The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

What Happens if You Break HIPAA Rules?

What happens if you break HIPAA Rules depends on whether you are a covered entity or business associate, or a member of either’s workforce. If the former, you may be liable for sanctions issued by HHS’ Office for Civil Rights, State Attorneys General, and/or the Federal Trade Commission. If the latter, the consequences depend on the content of your employer’s HIPAA sanctions policy.

What Happens if You Break HIPAA Rules?

If you break HIPAA Rules as a member of a covered entity’s or business associate’s workforce, there are four potential outcomes:

  1. The violation could be dealt with internally by an employer
  2. Your contract of employment could be terminated
  3. You could face sanctions from professional boards
  4. You could face criminal charges which include fines and imprisonment

What happens if you break HIPAA compliance rules will depend on the severity of the violation. The actions of employers, professional boards, federal regulators, and the Department of Justice will depend on several factors:

  1. The nature of the violation
  2. Whether there was knowledge that HIPAA Rules were being violated, or by exercising due diligence, it should have been clear that HIPAA Rules were being violated
  3. Whether action was taken to correct the violation
  4. Whether there was malicious intent or HIPAA Rules were violated for personal gain
  5. The harm caused by the violation(s)
  6. The number of people impacted by the violation
  7. Whether there was a violation of the criminal provision of HIPAA

Civil Penalties for HIPAA Violations

Civil penalties can be imposed on covered entities or business associates by HHS’ Office for Civil Rights for any violations of HIPAA – not just those that result in a data breach or other impermissible disclosure of protected health information. Civil penalties for HIPAA violations start at $137 per violation (as of December 2023) and can rise to $2,067,813 when a violation is attributable to willful neglect and not corrected within 30 days. Covered entities and business associates may also be required to comply with a corrective action plan.


State Attorneys General are permitted to pursue civil penalties for HIPAA violations by the HITECH Act. However, State Attorneys General can only pursue civil penalties once HHS’ Office for Civil Rights has conducted an investigation and it can be proven that a resident of the state has suffered harm due to a HIPAA violation. The Federal Trade Commission can also take action against organizations not covered by HIPAA if the organization suffers a data breach and/or fails to comply with the Breach Notification Rule.

Criminal Penalties for HIPAA Violations

Both individuals and organizations can be charged with knowingly and wrongfully disclosing individually identifiable health information without authorization if OCR believes there has been a criminal HIPAA violation. The minimum fine for criminal violations of HIPAA is $50,000. The maximum criminal penalty for a HIPAA violation by an individual is $250,000. Restitution may also need to be paid to the victims. In addition to the financial penalty, a jail term is possible for a criminal violation of HIPAA Rules.

As with the penalties for HIPAA violations for HIPAA covered entities and business associates, there are penalty tiers for jail terms.

  1. Criminal violations that occur as a result of negligence can result in a prison term of up to 1 year.
  2. Obtaining protected health information under false pretenses carries a maximum prison term of 5 years.
  3. Knowingly disclosing PHI with malicious intent or for personal/commercial gain can result in a prison term of up to 10 years.
  4. There is also a mandatory two-year jail term for aggravated identity theft.

What Happens if You Break HIPAA Rules FAQs

What happens if you violate HIPAA?

If you violate HIPAA, and you are a member of a covered entity’s or business associate’s workforce, the consequences of the violation will depend on the organization’s sanctions policy. If you are a covered entity or business associate, you are required to report the violation to HHS’ Office for Civil Rights if it has resulted in an impermissible disclosure of unsecured PHI.

What are the consequences of violating HIPAA?

The consequences of violating HIPAA depend on your HIPAA “status” (covered entity, business associate, workforce member, etc.) and the nature of the violation. In most cases, the consequences of violating HIPAA for workforce members are subject to their employer’s sanctions policy. However, if a violation of HIPAA results in an impermissible disclosure of PHI or a data breach, it must be notified to the affected individual(s) and HHS’ Office for Civil Rights – who will decide on what consequences are appropriate.

What happens if a medical facility violates the HIPAA Privacy Rule?

If a medical facility violates the HIPAA Privacy Rule, the consequences depend on who identifies the violation and what they do with that information. For example, if a member of the workforce identifies the information, it is likely to be reported to a compliance officer and the violation resolved internally. Similarly, a patient could report the violation to the person indicated on the Notice of Privacy Practices, which would again result in an internal resolution.

