A tier one offense requires entities to pay $100 to $50,000 per violation, with a maximum penalty of $25,000 in a year.

The second tier involves situations where a party knew or, with due diligence, should have known about the violation. Fines range from $1,000 to $50,000 per violation, with a cap of $100,000 per year.

The third tier covers willful neglect of HIPAA rules where the organization corrected the violation within 30 days of discovering it. This violation results in fines ranging from $10,000 to $50,000 per case, with a yearly total of no more than $250,000.

The fourth and final tier is characterized by willful neglect of HIPAA regulations without any effort to correct the violation. Organizations receive penalties of $50,000 per case, with a maximum penalty of $1.5 million per year.

The Criminal Tier System

Covered entities and individuals may also face criminal charges.

If an individual or covered entity was not aware, and had no way of knowing, that they violated HIPAA, they face up to one year in prison and a maximum fine of $50,000.

If the rules are broken under false pretenses, parties face up to 5 years in prison and $100,000 in fines. 

When information is leaked or stolen for malicious purposes or personal gain, the punishment rises to up to 10 years in prison and $250,000 in fines. 

Reporting Violations

Patients trust healthcare providers with their personal information, and when this trust is disregarded, severe consequences occur. If you need to report a HIPAA violation, use the Complaint Portal Assistant on the OCR’s website.