Atlantic.Net Blog

Penalties for Non-Compliance of HIPAA – What Is the Fine? Can You Get Jail Time?

Editorial Team
by Atlantic.Net under HIPAA Compliant Hosting
  • Example of HIPAA Violation
  • Legislative Basis
  • Consequences of HIPAA Violations – Civil Penalties
  • HIPAA Criminal Penalties – Can You Be Imprisoned?
  • Covered Entities & Individual People
  • “Knowingly”
  • Exclusion & Upholding the Law
  • Choosing a Compliance Partner

Example of HIPAA Violation

Those who follow healthcare IT news will often see stories about large HIPAA settlements with the US Department of Health & Human Services (HHS), such as the combined $4.8 million settlement paid by New York Presbyterian Hospital and Columbia University in 2014. No two situations are the same, and not all settlements will be that severe. In that case, electronic PHI became accessible on the public Internet, with patient records reachable directly through search engines.

If your organization is found to be in violation of HIPAA, you won’t necessarily have to pay millions of dollars. What are the general parameters for violations?

Legislative Basis

The HHS Office for Civil Rights (OCR) and the Centers for Medicare & Medicaid Services (CMS) are authorized to enforce HIPAA on the civil side, and the Department of Justice prosecutes criminal violations. The consequences range from monetary settlements and civil money penalties to criminal fines and imprisonment.

The stimulus package adopted in 2009, the American Recovery and Reinvestment Act (ARRA), included the HITECH Act, which set the specific minimum and maximum civil penalty tiers for healthcare privacy and security violations.

“The Secretary of the Department of Health and Human Services (HHS) still has discretion in determining the amount of the penalty,” according to the American Medical Association, “based on the nature and extent of the violation and the nature and extent of the harm resulting from the violation.”

There is, however, an important exception: a civil penalty may not be imposed if the violation was not due to willful neglect and is corrected within 30 days of the date the organization knew, or by exercising reasonable diligence would have known, of the violation (HHS may extend that window at its discretion).

Consequences of HIPAA Violations – Civil Penalties for HIPAA Non-Compliance

The four civil penalty tiers are defined by the organization's level of culpability. All per-year caps apply to violations of an identical provision within a single calendar year.

Scenario #1 (did not know): the organization or employee did not know, and by exercising reasonable diligence would not have known, that it was violating the law.
  Minimum penalty: $100 per violation, up to $25,000 per year (this is also the highest amount a state attorney general can seek under HITECH).
  Maximum penalty: $50,000 per violation, up to $1.5 million per year.

Scenario #2 (reasonable cause): the violation had a reasonable cause and was not due to willful neglect.
  Minimum penalty: $1,000 per violation, up to $100,000 per year.
  Maximum penalty: $50,000 per violation, up to $1.5 million per year.

Scenario #3 (willful neglect, corrected): the violation was due to willful neglect, but the organization corrected it within 30 days.
  Minimum penalty: $10,000 per violation, up to $250,000 per year.
  Maximum penalty: $50,000 per violation, up to $1.5 million per year.

Scenario #4 (willful neglect, not corrected): the violation was due to willful neglect and was not corrected within 30 days.
  Minimum penalty: $50,000 per violation, up to $1.5 million per year.
  Maximum penalty: $50,000 per violation, up to $1.5 million per year.

These are the dollar figures HITECH set in 2009. HHS adjusts the amounts annually for inflation, so the current figures are somewhat higher than those shown here.

HIPAA Non-Compliance Criminal Penalties – Can You Be Imprisoned?

HIPAA itself (42 U.S.C. § 1320d-6) creates the criminal offense of wrongfully obtaining or disclosing individually identifiable health information. In June 2005 the Department of Justice issued a legal opinion clarifying who can be prosecuted under it and what the prosecution must prove.

“Covered entities and specified individuals … who ‘knowingly’ obtain or disclose individually identifiable health information in violation of the Administrative Simplification Regulations face a fine of up to $50,000,” explained the AMA report, “as well as imprisonment up to one year.”

Sentencing can be more severe, though. An offense committed under false pretenses carries a fine of up to $100,000 and/or up to five years in prison. An offense committed with the intent to sell, transfer, or use the data for commercial advantage, personal gain, or malicious harm carries a fine of up to $250,000 and a prison sentence of up to ten years.

Covered Entities & Individual People

The Department of Justice concluded that covered entities (health plans, healthcare clearinghouses, and providers) can be prosecuted directly for the offense. Under general principles of corporate criminal liability, directors, officers, and employees of a covered entity can also be prosecuted directly. People who are not themselves covered entities, and did not personally perform the prohibited act, can still be charged as co-conspirators or for aiding and abetting the violation.

“Knowingly”

The Department of Justice also addressed a word in the HIPAA criminal provision that is a frequent source of confusion: what does “knowingly” mean?

“Knowingly” is the mental state required for every tier of the offense; what raises the penalty is the purpose behind the act. As Law360 put it, “Under the statute, covered entities and individuals who ‘knowingly’ obtain or disclose individually identifiable health information with the intent to” profit from it or hurt someone face the stiffest penalties.

The Department of Justice clarified in 2005 that “knowingly” requires only proof that the defendant knew the facts that make up the offense, for example that they were obtaining or disclosing individually identifiable health information. It does not require proof that the defendant knew the conduct violated HIPAA, so ignorance of the law is not a defense.

Exclusion & Upholding the Law

The federal government can also exclude a health plan, provider, or clearinghouse from participation in Medicare if it fails to adopt the standardized transaction and code set requirements.

In terms of enforcement, OCR investigates and penalizes violations of the HIPAA Privacy, Security, and Breach Notification Rules (it took over Security Rule enforcement from CMS in 2009). CMS enforces the Administrative Simplification standards for transactions, code sets, and identifiers.

Choosing a Compliance Partner

As you can see, the consequences of violating HIPAA can be severe. Even if you are not fined millions, a settlement is a poor way to spend money, and no organization wants to appear on the OCR breach portal, commonly called the HIPAA “Wall of Shame.”

That is why it is so important to choose a technology partner that specializes in HIPAA Compliant Hosting, like Atlantic.Net. Our SSD Cloud Servers offer a 100% uptime guarantee and can launch in under 30 seconds.

By Moazzam Adnan
