HIPAA Violations: Penalties Up to $2.19M Annually
A HIPAA violation is unauthorized access, use, or disclosure of protected health information. Learn the most common violations, real penalties from $145 to $2.19M annually, criminal consequences, reporting requirements, and prevention strategies.
What Is a HIPAA Violation?
Unauthorized employee access to patient records is a leading cause of healthcare data breaches, and HIPAA settlements can reach millions of dollars. A HIPAA violation is any failure to comply with HIPAA Privacy, Security, or Breach Notification Rules—including unauthorized PHI access, inadequate security safeguards, missing business associate agreements (BAAs), failure to provide patient records within 30 days, or delayed breach notification. Under HITECH Act enforcement, penalties range from $145 to $2.19 million annually per violation category, with criminal violations carrying up to 10 years imprisonment and $250,000 fines.
What Are the Most Common HIPAA Violations?
| Violation Type | Description | Example |
|---|---|---|
| Unauthorized Access | Employees viewing records without a work-related need (leading cause of healthcare data breaches) | An HR employee (Sarah) who accesses the EHR once a year for reporting can see every patient’s mental health records. Real prevention: role-based access limiting Sarah to ONLY the data her report needs, so she can’t search by patient name. Implementation takes 20-40 hours but catches 90% of snooping attempts. |
| Unencrypted Devices | Lost/stolen laptops, phones, USB drives without encryption | Stolen unencrypted laptop with 4 million patient records |
| Missing BAAs | Sharing PHI with vendors without signed agreements | Using cloud storage without Business Associate Agreement |
| Lack of Encryption | No encryption for ePHI transmission or storage | Emailing PHI using unencrypted standard email |
| Poor Access Controls | Excessive permissions or shared passwords | All staff can access all records regardless of role |
| No Risk Analysis | Failure to conduct comprehensive risk assessment | Never identifying vulnerabilities or documenting analysis |
| Improper Disposal | PHI in regular trash instead of shredding | Medical records found in dumpster without shredding |
| Delayed Breach Notification | Not notifying within 60 days of discovery | Waiting months to investigate before notifying patients |
How Much Is a HIPAA Violation Fine?
| Tier | Knowledge Level | Per Violation | Annual Maximum |
|---|---|---|---|
| Tier 1 | Unknowing | $145–$73,011 | $2,190,294 |
| Tier 2 | Reasonable cause | $1,461–$73,011 | $2,190,294 |
| Tier 3 | Willful neglect (corrected) | $14,602–$73,011 | $2,190,294 |
| Tier 4 | Willful neglect (not corrected) | $73,011 minimum | $2,190,294 |
Key points: Each violation of each rule provision is separate. Willful neglect not corrected within 30 days carries mandatory $73,011 minimum per violation.
How Much Do HIPAA Violations Cost? (Real Settlement Examples)
| Organization | Year | Violation | Settlement |
|---|---|---|---|
| Anthem Inc. | 2018 | Data breach (79M records), inadequate risk analysis | $16 million |
| Premera Blue Cross | 2020 | Failed to conduct risk analysis | $6.85 million |
| MD Anderson Cancer Center | 2018 | Lost unencrypted devices | $4.3 million |
| Cottage Health | 2018 | Insufficient network safeguards | $3 million |
Common themes: Lack of encryption, failure to conduct risk analysis, inadequate access controls.
What Happens When You Violate HIPAA?
Discovery:
- Patient complaints to OCR
- Employee reports (whistleblowers)
- Breach self-reporting to HHS
- OCR audits or media reports
OCR Investigation:
- Intake and jurisdiction review
- Request documentation, policies, training records, audit logs
- Analyze evidence for compliance status
- Resolution: no violation, corrective action plan, settlement, or civil penalty
Outcomes:
- Corrective Action Plan: Implement safeguards, revise policies, provide training
- Settlement: Pay monetary settlement plus corrective action and monitoring (2–3 years)
- Civil Penalty: Financial penalty imposed by OCR
- Criminal Referral: DOJ prosecution for serious violations
Consequences for Organizations: Settlement payments ($100K-$500K typical), breach notification costs (low-risk breaches: $50-100/person; medium-risk health data: $150-250/person; high-risk with SSN: $300-500/person), credit monitoring ($200/person annually for 3 years), legal fees ($50-200K), corrective action costs ($50-150K). Example: 5,000-person breach with health data = 5,000 × $200 + (5,000 × $200 × 3) = $3.2M in notification costs alone, plus settlement and legal fees. This is why prevention ($5-10K for encryption/access controls) is trivial by comparison.
Consequences for Employees: Immediate termination for unauthorized access, criminal prosecution (fines up to $250,000, imprisonment up to 10 years), difficulty finding future healthcare employment.
What Are the Criminal Penalties for HIPAA Violations?
| Offense | Maximum Fine | Maximum Prison |
|---|---|---|
| Knowingly obtaining/disclosing PHI | $50,000 | 1 year |
| Under false pretenses | $100,000 | 5 years |
| With intent to sell/transfer/use for gain or malicious harm | $250,000 | 10 years |
Department of Justice prosecutes violations involving PHI access for personal gain, selling patient information, identity theft/fraud, or malicious disclosure. Criminal prosecutions are exceptionally rare—fewer than 15 federal convictions since HIPAA’s inception in 1996.
How to Report a HIPAA Violation
File complaint with OCR:
- Online via OCR Complaint Portal: https://ocrportal.hhs.gov/ocr/smartscreen/main.jsf
- Within 180 days of when you learned of the violation
- Provide: your name/contact, organization name, description of what happened, date, supporting documentation
Internal reporting: Report to supervisor, Privacy/Security Officer, or anonymous hotline. Whistleblower protections prohibit retaliation.
How Do You Prevent HIPAA Violations?
1. Conduct Comprehensive Risk Analysis
- Assess where PHI exists, who has access, vulnerabilities, threats
- Document everything—risk analysis is foundation of compliance
- Review annually and after significant changes
2. Implement Strong Access Controls
- Unique user IDs (no shared accounts)
- Role-based access (minimum necessary)
- Multi-factor authentication
- Automatic logoff after inactivity
- Audit logging of all PHI access
- Immediate access termination when employees leave
3. Encrypt Everything
- Full disk encryption on all devices
- Encrypted email for PHI transmission
- Encrypted cloud storage and backups
- Encrypted mobile devices
- Safe harbor: encrypted PHI lost/stolen isn’t a breach if key not compromised
4. Execute Business Associate Agreements
- Determine if vendor is business associate
- Draft BAA specifying permitted uses, safeguards, breach notification
- Get BAA signed before sharing any PHI
- Never share PHI without BAA—automatic violation
5. Provide Comprehensive Training
- Initial HIPAA training within 30 days of hire
- Annual refresher training
- Cover: PHI definition, minimum necessary, authorized vs unauthorized access, security measures, reporting procedures
- Document with signed attestations
Track training completion across your workforce with automated timesheet reports showing which employees completed HIPAA certification during scheduled shifts—essential documentation for OCR audits proving compliance with workforce training requirements.
6. Monitor and Audit
- Review access logs monthly for suspicious patterns
- Audit high-risk areas (celebrity patients, employee records)
- Test incident response procedures
- Track patient complaints and requests
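As an added illustration of steps 2 and 6 above (audit logging of PHI access and monthly log review), not code from the original page: a small Python review helper that flags EHR accesses with no treatment relationship, by roles with no PHI need, to VIP-flagged patients, or to coworkers' records. The log format, the reference sets and all user and patient identifiers are constructed assumptions.

```python
import csv
from io import StringIO
from collections import defaultdict

# Constructed sample EHR audit log (one line per PHI access event)
SAMPLE_LOG = """timestamp,user,role,patient,action
2024-03-02T09:14:00,rn_patel,nurse,P1001,view
2024-03-02T09:20:00,rn_patel,nurse,P1002,view
2024-03-02T11:05:00,hr_sarah,hr,P2045,view
2024-03-03T14:30:00,dr_lee,physician,P7000,view
2024-03-03T14:31:00,dr_lee,physician,P1001,update
2024-03-04T08:00:00,billing_kim,billing,P3300,view
"""

# Constructed reference data (hypothetical; in practice pulled from EHR and HR systems)
TREATMENT_ASSIGNMENTS = {            # active treatment / operational relationships
    "rn_patel": {"P1001"},
    "dr_lee": {"P1001"},
    "billing_kim": {"P3300"},
}
VIP_PATIENTS = {"P7000"}             # high-profile patients: every access is reviewed
COWORKER_PATIENTS = {"P2045"}        # patient IDs that belong to current employees
ROLES_WITH_PHI_NEED = {"nurse", "physician", "billing"}  # HR has no clinical need

def audit_access_log(log_text, assignments=TREATMENT_ASSIGNMENTS,
                     vip=VIP_PATIENTS, coworkers=COWORKER_PATIENTS):
    """Return (user, patient, reasons) for every access that needs human review."""
    findings = []
    for row in csv.DictReader(StringIO(log_text)):
        reasons = []
        user, role, patient = row["user"], row["role"], row["patient"]
        if role not in ROLES_WITH_PHI_NEED:
            reasons.append("role_without_phi_need")      # minimum-necessary failure
        elif patient not in assignments.get(user, set()):
            reasons.append("no_treatment_relationship")  # classic snooping signal
        if patient in vip:
            reasons.append("vip_patient")                # high-risk area, always review
        if patient in coworkers:
            reasons.append("coworker_record")            # employee-record access
        if reasons:
            findings.append((user, patient, reasons))
    return findings

def flagged_users(findings):
    # Count review items per user so follow-up can be prioritised
    counts = defaultdict(int)
    for user, _, _ in findings:
        counts[user] += 1
    return dict(counts)
```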
The Bottom Line
HIPAA violations occur when patient information is accessed, used, or disclosed without authorization or when required safeguards are missing. Most common violations are unauthorized employee access, lost/stolen unencrypted devices, missing BAAs, lack of encryption, inadequate access controls, and failure to conduct risk analysis. Penalties range from $145 to $2.19 million annually per violation category. Prevent violations by conducting annual risk analyses, implementing encryption, maintaining strong access controls with unique user IDs, executing BAAs before sharing PHI, providing comprehensive workforce training, and monitoring access logs.
Prevent HIPAA Violations With Better Documentation
Most HIPAA violations stem from inadequate access controls and missing training documentation. Workforce reporting with audit trails helps you demonstrate compliance by tracking exactly which employees accessed systems, when training occurred, and how role-based access restrictions are enforced—turning what OCR considers violations into documented proof of your compliance program.
Sources
- HHS Office for Civil Rights – HIPAA Enforcement
- HHS OCR – Breach Notification Rule
- U.S. Department of Justice – Criminal HIPAA Prosecutions
Further Reading
- HIPAA Compliance Requirements – Complete compliance guide
- HIPAA Training Guide – Workforce training requirements
Frequently Asked Questions
What is a HIPAA violation?
A HIPAA violation is any failure to comply with HIPAA Privacy, Security, or Breach Notification Rules, including unauthorized PHI access, inadequate safeguards, missing BAAs, or delayed breach notification.
What are the most common HIPAA violations?
Most common violations are unauthorized employee access (snooping), lost/stolen unencrypted devices, missing BAAs, lack of encryption, inadequate access controls, and failure to conduct risk analysis.
What happens if you violate HIPAA?
Violations result in OCR investigations, civil penalties from $145 to $2.19 million annually, corrective action plans, mandatory monitoring, breach notification costs, legal fees, reputation damage, and possible criminal prosecution.
Can you go to jail for a HIPAA violation?
Yes, criminal violations can result in imprisonment up to 1 year (knowingly obtaining PHI), 5 years (false pretenses), or 10 years (intent to sell or use for personal gain/malicious harm).
How do I report a HIPAA violation?
File a complaint with the HHS Office for Civil Rights within 180 days via the online portal, including the organization name, a description of the violation, the date, and supporting documentation. Report internally to the Privacy Officer.
Is employee snooping a HIPAA violation?
Yes, accessing patient records without a legitimate work-related reason is an unauthorized access violation. Employees viewing celebrity, family, or coworker records typically face immediate termination and potential criminal prosecution.
What happens if an employee violates HIPAA?
Employees who violate HIPAA typically face immediate termination, difficulty finding future healthcare employment, potential criminal prosecution (fines up to $250,000, imprisonment up to 10 years), and private lawsuits from affected patients.
How much does a HIPAA violation cost?
Civil penalties range from $145 to $73,011 per violation, with annual maximums up to $2.19 million. Major settlements have reached $16M (Anthem), $6.85M (Premera), and $4.3M (MD Anderson). Breaches cost $100–$500+ per affected individual for notification and credit monitoring.