HIPAA Violations and Enforcement

Failure to comply with HIPAA can result in civil and criminal penalties (42 USC § 1320d-5 for civil penalties and § 1320d-6 for criminal penalties).

Civil Penalties for Violating HIPAA

The American Recovery and Reinvestment Act of 2009 (ARRA), signed into law on February 17, 2009, established a tiered civil penalty structure for HIPAA violations. Within that structure, the Secretary of the Department of Health and Human Services (HHS) retains discretion in setting the amount of the penalty, based on the nature and extent of the violation and the nature and extent of the harm it caused. The Secretary is still prohibited from imposing civil penalties (except in cases of willful neglect) if the violation is corrected within 30 days; this period may be extended.

HIPAA Criminal Penalties for Violations

In June 2005, the U.S. Department of Justice (DOJ) clarified who can be held criminally liable under HIPAA. Covered entities and specified individuals (explained below) who "knowingly" obtain or disclose individually identifiable health information in violation of the Administrative Simplification Regulations face a fine of up to $50,000 and imprisonment of up to one year. Offenses committed under false pretenses carry a fine of up to $100,000 and up to five years in prison. Offenses committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm carry a fine of up to $250,000 and imprisonment of up to ten years.

Covered Entity and Specified Individuals

The DOJ concluded that the criminal penalties for a HIPAA violation apply directly to covered entities, including health care providers who transmit claims in electronic form, health plans, health care clearinghouses, and Medicare prescription drug card sponsors. Individuals such as directors, officers, or employees of a covered entity that is not itself an individual may also be directly criminally liable under HIPAA according to principles of "corporate criminal liability." Where an individual within a covered entity is not directly liable under HIPAA, they can still be charged with conspiracy or with aiding and abetting.


The DOJ interpreted the "knowingly" element of the HIPAA criminal statute as requiring only knowledge of the actions that constitute the offense. Specific knowledge that the action violates the HIPAA statute is not required.


Exclusion from Medicare

The Department of Health and Human Services (DHHS) has the authority to exclude from participation in Medicare any covered entity that was not compliant with the transaction and code set standards by October 16, 2003 (where an extension was obtained and the covered entity is not small) (68 FR 48805).

Enforcing Agencies

The DHHS Office for Civil Rights (OCR) enforces the privacy standards, while the Centers for Medicare and Medicaid Services (CMS) enforces the transaction and code set standards and the security standards (65 FR 18895). Note that this division dates from the rule's publication in 2000; in July 2009 HHS delegated enforcement of the security standards to OCR as well. At the time of writing, enforcement of the civil monetary penalty provisions had not yet been assigned to an agency.

Please refer to the AMA's FAQs on the privacy rules for additional information on enforcement of the privacy standards.

No Private Cause of Action

Although HIPAA protects the health information of individuals, it does not create a private cause of action for those harmed by a violation (65 FR 82566). State law, however, may provide other theories of liability.
