Breach Penalties
Penalties for HIPAA violations may range from $100 to $50,000 per violation of one individual’s Protected Health Information (PHI). The cap for a calendar year is $1.5 million. In incidents of non-compliance, an organization must reach a resolution agreement with the U.S. Department of Health and Human Services (HHS). This is a signed contract in which the covered entity agrees to perform certain obligations, such as staff training or reporting requirements, generally for three years.
A resolution agreement likely would include a monetary penalty. These agreements are reserved for investigations with more serious outcomes, according to the HHS website. Absent a resolution, HHS may impose civil penalties.
Headlines from recent cases include:
- $800,000 HIPAA Settlement in Medical Records Dumping Case – June 23, 2014
- Data Breach Results in $4.8 Million HIPAA Settlements – May 7, 2014
- Concentra Settles HIPAA Case for $1,725,220 – April 22, 2014
- County Government Settles Potential HIPAA Violations – March 7, 2014
To get a sense of common violations, see this chart from HHS titled Top Ten Issues in Investigated Cases Closed with Corrective Action, from 2003 to 2013:
| Year | Issue 1 | Issue 2 | Issue 3 | Issue 4 | Issue 5 |
| --- | --- | --- | --- | --- | --- |
| 2013 | Impermissible Uses & Disclosures | Safeguards | Access | Minimum Necessary | Mitigation |
| 2012 | Impermissible Uses & Disclosures | Safeguards | Access | Minimum Necessary | Mitigation |
| 2011 | Impermissible Uses & Disclosures | Safeguards | Access | Minimum Necessary | Mitigation |
| 2010 | Impermissible Uses & Disclosures | Safeguards | Access | Complaints | Minimum Necessary |
| 2009 | Impermissible Uses & Disclosures | Safeguards | Access | Minimum Necessary | Complaints to Covered Entity |
| 2008 | Impermissible Uses & Disclosures | Safeguards | Access | Minimum Necessary | Complaints to Covered Entity |
| 2007 | Impermissible Uses & Disclosures | Safeguards | Access | Minimum Necessary | Notice |
| 2006 | Impermissible Uses & Disclosures | Safeguards | Access | Minimum Necessary | Notice |
| 2005 | Impermissible Uses & Disclosures | Safeguards | Access | Minimum Necessary | Mitigation |
| 2004 | Impermissible Uses & Disclosures | Safeguards | Access | Minimum Necessary | Authorizations |
| Partial year 2003 | Safeguards | Impermissible Uses & Disclosures | Access | Notice | Minimum Necessary |
The chart Enforcement Results by Year shows the enforcement results by calendar year according to the type of closure, with each category's share of the year's total resolutions given as a percentage. The total is the number of complaints that the HHS Office for Civil Rights (OCR) had resolved in that year.
| Year | Investigated: no violation | Resolved after intake and review | Investigated: corrective action obtained | Total resolutions |
| --- | --- | --- | --- | --- |
| Partial year 2003 | 79 (5%) | 1177 (78%) | 260 (17%) | 1516 |
| 2004 | 360 (7%) | 3406 (71%) | 1033 (22%) | 4799 |
| 2005 | 642 (11%) | 3889 (68%) | 1162 (21%) | 5693 |
| 2006 | 897 (14%) | 4128 (62%) | 1574 (24%) | 6599 |
| 2007 | 727 (10%) | 5017 (69%) | 1494 (21%) | 7238 |
| 2008 | 1180 (13%) | 5940 (63%) | 2221 (24%) | 9341 |
| 2009 | 1211 (15%) | 4749 (59%) | 2146 (26%) | 8106 |
| 2010 | 1529 (17%) | 4951 (54%) | 2709 (29%) | 9189 |
| 2011 | 1302 (16%) | 4466 (53%) | 2595 (31%) | 8363 |
| 2012 | 979 (10%) | 5067 (54%) | 3361 (36%) | 9407 |