Medical and Patient Reporting

In 1996, President Bill Clinton signed the Health Insurance Portability and Accountability Act (HIPAA), which had been enacted by the 104th United States Congress. The act and its implementing rules set out civil and criminal penalties for those who violate the rules protecting individually identifiable health information, known as protected health information (PHI).

Civil HIPAA penalties range from $100 to $50,000 per violation, capped at $1.5 million per calendar year for identical violations (the base figures in the rule; OCR applies inflation adjustments to them). If the conduct is also a crime, offenders can face imprisonment of up to one, five or ten years, depending on the offense.

Read on for the main HIPAA violation tiers and the civil and criminal penalties attached to each.

  1. Civil Monetary Penalties
  2. Criminal Penalties
  3. Example of Civil Penalty for Unknowingly Violating HIPAA
  4. HIPAA Noncompliance Penalties

Civil Monetary Penalties

Tier One Violation

A tier one violation is one the entity or individual did not know about and, even by exercising reasonable diligence, would not have known was a HIPAA violation. In other words, they acted with reasonable diligence but still failed to meet a HIPAA requirement.

The penalty for each tier one violation is between $100 and $50,000, with an upper limit of $1.5 million for identical violations within a calendar year.

Tier Two Violation

A tier two violation is one committed with reasonable cause but not due to willful neglect. The penalty ranges from $1,000 to $50,000 per violation, with a maximum of $1.5 million for repeated identical violations in one calendar year.

Tier Three Violation

Violations due to willful neglect that are corrected within the required time (30 days from the date the entity knew, or should have known, of the violation) fall into tier three. Tier three violations attract fines ranging from $10,000 to $50,000 each.

The annual cap is again $1.5 million for identical violations within one calendar year.

Tier Four Violation

A violation that is due to willful neglect and is not corrected within the required time is a tier four violation. The penalty is at least $50,000 per violation, and, like the other tiers, it is capped at $1.5 million for identical violations within a calendar year.

Criminal Penalties

Tier One

The basic criminal offense is knowingly obtaining or disclosing individually identifiable health information in violation of HIPAA, with no aggravating factor such as false pretenses or intent to profit. It carries a fine of up to $50,000 and imprisonment of up to one year.

Tier Two

A violation committed under false pretenses falls under tier two, with a fine of up to $100,000 and imprisonment of up to five years.

Tier Three

The most serious HIPAA criminal violation is a tier three violation: obtaining or disclosing PHI with intent to sell or transfer it, or to use it for commercial advantage, personal gain, or malicious harm. It carries a fine of up to $250,000 and imprisonment of up to 10 years.

Example of Civil Penalty for Unknowingly Violating HIPAA

Not knowing the rules is no defense: there is no justifiable excuse for failing to implement the safeguards that prevent HIPAA violations, so an entity can be fined whether it violated HIPAA knowingly or unknowingly.

The HHS Office for Civil Rights (OCR) and state attorneys general can impose the HIPAA penalties described above; OCR may also reduce or waive a penalty.

In April 2017, CardioNet agreed to a $2.5 million settlement with OCR after failing to conduct a complete risk analysis. According to OCR, the company had not fully understood what HIPAA required of it.

The incident behind the case was the theft of a laptop containing unsecured electronic PHI from an employee's car, parked outside the employee's home. The theft exposed the PHI of 1,391 individuals, and CardioNet's incomplete risk analysis meant the risk of exactly this kind of loss had never been properly assessed.

Roger Severino, the OCR Director at the time, characterized the penalty as the consequence of disregarding security.

HIPAA Noncompliance Penalties

Covered entities (CEs) and their business associates (BAs) can be penalized for HIPAA noncompliance even when no breach of PHI has occurred and no patient has complained. OCR has the authority to find violations through its own audits and investigations.

Care New England Health System

For instance, in September 2016, OCR reached a $400,000 settlement with Care New England Health System over noncompliance. The violations included failing to update a business associate agreement (BAA) that had been signed in March 2005.

By contrast, OCR's first round of HIPAA audits in 2011/2012 resulted in no fines. That pilot program was treated as a compliance-improvement exercise rather than enforcement: instead of penalties, OCR offered technical assistance to help the audited entities comply.

Conclusion – HIPAA Violation Penalties

In this guide, we outlined the HIPAA civil and criminal penalty tiers and gave examples of entities that were penalized. We hope you found it helpful and that you will take action to comply with HIPAA regulations.
