HIPAA Enforcement


Health Insurance Portability and Accountability Act (HIPAA)

Modifications to the Enforcement Rule resulting from the HITECH Act now impose:

  • Higher penalties, and mandatory formal investigations of violations caused by willful neglect;
  • A revised penalty structure with four categories of violations, reflecting increasing levels of culpability, and four corresponding tiers of penalty amounts;
  • A significant increase in the minimum penalty amount for each violation; and
  • A maximum penalty of $1.5 million per calendar year for identical violations, with the applicable tier depending on whether the Covered Entity or business associate knew of the violation and whether it resulted from willful neglect that was left uncorrected.

Where protected health information is compromised, the civil money penalty imposed takes into account the scope and impact of the violation, the nature and extent of the resulting harm, the entity's history of prior compliance, and the financial condition of the Covered Entity.

The Final Rule implements the tiered penalty structure mandated by the HITECH Act and applies it to violations occurring after Feb. 18, 2009.

Category of Violation           | Penalty per Violation | Maximum Penalty for Identical Violations
--------------------------------|-----------------------|-----------------------------------------
Unknowing                       | $100 to               | $1,500,000 per calendar year
Reasonable Cause                | $1,000 to $50,000     | $1,500,000 per calendar year
Willful Neglect – Corrected     | $10,000 to $50,000    | $1,500,000 per calendar year
Willful Neglect – Not Corrected | Minimum $50,000       | $1,500,000 per calendar year


HIPAA enforcement actions are typically initiated by a complaint, but can also be triggered by a report to HHS (e.g., a data breach notification) or by a HIPAA audit. HIPAA does not authorize individuals to sue for HIPAA violations; their recourse under HIPAA is to file a complaint with the Office for Civil Rights (OCR). Individuals may, however, sue under state law for many of the acts that would constitute HIPAA violations, because HIPAA does not preempt state laws that provide more stringent privacy protection.

Complaints and Investigations

Since the compliance date of the Privacy Rule in April 2003, OCR has received more than 134,246 HIPAA complaints. Most investigations determined that no violation had occurred. Many others were resolved by requiring changes in privacy practices and corrective action by the Covered Entity, without imposing a civil money penalty. The cases that did incur civil money penalties accounted for a combined total of $36,000,000.

OCR has investigated complaints against many different types of entities including: national pharmacy chains, major medical centers, group health plans, hospital chains, and small provider offices.

The most common types of covered entities that have been required to take corrective action to achieve voluntary compliance are, in order of frequency:

  • Private Practices;
  • General Hospitals;
  • Outpatient Facilities;
  • Pharmacies; and
  • Health Plans (group health plans and health insurance issuers).

From 2003 to the present, the compliance issues investigated most often, compiled cumulatively and listed in order of frequency, are:

  • Impermissible uses and disclosures of protected health information;
  • Lack of safeguards of protected health information;
  • Lack of patient access to their protected health information;
  • Use or disclosure of more than the minimum necessary protected health information; and
  • Lack of administrative safeguards of electronic protected health information.

Case Examples

Failure to Adhere to Breach Notification Requirements - $150,000 Settlement
An adult and pediatric dermatology practice experienced the theft of an unencrypted thumb drive from an employee's vehicle. The drive held the electronic protected health information of roughly 2,200 patients. OCR's investigation found that the practice had not conducted an accurate and thorough risk analysis of the confidentiality and security of its electronic protected health information, and that it had failed to comply with the requirements of the Breach Notification Rule. As a result, the practice agreed to pay $150,000 as part of a settlement and to implement a corrective action plan to bring it into compliance with HIPAA requirements.

Revises Process to Provide Access to Records
A private practice failed to honor an individual's request for a complete copy of her minor son's medical record. OCR's investigation determined that the private practice had relied on state regulations that permit a covered entity to provide a summary of the record. OCR provided technical assistance to the covered entity, explaining that the Privacy Rule permits a covered entity to provide a summary of patient records rather than the full record only if the requesting individual agrees in advance to such a summary or explanation. Among other corrective actions to resolve the specific issues in the case, OCR required the covered entity to revise its policy. In addition, the covered entity forwarded the complainant a complete copy of the medical record.

Provides Access to All Records, Regardless of Source
A private practice denied an individual access to his records on the basis that a portion of the record had been created by a physician not associated with the practice. While the amendment provisions of the Privacy Rule permit a covered entity to deny a request for amendment when the covered entity did not create the portion of the record that is the subject of the request, no similar provision limits an individual's right to access their protected health information. Among other steps taken to resolve the specific issue in this case, OCR required the private practice to revise its access policy and procedures to affirm that, consistent with the Privacy Rule standards, patients have access to their record regardless of whether another entity created information contained within it.

Ceases Conditioning of Compliance with the Privacy Rule
A physician practice requested that patients sign an agreement entitled "Consent and Mutual Agreement to Maintain Privacy." The agreement prohibited the patient from directly or indirectly publishing or airing commentary about the physician, his expertise, and/or treatment in exchange for the physician's compliance with the Privacy Rule. A patient's rights under the Privacy Rule are not contingent on the patient's agreement with a covered entity. A covered entity's obligation to comply with all requirements of the Privacy Rule cannot be conditioned on the patient's silence. OCR required the covered entity to cease using the patient agreement that conditioned the entity's compliance with the Privacy Rule. Additionally, OCR required the covered entity to revise its Notice of Privacy Practices.

Revises Access Procedure to Provide Access Despite an Outstanding Balance
A complainant alleged that a private practice physician denied her access to her medical records because the complainant had an outstanding balance for services the physician had provided. During OCR's investigation, the physician confirmed that the complainant was not given access to her medical record because of the outstanding balance. OCR provided technical assistance to the physician, explaining that, in general, the Privacy Rule requires a covered entity to provide an individual access to their medical record within 30 days of a request, regardless of whether or not the individual has a balance due. Once the physician learned that he could not withhold access until payment was made, the physician provided the complainant a copy of her medical record.

Revises Faxing Procedures to Safeguard PHI
A doctor's office disclosed a patient's HIV status when the office mistakenly faxed medical records to the patient's place of employment instead of to the patient's new health care provider. The employee responsible for the disclosure received a written disciplinary warning, and both the employee and the physician apologized to the patient. To resolve this matter, OCR also required the practice to revise the office's fax cover page to state clearly that the transmission is a confidential communication intended only for the named recipient. The office informed all its employees of the incident and counseled staff on proper faxing procedures.

Disclaimer: This information is general in scope and educational in nature. It is not intended as legal advice. If you require legal advice, contact an attorney. 
