Modifications to the Enforcement Rule as a result of the HITECH Act impose several fines and penalties for lack of HIPAA compliance. In other words:  HIPAA has “teeth.” 

These enforcement actions include:

  • Higher penalties and mandates for formal investigations of violations due to willful neglect  
  • A revised penalty structure with four categories of violations that reflect increasing levels of culpability and four corresponding tiers of penalty amounts 
  • A significant increase in the minimum penalty amount for each violation 
  • A maximum penalty amount of $1.5 million annually, depending on whether the Covered Entity or business associate knew of the HIPAA violation or practiced willful, uncorrected neglect

In cases where protected health information is compromised, civil money penalties may be imposed. Before a civil money penalty is imposed, the scope and impact of the violation, the nature and extent of the resulting harms, the history of prior compliance, and the financial condition of the Covered Entity are taken into account.

The Final Rule implements a tiered penalty structure for violations (mandated by the HITECH Act) and applies this structure to violations occurring after Feb. 18, 2009.


HIPAA enforcement actions are typically initiated by a complaint but can also be triggered by a report to HHS (e.g., data breach notification) or a HIPAA audit. HIPAA does not authorize individuals to sue for HIPAA violations. Their recourse under HIPAA is to file a complaint with the Office for Civil Rights (OCR). In states with specific privacy protections, individuals may be able to sue under state law for things that would constitute HIPAA violations.  

Complaints and Investigations 

The most common types of covered entities that have been required to take corrective action to achieve voluntary compliance are, in order of frequency: 

  • Private practices 
  • General hospitals 
  • Outpatient facilities 
  • Pharmacies 
  • Health plans (group health plans and health insurance issuers)

Disclaimer: This information is general in scope and educational in nature. It is not intended as legal advice. If you require legal advice, contact an attorney.  
The recommendations in this publication do not indicate an exclusive course of treatment or serve as a standard of medical care. Variations, taking into account individual circumstances, may be appropriate. This content is for informational purposes only. It is not intended to constitute financial or legal advice. A financial advisor or attorney should be consulted if financial or legal advice is desired. 

American Academy of Pediatrics