Penalties for Non-Compliance of HIPAA: What Is the Fine? Can You Get Jail Time?

What Is a HIPAA Violation?

A HIPAA violation is the unauthorized disclosure of protected health information or the failure to provide timely access to patient data to authorized individuals against the mandates of the Health Insurance Portability and Accountability Act, or HIPAA. Those who follow Healthcare IT news will often see stories about large HIPAA settlements enforced by the US Department of Health & Human Services (HHS). The biggest violation so far in 2021 is Lifetime Healthcare Companies‘ violation, where 9.3 million people were affected and a $5.1 million fine was enforced. In 2020, Premera Blue Cross was the biggest violation; 10.4 million people were impacted and a $6.9 million fine was handed down.

No HIPAA violation situation is ever the same as another, and not all penalties will be as severe as the examples above. If your organization is found to be in violation of HIPAA, you won’t necessarily have to pay millions of dollars. Such massive penalties are only for the very worst offenders, but what are the general parameters for violations?

Summary of OCR HIPAA Settlements 2021

At the time of writing, October 2021, there have been eight settlements with the OCR so far this year. The majority of settlements are for healthcare organizations failing to give timely access to medical records, which is a mandatory requirement of HIPAA.

Covered Entity	Reason	Individuals Impacted	Amount
Diabetes, Endocrinology & Lipidology Center, Inc. (“DELC”)	Failed to give timely access to Patient Data	1	$5,000
AEON Clinical Laboratories (Peachstate)	Unsecured PHI in Telehealth App	3	$25,000
Banner Health ACE	Failed to give timely access to Patient Data	1	$200,000
Lifetime Healthcare Companies	Data Breach	93,000,000	$5,100,000
Renown Health, P.C	Failed to give timely access to Patient Data	1	$75,000
Sharp Rees-Stealy Medical Centers	Failed to give timely access to Patient Data	Unknown	$70,000
Arbour Hospital	Failed to give timely access to Patient Data	1	$65,000
Village Plastic Surgery	Failed to give timely access to Patient Data	1	$30,000

Historical OCR Settlements (2016-2020)

Source: HIPAA Journal
Following on from our 2021 figures, the HIPAA Journal has published data from 2016 to 2020. We have compiled this data to show the biggest penalties of each year.

Covered Entity	Reason	Individuals Impacted	Amount	Year
University of Rochester Medical Center	Loss of flash drive/laptop; no encryption	43	$3,000,000	2019
Sentara Hospitals	Breach notification failure; business associate agreement failure	577	$2,175,000	2019
Touchstone Medical Imaging	No BAAs; insufficient access rights; risk analysis failure; failure to respond to a security incident; breach notification failure; media notification failure	307,839	$3,000,000	2019
Texas Department of Aging and Disability Services	Risk analysis failure; access control failure; information system activity monitoring failure; impermissible disclosure of 6,617 patients ePHI	6,617	$1,600,000	2019
Jackson Health System	Multiple Privacy Rule, Security Rule, and Breach Notification Rule violations	25,661	$2,154,000	2019
Cottage Health	Risk analysis and risk management failures; No BAA	62,500	3,000,000	2018
Anthem Inc	Risk analysis failure; Insufficient reviews of system activity; Failure to respond to a detected breach; Insufficient technical controls to prevent unauthorized ePHI access	78,800,000	$16,000,000	2018
Fresenius Medical Care North America	Risk analysis failures; Impermissible disclosure of ePHI; Lack of policies covering electronic devices; Lack of encryption; Insufficient security policies; Insufficient physical safeguards	521	$3,500,000	2018
University of Texas MD Anderson Cancer Center	3 breaches resulting in an impermissible disclosure of ePHI; No Encryption	34,883	$4,348,000	2018
Memorial Healthcare System	Impermissible access of PHI by employees; Impermissible disclosure of PHI to affiliated physicians’ offices	115,143	$5,500,000	2017
Cardionet	Theft of an unencrypted laptop computer	1,391	$2,500,000	2017
Memorial Hermann Health System	Disclosure of patient’s PHI to the media	1	$2,400,000	2017
21st Century Oncology	Multiple HIPAA violations	2,213,597	$2,300,000	2017
MAPFRE Life Insurance Company of Puerto Rico	Theft of an unencrypted USB storage device	2,209	$2,200,000	2017
Children’s Medical Center of Dallas	Theft of unencrypted devices	6,262	$3,200,000	2017

Legislative Basis

The OCR and Centers for Medicare & Medicaid (CMS) are authorized to enforce HIPAA. The amount of some penalties can be frighteningly high, including civil and criminal judgments.