However, both members of the workforce and the patient could report the HIPAA violation to HHS’ Office for Civil Rights via the OCR Complaints Portal. In this case, OCR would review the case and seek evidence of the violation from the complainant; if there is sufficient evidence to suggest a violation has occurred, OCR may choose to conduct an investigation. If a violation is found, the penalty will reflect the nature and seriousness of the violation.

What happens if a doctor violates HIPAA?

What happens if a doctor violates HIPAA depends on the doctor’s HIPAA status. If he or she is employed by a covered entity or business associate, the doctor will be subject to the penalties stipulated by their employer’s sanctions policy. If the doctor is a sole practitioner, and the violation is reported to HHS’ Office for Civil Rights, the doctor may be investigated and required to comply with a Corrective Action Plan and/or issued with a civil monetary penalty.

What happens if you break HIPAA rules due to a lack of training?

If you break HIPAA rules due to a lack of training, your employer is at fault because he or she has a legal requirement to provide training “as necessary and appropriate for members of the workforce to carry out their function in a HIPAA-compliant manner” (HIPAA Privacy Rule). To prevent any dispute about whether appropriate training has been provided, employers are required to document what training has been provided, when it was provided, and who attended.

Can I get in trouble for disclosing more than the minimum necessary information?

You can get in trouble for disclosing more than the minimum necessary information, but what the consequences will be depends on the circumstances, how much information was disclosed, and whether it had a negative impact on the patient. The Privacy Rule does allow for incidental disclosures – which are “by-products of another permissible use or disclosure” – provided the minimum necessary rule has been applied with respect to the primary use or disclosure.

Who is to blame for inadvertent disclosures caused by a computer error?

The blame for inadvertent disclosures caused by a computer error can only be determined by an investigation into the event. Covered entities and business associates are required to implement administrative, technical, and physical safeguards to prevent computer errors. If the inadvertent disclosure is attributable to a covered entity or business associate failing to implement safeguards – or failing to provide instruction on how to use the computer securely – the employer is at fault. If, however, the inadvertent disclosure is attributable to operator error, the employee is at fault.

How are breaches of HIPAA identified?

Breaches of HIPAA can be identified in various ways. A covered entity or business associate can find them during a risk analysis, HHS’ Office for Civil Rights can find them during a HIPAA audit, or the patient(s) whose data has been disclosed without authorization can report it. Third parties scouring the Internet for vulnerable applications and storage volumes can also identify breaches of HIPAA.

What if I am aware of a colleague breaking HIPAA rules?

If you are aware of a colleague breaking HIPAA Rules, your employer should have a process for reporting breaches of HIPAA. Usually, you report the breach to a supervisor, manager, or departmental head; but, if you are uncomfortable speaking with somebody in your department – or your supervisor, manager, or departmental head is the colleague breaking HIPAA rules – you should be able to speak with your organization’s HIPAA Privacy Officer.

Can healthcare workers get HIPAA violation fines?

Healthcare workers can get HIPAA violation fines, but only when they are found guilty of a criminal violation of HIPAA. Most HIPAA violation fines are for civil violations of HIPAA, and these are issued to covered entities and business associates. Unless a healthcare worker qualifies as a covered entity or business associate by being a solo practitioner or service provider, they will not be fined for a civil violation of HIPAA.

Who sets HIPAA violation punishment tiers in sanctions policies?

HIPAA violation tiers in sanctions policies are set by each individual organization based on HR best practices. Tier 1 most often consists of a verbal warning and/or refresher training, Tier 2 is often a written or final warning, and Tier 3 is often termination of contract.

However, it is not necessarily the case that an employee gets three strikes and is out. Depending on the nature and frequency of violations, an employee may stay on the same HIPAA violation punishment tier for offences of a minor nature.

Is a HIPAA violation a felony?

A HIPAA violation can be a felony if it is a Tier 2 or Tier 3 criminal violation related to the knowing and wrongful disclosure of individually identifiable health information. This is according to a Memorandum Opinion published in 2005 by The General Counsel for the Department of Health and Human Services and the Senior Counsel to the Deputy Attorney General – which may be interpreted differently by other legal professionals.

What happens if you violate HIPAA accidentally?

If you violate HIPAA accidentally, what happens depends on the nature of the violation, the content of your employer’s sanctions policy, and your previous history of accidental HIPAA violations. Some accidental violations are permitted by HIPAA (i.e., incidental disclosures). However, you should always report the violation to a Privacy Officer so they can determine the next course of action.

