The below tiered civil penalty structure was established from the American Recovery and Reinvestment Act of 2009. The Secretary of HHS still has discretion in determining the penalty amount based on the nature and extent of the violation as well as the nature and extent of harm resulting from the violation. The Secretary is prohibited from imposing civil penalties (except in cases of willful neglect) if the violation is corrected within 30 days (this time period may be extended).
Covered entities and specified individuals (see definition below) are subject to the following fines and incarcerations for HIPAA violations.
- Knowingly obtaining or disclosing individually identifiable health information in violation of the Administrative Simplification Regulations:
- Fine: Up to $50,000.Imprisonment: Up to 1 year.
- Offenses committed under false pretenses:
- Fine: Up to $100,000 fine.Imprisonment: Up to 5 years.
- Offenses committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm:
- Fine: Up to $250,000.Imprisonment: Up to 10 years.
Covered Entity and Specified Individuals
In June 2005, the U.S. Department of Justice (DOJ) concluded that criminal penalties for a HIPAA violation are directly applicable to covered entities—including health plans, health care clearinghouses, health care providers who transmit claims in electronic form, and Medicare prescription drug card sponsors. Individuals such as directors, employees, or officers of the covered entity, where the covered entity is not an individual, may also be directly criminally liable under HIPAA in accordance with principles of “corporate criminal liability.” Where an individual of a covered entity is not directly liable under HIPAA, they can still be charged with conspiracy or aiding and abetting.
The DOJ interpreted the term “knowingly” for criminal liability as requiring only knowledge of the actions that constitute an offense. Specific knowledge of an action being in violation of the HIPAA statute is not required.
HHS has the authority to exclude from participation in Medicare any covered entity who was not compliant with the transaction and code set standards (68 FR 48805).
The DHHS Office of Civil Rights (OCR) enforces the privacy standards, while the Centers for Medicare & Medicaid (CMS) enforces both the transaction and code set standards and the security standards (65 FR 18895). Enforcement of the civil monetary provisions has not yet been tasked to an agency.
No Private Cause of Action
While HIPAA protects the health information of individuals, it does not create a private cause of action for those aggrieved (65 FR 82566). State law, however, may provide other theories of liability.
The American Medical Association provides great insight on HIPAA violations and enforcement.