To begin to understand a HIPAA violation we must clarify the meaning of a violation. If we review definitions, we will find that a violation is a breach, infringement, or transgression, as of a law, rule, promise, etc. This is clear enough for most of us to understand.
Next, we have to determine how this applies to HIPAA. HIPAA is the Health Insurance Portability and Accountability Act of 1996. It is a landmark piece of legislation introduced to simplify the administration of healthcare, eliminate wastage, prevent healthcare fraud, and ensure that employees could maintain healthcare coverage when between jobs.
A HIPAA violation is any failure to comply with any aspect of the HIPAA standards and provisions detailed in 45 CFR Parts 160, 162, and 164. In other words, plainly speaking, if you ignore, break or do not comply with the HIPAA Privacy Rule you have essentially committed a HIPAA Violation and may be at risk for penalties.
The HIPAA Rule
Since its creation, HIPAA has undergone substantial updates. These updates improved the protection of patients over the years to ensure that their health care information remained secure. The updates include the HIPAA Privacy Rule, HIPAA Security Rule, HIPAA Omnibus Rule, and the HIPAA Breach Notification Rule. To learn more about the HIPAA Rule please follow this link.
Type of Violations

Today HIPAA violations occur at an alarming rate and are the focus of many lead articles in the Health Care press. The types of violations are varied and difficult to enumerate. Some of the most important violations as reported to the Office for Civil Rights (OCR) are as follows:
- Lack of a risk analysis in the HIPAA compliance plan.
- Failure to give prompt access of PHI to patients upon request.
- Impermissible disclosures of PHI.
- Posting PHI on social media.
- Failure to provide HIPAA training to staff
- Allowing unauthorized access to PHI.
- Disclosure of more than the minimum necessary PHI.
- Failure to encrypt PHI on laptops and flash drives.
- Failure to notify the OCR appropriately of a security incident involving PHI.
Reporting of Violations
There are a variety of ways that violations come to light for investigation. Today due to the amount of information given to patients regarding their HIPAA rights it is likely the first complaint may arise from a patient. Patients are aware of their rights and are quick to make a complaint to the covered entity or business associate. On some occasions they may go directly to the Office for Civil Rights from where an investigation is likely to begin. Many reports of violations will originate within the organization. This may be due to the discovery of violations by the actions of internal audits. A well-functioning program will often identify employees who have violated the HIPAA Rules as stated in their compliance program. In some situations employees may report incidents in which they or their fellow workers believe represent violations.
The Privacy Officer receive the reports of potential violations who in turn completes a full analysis of the situation to determine if it is in fact a violation. Once the Privacy Officer has determined the situation represents a violation, they will be responsible for reporting to the Office for Civil Rights. For more on the reporting of breaches and violations please follow this link.
Investigating Violations
The HHS Office for Civil Rights is responsible for the enforcement of HIPAA Rules and investigates complaints of HIPAA violations. The OCR receives reports from patients, health plan members, covered entities and business associates. In addition, the OCR performs periodic audits of covered entities and business associates, covered by HIPAA. The OCR will review these complaints and determine if there in fact was a violation of the Privacy Rule.
Under HITECH state attorneys General also have the authority to investigate breaches on behalf of residents of their state.
Civil Penalties
A HIPAA violation as noted earlier is a situation in which a covered entity or a business associate fails to comply with one or more of the requirements of the HIPAA Privacy , Security or Breach Notification Rules. When the OCR reviews such events, they may submit a penalty but more often they are likely to resolve a case by voluntary compliance, offering technical guidance or by accepting a renewed plan from the covered entity or business associate that will prevent violations in the future. The most severe of HIPAA violations receive financial penalties.
The OCR will give penalties if violations are serious and if they have been allowed to persist for a long time or if there are multiple areas of noncompliance. The penalties are determined based on the following:
Penalty structure with four categories.
Tier 1: Did not know:
In the case of a violation of such provision in which it is established that the person did not know (and by exercising reasonable diligence would not have known) that such person violated such provision.
Penalty:
$100-$50,000 for each case $1,5000,000 per calendar year
Tier 2: Reasonable Cause:
In the case of a violation of such provision in which it is established that the violation was due to reasonable cause and not to willful neglect.
Penalty:
$1,000-50,000 per case $1,500,00 per calendar year
Tier 3: Willful Neglect – corrected:
In the case of a violation of such provision in which it is established that the violation was due to willful neglect. if the violation is corrected
Penalty:
$10.000-50,000 per case $1,500,000 per calendar year
Tier 4: Willful Neglect – not corrected:
In the case of a violation of such provision in which it is established that the violation was due to willful neglect. if the violation is not corrected
$50,000 per case $1,500,000 per calendar year
Criminal Penalties
All criminal violations of HIPAA are handled by the Department of Justice (DOJ). As described earlier in discussing HIPAA civil penalties, there are different levels of severity for criminal violations.
First, covered entities and specified individuals, who “knowingly” obtain or disclose individually identifiable health information, in violation of the Administrative Simplification Regulations, face a fine of up to $50,000, as well as imprisonment up to 1 year.
Second, offenses committed under false pretenses allow penalties to be increased to a $100,000 fine, with up to 5 years in prison.
Finally, offenses committed with the intent to sell, transfer or use individually identifiable health information for commercial advantage, personal gain or malicious harm permit fines of $250,000 and imprisonment up to 10 years.
Criminal penalties may be directly applicable to covered entities which include:
- Health Plans
- Health care clearinghouses
- Health care providers who transmit claims in electronic form
- Medicare prescription drug card sponsors
Agents such as directors, employees or officers of the Covered Entity (CE) are directly criminally liable under HIPAA in accordance with “corporate criminal liability.” Where an individual of a CE is not directly liable under HIPAA, they can still be charged with conspiracy or aiding and abetting.
Exclusion from Medicare
HHS has the authority to exclude from participation in Medicare any CE that was not compliant with the transaction and code set standards by Oct. 16, 2003.
Preventing HIPAA Violations
Follow the The Seven Steps of an Effective Compliance Plan. The Health Care Fraud Prevention and Enforcement Action Team (HEAT) within the Office for Civil Rights (OCR) issued a series of guidelines for Covered Entities and Business Associates called The Seven Fundamental Elements of an Effective Compliance Program. The Seven Elements describe the steps that OCR has deemed absolutely essential to a HIPAA compliance program. The seven elements of a compliance program are the minimum necessary requirements that HIPAA covered entities must have in place to address HIPAA privacy and security standards. These are the best steps an organization can take to prevent HIPAA violations.
For more information on the Seven Steps of Compliance follow this link
See how the following links will help you prevent HIPAA Violations.
Conclusion
In conclusion, it is important for every covered entity or business associate to understand the following.
- The importance of preventing violations
- The reporting of HIPAA violations
- The penalties involved
- How violations may affect your organization.