It is the nature of rules. They carry penalties. HIPAA’s Privacy Rule and the Security Rule are no exception with financial penalties topping out at $1,919,173 per violation. Per day. And plus there’s jail. So.

Hey? Let’s talk about it?

You’ll no doubt recall that the Privacy Rule and Security Rule were promulgated by the Department of Health and Human Services in furtherance of HIPAA—the Health Insurance Portability and Accountability Act of 1996. The Office for Civil Rights (the OCR, which is part of HHS) is responsible for enforcing HIPAA compliance and investigating alleged violations. And the OCR works with the Department of Justice where there may be criminal violations. More on that later.

In 2009 enforcement authority expanded when Congress enacted the Health Information Technology for Economic and Clinical Health Act which sought to persuade the medical industry—who were continuing until then to single-handedly keep the filing-cabinet industry afloat—to embrace electronic health records and related technology. The HITECH Act, as it is known, also gave state attorneys general the authority to hold covered entities accountable for the exposure of their residents’ protected health information.

Failing to comply with HIPAA or breaching a business associate agreement can lead to simultaneous investigations by all three government bodies—because one wasn’t enough. Depending on the agency, penalties range from civil to criminal. The most common outcome is a settlement requiring the infringing party to take certain ongoing compliance actions. But even in those cases, the investigations themselves can consume tremendous time and resources. And the mere existence of an investigation—even a past, closed investigation—can derail business opportunities and trigger contract terminations.

The most frequent targets for investigation are covered entities—hospitals and health-insurance companies. Most fines are imposed on covered entities.

So does that mean business associates are in the clear?
Business associates can be held liable for HIPAA violations in several ways. We can’t get into every single way a business associate can put itself out of business. But a few violations seem to occur more than others. Business associates have mainly been held liable for failing to comply with the Security Rule, failing to enter into business associate agreements with their own subcontractors, and for various impermissible uses and disclosures of protected health information.

If your company is a business associate, your best bet for avoiding investigation is to comply carefully with all business associate agreements. And, of course, don’t misuse PHI!

Since HIPAA was enacted, there have been hundreds, if not thousands, of penalties imposed against people and organizations. OCR separates the penalties into four different tiers based on escalating severity.

Tier one violations are foot faults—arising from a lack of knowledge, mostly—and they carry minimum penalties of $127 per violation. Penalties escalate quickly from there. Tier four violations involve willful neglect or intentionality coupled with a failure to correct the violations. (Tier three is the same, but you tried to fix it.)

Tier four fines range from $60,973 to $1,919,173 per violation. (These numbers are adjusted annually for inflation.) Ongoing violations may be calculated on a daily basis. In other words, sixty thousand to one point nine million dollars per day. And penalties that arise from willful neglect (tiers 3 and 4) cannot be waived.

If monetary fines are not enough to scare people into compliance—and just so we’re all clear on this point, they should be—there is also the jail thing. Criminal penalties can be imposed when an individual intentionally uses or sells protected health information without consent.

And it’s actually not jail, by the way, which sounds cute. Like Monopoly. No. Criminal penalties range from one to ten years, which means prison. Which is not cute.

(Neither is jail, guys. Come on.)

Anyway… Staying HIPAA compliant is a heavy burden. No doubt. There’s a very, very long list of requirements. But the alternative is definitively, without question, much worse. (This is the kind of thing we’re talking about when we say our motto is “Yes > No > Jail”.)

For the basics of HIPAA compliance / prison avoidance, check out our previous posts in this series where we describe the ground rules of compliance.

And as always, give us a call if you’d like help putting this stuff into action. It’s kind of our thing.