The stimulus package that was adopted in 2009, called the American Recovery and Reinvestment Act (ARRA), detailed the specific minimum and maximum limits for healthcare privacy and security violations. “The Secretary of the Department of Health and Human Services (HHS) still has discretion in determining the amount of the penalty,” according to the American Medical Association, “based on the nature and extent of the violation and the nature and extent of the harm resulting from the violation.”

However, there is an exception: if the agency determines that you were not purposely neglectful, you will have one full month to rectify the situation.

Consequences of HIPAA Violations – Civil Penalties for HIPAA Non-Compliance

	HIPAA Violation	Minimum Penalty	Maximum Penalty
Scenario #1	The organization or employee  was unaware that they were in violation of the law, despite operating soundly	$100 for each instance of noncompliance, up to $25,000 total (the highest amount that can be assessed by an attorney general at the state level)	$50,000 for each instance, totaling up to $1.5 million
Scenario #2	The company was noncompliant not because of purposeful neglect but because of unexpected causes	$1000 for each instance, up to $100,000 total	$50,000 for each instance, totaling up to $1.5 million
Scenario #3	Purposeful neglect occurred, but the company took corrective action within an acceptable time window	$10,000 for each instance, up to $250,000 total	$50,000 for each instance, totaling up to $1.5 million
Scenario #4	Purposeful neglect occurred, and the company did not implement the steps of a corrective plan	$50,000 for each instance, up to $1.5 million total	$50,000 for each instance, totaling up to $1.5 million

HIPAA Non-Compliance Criminal Penalties – Can You Be Imprisoned?

According to data published by the HHS, up to 31st August 2021, the OCR has received nearly 273,000 compliance-related complaints, with over 1101 being investigated. However, in only 100 cases the OCR has settled or imposed a civil money penalty (since 2008), totaling $130,980,482.00 so far.

Jail terms are rare, but not unheard of. In February 2017, Jeffery Luke was jailed for stealing PHI from his employer’s secured Google Drive accounts. In January 2020, Stacey Lavette Hendricks was imprisoned for 48 months for PHI identity theft.

“Covered entities and specified individuals … who ‘knowingly’ obtain or disclose individually identifiable health information in violation of the Administrative Simplification Regulations face a fine of up to $50,000,” explained the AMA report, “as well as imprisonment up to one year.”

Sentencing can be more severe, though. Anything that violates the law and involves deception carries a maximum sentence of $100,000 and/or five years imprisonment. Violations that occur because individual plans to use the data for their own gain or for malevolent reasons are penalized with judgments up to $250,000, accompanied by prison sentences as high as ten years.

Covered Entities & Individual People

The Department of Justice decided that if it is determined that a crime has been committed, covered entities (healthcare plans, data clearinghouses, and providers) can be held directly liable. Leadership at a covered entity can also be subject to criminal investigation and sentencing by piercing the corporate veil. Even if someone in an executive position at a company where misuse takes place didn’t do anything that was specifically non-compliant, they still may be guilty as a co-conspirator or accomplice.

“Knowingly”

The Department of Justice specifically targeted a word within the HIPAA crime provisions that are a source of confusion: what does knowingly mean?

Knowingly refers to the highest criminal penalty situation listed above, the “for their own gain” scenario (bolded above). According to Law360, “Under the statute, covered entities and individuals who ‘knowingly’ obtain or disclose individually identifiable health information with the intent to” profit from it or hurt someone face the stiffest penalties.

The Department of Justice clarified in 2005 that the word referred to knowledge of HIPAA law rather than knowledge of a particular instance of noncompliance.

Exclusion & Upholding the Law

The federal government can remove any healthcare plan, provider, or clearinghouse from the Medicare system if they have not adopted a universal, standardized medical code. In terms of enforcement, the OCR identifies and punishes HIPAA privacy violations. The Centers for Medicare & Medicaid (CMS) oversees security and uniform code.

Choosing a Compliance Partner

As you see above, the consequences of violating HIPAA can be extreme. Even if you don’t get fined millions, it’s not a productive way to spend money, and it’s not fun to end up on the HIPAA Wall of Shame.

That’s why it’s extraordinarily important to choose a technological partner that specializes in healthcare HIPAA Compliance Hosting like Atlantic.Net. Our Virtual Private Servers offer a 100% uptime guarantee and can launch in under 30 seconds.

Atlantic.Net stands ready to help you attain fast compliance with a range of certifications, such as SOC 2 and SOC 3, HIPAA, and HITECH, all with 24x7x365 support, monitoring, and world-class data center infrastructure. For faster application deployment, free IT architecture design, and assessment, visit us at www.atlantic.net, call 888-618-DATA (3282), or email us at [email protected].