Next named exclusive Trail Blazer in NEW 2024 Radicati DLP Market Quadrant Report Read the Report
Updated: Mar 5, 2024   |   Georgina Stockley

What are the penalties for HIPAA violations and non-compliance?

Go back

Companies operating in the U.S. healthcare system must comply with the data security regulations set forth by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This federal law defines standards for protecting sensitive patient health information to restrict its disclosure without the patient’s consent.

Failure to maintain compliance with HIPAA can lead to substantial financial penalties and negative public relations.

This post provides an overview of the cost of HIPAA non-compliance for your business.

In this article:

An‎ overview of HIPAA compliance

Provider touching digital compliance icons representing HIPAA compliance

‎Sensitive protected healthcare data is referred to as personal health information or protected health information (PHI). When it's in digital format processed by IT systems, it's called electronic protected health information (ePHI).

Companies subject to HIPAA guidelines, including covered entities and business associates, are required to follow three main rules to achieve and maintain compliance.

The HIPAA Privacy Rule

The HIPAA Privacy Rule requires companies that process and store PHI to implement specific safeguards to protect the data’s privacy. The rule also sets limits on how the information can be used. Patient’s rights regarding their medical records are also defined in this rule.

The HIPAA Security Rule

The HIPAA Security Rule only applies to ePHI. The rule defines administrative, physical, and technical safeguards designed to protect ePHI. The Security Rule requires organizations to take measures to protect ePHI including:

  • Ensuring the confidentiality, integrity, and availability of ePHI
  • Protecting ePHI from unauthorized use or disclosure
  • Identifying and mitigating threats to the security of ePHI
  • Verifying HIPAA compliance by all members of the workforce

The HIPAA breach notification rule

This rule establishes the conditions that trigger a notification if PHI or ePHI is affected by a data breach. Depending on the type and severity of the breach, the individuals whose data was exposed, the Secretary of Health and Human Services, and under certain conditions, the media need to be notified.

Understandably, the publicity surrounding a breach notification can be very detrimental to a company’s reputation.

Wh‎at are HIPAA violations?

Provider logging in to a secure HIPAA compliant system

‎Failure to meet the HIPAA standards results in violations that can be addressed with financial penalties imposed on the violating organization. The penalties are based on several factors, which we'll discuss later in this article. The most common HIPAA violations include:

  • Lacking or insufficient technical, administrative, or physical safeguards for ePHI
  • The impermissible use or disclosure of ePHI
  • Disclosing more than the minimum necessary when handling ePHI
  • Not providing patient access to their protected health information

Violations may be uncovered in the wake of a forensic investigation into a data breach involving HIPAA-regulated information. Violations do not always result in financial penalties.

Organizations guilty of minor violations caused by mistreating the HIPAA rules may be allowed to take corrective action and achieve compliance. If they fail to follow the required corrective action plan, a monetary penalty will follow.

Wh‎at are the penalties for HIPAA non-compliance?

Provider using laptop with a secure document

HIPAA violations can result in civil and criminal penalties. Fines for HIPAA violations can be issued by the Department of Health and Human Services’ Office for Civil Rights (OCR) or state attorney generals. Typically, civil fines directly related to HIPAA violations are levied by the OCR.

As of January 2024, OCR has received more than 351,372 HIPAA complaints and, as a result of those complaints, has initiated over 1,183 compliance reviews. Ninety-nine percent of these cases (348,503) have been resolved.

State attorney generals enforce equivalent state standards. A civil monetary penalty issued by the state can be more costly than HIPAA penalties.

In situations when protected health information has been knowingly disclosed or obtained in violation of the rules, OCR refers these cases to the Department of Justice (DOJ) for criminal investigation.

Once the cases are referred to DOJ, they handle the criminal prosecutions under the Privacy Rule. This means that DOJ is responsible for investigating and prosecuting individuals or entities that have violated HIPAA regulations by unauthorized disclosures of protected health information.

Criminal penalties for HIPAA violations can result in monetary fines and even imprisonment. Fortunately, these cases are relatively rare. As of January 2024, OCR has made 2,074 referrals to DOJ for such cases.

Financial penalties

The financial penalties for HIPAA violations are established based on a tiered structure. Four tiers are used that consider the degree of accountability displayed by the violating entity. Deliberate violations, particularly those with intent to do malicious harm, are more likely to result in substantial fines.

  • Tier 1 - These are violations that the covered entity was unaware of and that could not have been avoided despite the organization conducting reasonable diligence.
  • Tier 2 - Violations in this tier involve issues that the covered entity should have been aware of but could not reasonably have been avoided.
  • Tier 3 - Tier 3 violations involve “willful neglect” of  HIPAA rules where an attempt has been made to address the issue.
  • Tier 4 - “Willful neglect” and no attempt to correct the compliance issue lead to the most serious penalties.

The 2024 HIPAA penalty structure

Graph of the 2024 HIPAA penalty structure

‎The long-term cost of negative public relations is impossible to calculate and can often be more damaging to the organization than the financial penalties of HIPAA non-compliance.

Ho‎w can DLP help your business maintain HIPAA compliance?

Provider touching shield and checkmark icon representing HIPAA compliance

‎A data loss prevention solution can help your business avoid the financial and reputational damage of HIPAA violations from data breaches involving ePHI. The tool automates the enforcement of an organization’s data handling policy to protect high-value information. Deliberate and unintentional attempts to misuse data are prohibited by a DLP platform.

Companies required to maintain HIPAA compliance should strongly consider implementing a tool like Reveal to ensure sensitive data remains safe. Reveal employs advanced AI and machine learning to restrict the unauthorized use of sensitive information such as ePHI. The platform also provides user training at the point of risk to promote a security-conscious culture.

Talk to the DLP experts at Next and book a Reveal demo. The tool helps you avoid potentially expensive HIPAA violations and protects your valuable data.

Fr‎equently asked questions

What are some of the technical safeguards of the HIPAA Security Rule?

The technical safeguards of the HIPAA Security Rule include:

  • Access controls that only allow authorized personnel access to ePHI
  • Audit controls to record and examine activity on systems containing ePHI
  • Integrity controls to ensure ePHI is not improperly destroyed or modified
  • Transmission security to protect against unauthorized access when ePHI is transmitted over a network

How are HIPAA violations discovered?

HIPAA violations may be discovered in a variety of ways.

  • Self-assessment - Companies should engage in regular risk assessments and internal audits to ensure their policies, procedures, and security measures comply with all HIPAA regulations.
  • Complaints - Individuals can complain about lack of access or excessive disclosure of their protected health information.
  • Data breaches - Data breaches are often precipitated by unaddressed HIPAA violations.

How does a company determine its HIPAA compliance standing?

Companies can determine their HIPAA compliance standing by performing a self-assessment or contracting a third-party auditor. They can ensure they are following all HIPAA guidelines and have implemented the necessary safeguards outlined in the Security Rule. Gaps should quickly be addressed to protect patient data and avoid the high cost of HIPAA violations.


See how Next protects your employees and prevents data loss