HIPAA Violations
The Department of Health and Human Services’ Office for Civil Rights enforces HIPAA’s Privacy, Security, and Breach Notification Rules. HIPAA’s Enforcement Rule grants OCR the power to investigate complaints against CEs and data breaches and levy fines against organizations that violate HIPAA.

OCR also has the power to conduct compliance reviews of any HIPAA CE or BA to ensure the organization’s policies and procedures comply with HIPAA’s Rules.

In certain circumstances, OCR can work with the Department of Justice to pursue criminal violations of HIPAA. For example, an employee who steals ePHI for identity fraud may face criminal charges for their actions.

The categories of HIPAA violation are divided into tiers, as follows:
  • Tier 1: An offense that the CE was unaware of and could not realistically have known about or avoided, even had a reasonable amount of care been taken to abide by HIPAA Rules
  • Tier 2: A violation that the CE should have been aware of but could not have avoided even with a reasonable amount of care, falling short of willful neglect of HIPAA Rules
  • Tier 3: A violation suffered as a direct result of “willful neglect” of HIPAA Rules in cases where an attempt has been made to correct the breach within 30 days
  • Tier 4: A violation of HIPAA Rules constituting willful neglect, where no attempt has been made to correct the breach within a reasonable time frame

OCR can waive a financial penalty if the CE in question could not have been expected to avoid a data breach, a so-called “unknown violation.”

Penalties for HIPAA Violations

The US Department of Justice may levy a fine of up to $250,000 for criminal HIPAA violations and up to 10 years' imprisonment for knowing abuse or misuse of PHI. A mandatory 2-year jail term is also required for aggravated identity theft.

OCR can issue civil monetary penalties (CMPs) of up to $50,000 per violation with an annual maximum of $1.5 million for a Tier 4 violation.

OCR considers a wide range of factors when determining the appropriate penalty, including the length of time over which the violation occurred, the number of people affected, the types of data compromised, the financial means of the organization, the harmful consequences of the breach, and efforts made to voluntarily correct violations when they are discovered.

OCR also considers the organization’s willingness to assist with OCR investigations. OCR is more likely to be lenient on organizations that cooperate fully with a breach investigation.
The civil monetary penalty ranges for each tier are as follows:
  • Tier 1: Minimum fine of $100 per violation, up to $50,000 per violation; maximum annual penalty of $25,000 for violations of an identical provision
  • Tier 2: Minimum fine of $1,000 per violation, up to $50,000 per violation; maximum annual penalty of $100,000 for violations of an identical provision
  • Tier 3: Minimum fine of $10,000 per violation, up to $50,000 per violation; maximum annual penalty of $250,000 for violations of an identical provision
  • Tier 4: Fine of $50,000 per violation; maximum annual penalty of $1.5 million for violations of an identical provision