
Who Enforces HIPAA Fines for HIPAA Violations?
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is mainly responsible for issuing fines for HIPAA violations. Since the HITECH Act of 2009, state Attorneys General can also impose additional fines.

Who Do Civil Monetary Penalties Apply To?

  • Covered Entities (Healthcare Providers, Health Plans, Healthcare Clearinghouses).
  • Business Associates (entities that perform certain functions or activities involving the use of protected health information (PHI) on behalf of, or provide services to, a Covered Entity).
  • Work Staff Members


Civil Penalty Structure:

For a violation of HIPAA laws (HIPAA Privacy, Security, or Breach Notification Rules), the civil penalty is based on a tiered structure that reflects the knowledge a covered entity, business associate, or work staff member had of the violation. The Office for Civil Rights (OCR) sets the penalty based on a number of “general factors” and the seriousness of the HIPAA violation.


Civil Penalty Tiers:

  • Tier 1 / Lack of Knowledge: A violation that the entity was unaware of and could not have realistically avoided, had a reasonable amount of care been taken to abide by HIPAA Rules.
  • Tier 2 / Reasonable Cause: A violation that the entity should have been aware of but could not have avoided even with a reasonable amount of care (but falling short of willful neglect of HIPAA Rules).
  • Tier 3 / Willful Neglect (corrected): A violation suffered as a direct result of “willful neglect” of HIPAA Rules, in cases where an attempt has been made to correct the violation within 30 days.
  • Tier 4 / Willful Neglect (not corrected): A violation of HIPAA Rules constituting “willful neglect” where no attempt has been made to correct the violation within 30 days.


Why Did Civil Monetary Penalty Fines Increase?

In 2024, the civil penalty fines for HIPAA violations increased by 1.03% due to cost-of-living adjustments. These fines are reviewed and adjusted annually.

2024 HIPAA Penalty Structure - “Updated” Fines


2023 HIPAA Penalty Structure - “Older” Fines


Covered Entities, Business Associates, and Work Staff Members Not Following HIPAA Rules & Regulations Can Lead To:

  • Civil Monetary Penalties from $141 to $2,134,831, based on the level of culpability determined for the violation.
  • Criminal charges, fines, and prison sentences are decided by a judge based on the facts of the individual case. The minimum fine for a criminal violation of HIPAA is $50,000 and the maximum fine is $250,000.
    • Criminal violations that occur as a result of negligence can result in a prison term of up to 1 year.
    • Obtaining PHI under false pretenses carries a prison term of 5 years.
    • Knowingly disclosing PHI with malicious intent or for personal or commercial gain can result in a prison term of up to 10 years.
    • There is also a mandatory 2-year prison term for aggravated identity theft.
  • Reputation Damage to the Organization.
  • Loss of Client Trust.
  • Need for Corrective Actions.
  • Termination of Employment.
  • Being Suspended For A Period of Time.


Common HIPAA Violations


  1. Lost and Stolen Devices.
  2. Snooping on Healthcare Records.
  3. Lack of Training.
  4. Failure to Perform an Organization-wide Risk Analysis.
  5. Lack of a Risk Management Process.
  6. Denying Individuals Access to Health Records/Exceeding Timescale for Providing Access.
  7. Failure to Enter into a HIPAA-Compliant Business Associate Agreement (BAA).
  8. Insufficient electronic Protected Health Information (ePHI) Access Controls.
  9. Failure to Use Encryption or Equivalent Measures to Safeguard ePHI on Portable Devices.
  10. Exceeding the 60-day Deadline for Issuing Breach Notifications.
  11. Impermissible Disclosures of Protected Health Information (PHI).
  12. Improper Disposal of PHI.


Examples of Civil and Criminal Violations:


Civil

  • UnitedHealthcare was fined $80,000 by the Office for Civil Rights (OCR) after a patient complained about not receiving requested medical records due to an employee error. This was a HIPAA right of access failure.
  • Heritage Valley Health System was fined $950,000 for failure to conduct a risk analysis, lack of policies and procedures for responding to an emergency, and lack of technical policies and procedures for restricting access to systems containing ePHI.
  • St. Joseph’s Medical Center was fined $80,000 for allowing a reporter access to three patients and their clinical information without first obtaining authorizations from the patients.

Criminal

  • A former employee of the Veterans Affairs medical center in Long Beach, CA who stole the protected health information (PHI) of more than 1,000 patients was sentenced to three years in the state penitentiary. The former employee was pulled over by police officers after a check of his license plates revealed an anomaly: plates of a type typically reserved for commercial vehicles had been used on a private vehicle. The police officers found prescription medications for which the individual had no prescription, along with the social security numbers and other PHI of 14 patients, in his vehicle. A subsequent search of the individual’s apartment revealed hard drives and zip drives containing the PHI of 1,030 patients and more than $1,000 in cleaning supplies that had been stolen from the hospital.
  • A former receptionist at a New York dental practice was sentenced to serve two to six years in a state penitentiary for stealing the protected health information (PHI) of 653 patients. She had been given access to the computer system and dental records of patients in order to complete her work duties. She abused those access rights, stole the PHI, and then emailed it to her co-defendants, who used the data to steal identities and make fraudulent purchases of high-value items. The types of information stolen included names, birth dates, and social security numbers. They used the information to obtain credit lines in the victims’ names. Credit ranged from $2,000 to $7,000 per individual. They also used the credit to purchase Apple gift cards that were used to buy tablets and laptop computers totaling more than $700,000.
  • A nursing assistant was fired from her job and sentenced to 30 days in jail for posting a video of a patient online.


In closing, we all play a vital role in keeping sensitive health information protected here at Travis County, so thank you for doing your part!

If you would like general information about HIPAA, click to view the HIPAA page. There you can also check out the HIPAA Policies and Procedures, report a suspected privacy concern, and look over the HIPAA and Privacy Quick Reference Guide.