HIPAA Penalties for Noncompliance

The U.S Department of Health & Human Services (HHS) oversees and administers HIPAA standards. The office conducts investigations and compliance reviews to ensure that the standards are being followed. HHS will assist providers in understanding the regulations to ensure compliance of the rules. There are two types of penalties for noncompliance of HIPAA, civil and criminal.

The civil penalties for noncompliance are based on many factors. Violations occurring prior to February 18, 2009, have different monetary values than if the violation occurred after that date. The provider's knowledge or foreseen knowledge of the violation and whether the provisions of HIPAA were willfully violated determine the civil monetary penalty. The penalty for violations prior to February 18, 2009, is $100 per violation with a $25,000 year maximum. For violations on or after February 18, 2009, the fine is $100 to $50,000 or more per violation, with a $1.5 million maximum. Penalties will not be imposed if HHS finds that the violation was not intentional and was corrected within 30 days or if the department has assessed a criminal penalty.

Criminal penalties are handled by the U.S. Department of Justice. Anyone who is intentionally in violation of the privacy rule can face up to one year in prison and up to a $50,000 fine. Penalties increase to up to five years prison time and up to a fine of $100,000 for violations that involve false pretenses, and up to 10 years prison time and up to a $250,000 fine if the violation involves the transferring of health information for profit or intentional harm.