Consequences of HIPAA Violations
The Health Insurance Portability and Accountability Act protects the privacy of medical patients. Typically, a HIPAA violation involves a doctor or medical researcher divulging the medical history of a patient. As HIPAA is a federal law, violations carry the same punishments across the country. Such punishments can include heavy fines and jail time.
Civil Penalties
A civil penalty under HIPAA applies to a violation that occurred through unknowingly divulging patient information. This type of violation has several levels of severity. The least severe is when a person divulges information unknowingly even though they were working to prevent patient information from being leaked. The most severe is when a person did not know they were divulging information, but the leak happened because of willful neglect of the situation rather than despite active efforts to stop it. Penalties also vary depending on whether the person has tried to correct the situation.
For a civil penalty, the minimum monetary fine is $100 per violation, which can be repeated for up to $25,000 during a calendar year. The maximum fine is $50,000 per violation, which can be repeated for up to $1.5 million in a calendar year.
Criminal Penalties
For a HIPAA violation to be considered criminal, the person who committed the violation must have done so willingly, fully understanding the implications of divulging the information.
Like the civil penalties, there are different levels of severity for criminal violations. The minimum penalty is $50,000 and up to one year in jail. Cases that are deemed malicious, such as when someone sells medical information with the intent to harm an individual or for personal gain, are punishable by a fine of up to $250,000 and up to 10 years of jail time.
Enforcing the Penalties
The Department of Justice is responsible for clarifying the definition of the law, such as which penalties may be considered civil and which are criminal. Once the law is in effect, the Office for Civil Rights (OCR), an office in the Department of Health and Human Services, is responsible for determining the level of penalty in a given case. To begin a HIPAA investigation, a patient must file a complaint with the OCR; each complaint is investigated on a case-by-case basis by OCR or the Department of Justice.