Penalty tiers (columns: Conduct; Penalty per violation; Penalty per identical type of violation per calendar year)

Tier 1
  Conduct: Covered entity did not know and, by exercising reasonable diligence, would not have known of the violation.
  Penalty per violation: $100 to $50,000. No penalty if corrected within 30 days. OCR may waive or reduce penalties.
  Penalty per identical type of violation per calendar year: Up to $1,500,000.

Tier 2
  Conduct: Violation due to reasonable cause and not willful neglect.
  Penalty per violation: $1,000 to $50,000. No penalty if corrected within 30 days. OCR may waive or reduce penalties.
  Penalty per identical type of violation per calendar year: Up to $1,500,000.

Tier 3
  Conduct: Violation due to willful neglect, but the violation is corrected within 30 days after the covered entity knew, or by exercising reasonable diligence would have known, that the violation occurred.
  Penalty per violation: $10,000 to $50,000. Penalties mandatory effective 2/18/11.
  Penalty per identical type of violation per calendar year: Up to $1,500,000.

Tier 4
  Conduct: Violation due to willful neglect, and the violation was not corrected within 30 days after the covered entity knew, or by exercising reasonable diligence would have known, that the violation occurred.
  Penalty per violation: At least $50,000. Penalties mandatory effective 2/18/11.
  Penalty per identical type of violation per calendar year: Up to $1,500,000.

PCI & HIPAA Fines

The OCR is now required to impose penalties of $10,000 to $50,000 or more per violation for HIPAA violations caused by willful neglect.

The federal HITECH Act has dramatically increased penalties for HIPAA violations. The table above summarizes the structure under the new enforcement rules.

"Willful neglect" means the "conscious, intentional failure or reckless indifference to the obligation to comply with [HIPAA]…" (45 CFR 160.401). The penalties confirm that HHS is committed to enforcing all aspects of HIPAA, not only its privacy provisions. HHS penalizes businesses that do not take OCR investigations seriously by levying heavier fines against them.

Mandatory penalties are reserved for violations that involve willful neglect; for other violations, covered entities and business associates may avoid penalties altogether if they correct the error within 30 days. Even if they fail to completely remedy the situation, the OCR may waive or reduce penalties if it determines that the penalties are excessive given the efforts made toward compliance. Business associates and covered entities should take appropriate action to ensure that they are not deemed to have acted with willful neglect. Be sure to:

  • Train employees and other workforce members concerning the policies, and document the training.
  • Implement the written policies that are required by HIPAA as set forth in 45 CFR part 164, including those dealing with use and disclosure rules, electronic security, patient rights, breach notification, and administrative requirements.
  • Immediately address and correct any potential HIPAA violation and document such actions, including the imposition of sanctions against those who violated HIPAA.
  • Cooperate with the OCR during any investigation. If required, notify patients and HHS of privacy breaches.