HIPAA Violation Penalty Structure
Each category of violation carries a separate HIPAA penalty. It is up to OCR to determine a financial penalty within the appropriate range. OCR considers a number of factors when determining penalties, such as:
1. The length of time a violation was allowed to persist.
2. The number of people affected and the nature of the data exposed.
3. The organization's willingness to assist with an OCR investigation.
The general factors that can affect the level of financial penalty also include prior history, the organization's financial condition and the level of harm caused by the violation.
Tier 1: Minimum fine of $100 per violation, up to $50,000
Tier 2: Minimum fine of $1,000 per violation, up to $50,000
Tier 3: Minimum fine of $10,000 per violation, up to $50,000
Tier 4: Minimum fine of $50,000 per violation
The above fines for HIPAA violations are those stipulated by the HITECH Act. It should be noted that these amounts are adjusted annually to take inflation into account; the inflation-adjusted civil monetary penalties for 2018 and 2019 are published separately.
The HITECH Act increased the possible penalties for HIPAA violations to strengthen enforcement of HIPAA compliance and to give HIPAA covered entities a greater incentive to press forward with their compliance programs.
A data breach or security incident that results from any violation could see separate fines issued for different aspects of the breach under multiple security and privacy standards. A fine of $50,000 could, in theory, be issued for any violation of HIPAA rules, however minor.
A fine may also be applied on a daily basis.
For example, if a covered entity has been denying patients the right to obtain copies of their medical records, and has been doing so for a period of one year, OCR may decide to apply a penalty for each day that the covered entity has been in violation of the law. The penalty would be multiplied by 365, not by the number of patients who have been refused access to their medical records.
Although it was mentioned above that OCR has the discretion to waive a civil penalty for unknowingly violating HIPAA, ignorance of the HIPAA regulations is not regarded as a justifiable excuse for failing to implement the appropriate safeguards.
In April 2017, the remote cardiac monitoring service CardioNet was fined $2.5 million for failing to fully understand the HIPAA requirements and subsequently failing to conduct a complete risk assessment.
As a result of the incomplete risk assessment, the PHI of 1,391 individuals was potentially disclosed without authorization when a laptop containing the data was stolen from a car parked outside an employee's home. Speaking after details of the fine had been announced, OCR Director Roger Severino described the civil penalty for unknowingly violating HIPAA as a penalty for disregarding security.
It may also be possible for a covered entity or business associate to receive a civil penalty for unknowingly violating HIPAA if the state in which the violation occurs allows individuals to bring legal action against the person(s) responsible for the violation. Although HIPAA lacks a private right of action, individuals can still use the regulations to establish a standard of care under common law. Several cases of this nature are currently in progress.