What are the penalties for HIPAA violations by volunteers?

The penalties for HIPAA violations by volunteers are the same as for any other member of the workforce. This is because the Privacy Rule requires covered entities to train all members of the workforce on HIPAA – including volunteers. If a covered entity fails to train volunteers on HIPAA compliance, it is a violation of HIPAA for which the covered entity is responsible. In such cases, there would be no civil penalties for HIPAA violations by volunteers.

What happens if someone violates HIPAA due to a lack of knowledge?

If someone violates HIPAA due to a lack of knowledge, the covered entity for whom the individual works is guilty of a HIPAA violation for failing to provide adequate training. The risk of a HIPAA violation occurring due to a lack of knowledge is something that covered entities should identify in a risk analysis. If a covered entity fails to ensure a member of the workforce has adequate knowledge before being exposed to PHI, it is the covered entity who is liable for the violation rather than the individual.

What are the legal ramifications of HIPAA violations?

The legal ramifications of HIPAA violations depend on whether the violation is civil or criminal. If a violation is a civil violation, there are no legal ramifications. However, if a violation is a criminal violation, the individual or organization charged with the criminal violation will likely be fined and/or receive a custodial sentence which will remain on their record.

What are the consequences of breaking HIPAA Rules set by your employer?

The consequences of breaking HIPAA Rules set by your employer depend on the content of your employer’s HIPAA sanctions policy. In most cases, when an employee first breaks HIPAA Rules, the consequences are a verbal warning and refresher training – unless the violation has a significant impact on patients or your employer, in which case the consequence would likely be a written warning or a suspension.

What is the maximum penalty for a HIPAA violation?

The maximum penalty for a HIPAA violation depends on the nature of the violation and who is responsible for it. For example, the maximum penalty for a civil violation of HIPAA by a member of the workforce is termination of contract and – if a healthcare professional – referral to the healthcare professional’s licensing authority.

The maximum penalty for civil violations by covered entities and business associates is $2,067,813 per violation type per year (as of December 2023). Covered entities can also be suspended from Medicare for a civil violation of HIPAA, and be issued with further financial penalties by State Attorneys General and the courts – if the state in which the violation happens allows for a private right of action.

The maximum penalty for a criminal HIPAA violation is the same for individuals and organizations. If either is found guilty of wrongfully and knowingly disclosing individually identifiable health information under false pretenses and for personal/commercial gain or malicious intent, the penalty is up to ten years in jail and a fine of up to $250,000.

What can happen to a healthcare worker or their workplace if they do not follow HIPAA laws?

What can happen to a healthcare worker or their workplace if they do not follow HIPAA laws depends on the nature of violations that occur due to their willful neglect and the consequences of the violations. It also makes a difference whether any subsequent violations are civil or criminal.

A healthcare worker that does not follow the policies developed by their employer to comply with HIPAA laws will be sanctioned according to the employer’s sanction policy. A punishment for a HIPAA violation can range from a verbal warning to termination of contract.

An employer that does not follow HIPAA laws will likely be fined by HHS’ Office for Civil Rights if their negligence results in an impermissible disclosure or a breach of unsecured PHI. The employer can also be fined for violations when patients are refused access to PHI or an accounting of disclosures.

What should you do if you violate HIPAA?

What you should do if you violate HIPAA depends on the procedures explained to you during your HIPAA training. You may have to report the violation to a supervisor, department head, or directly to a Privacy Officer. If the violation causes a security incident you may have to report it to your Security Officer. Whoever you have to report the violation to, it is important that you report in order to mitigate any consequences as quickly as possible.

What can happen if HIPAA is violated?

What can happen if HIPAA is violated depends on the nature of the violation, the consequences of the violation, how quickly the consequences are mitigated, and the prior compliance history of the individual or organization that violated HIPAA. Generally, individuals are subject to the penalties in their employer’s sanctions policy, while organizations may be required to comply with a corrective action plan or might be fined if the violation results in a breach of unsecured PHI.

Can you go to jail for a HIPAA violation?

You can go to jail for a HIPAA violation if the violation relates to the wrongful and knowing disclosure of individually identifiable health information contrary to §1177 of the Social Security Act. The length of the jail term depends on whether the violation was negligent, whether the disclosure was made under false pretenses, and whether the violation was for personal gain or malicious harm.


Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
