Enforcement & Consequences for Non-Compliance


In incidents of non-compliance, an organization must reach a resolution agreement with the U.S. Department of Health and Human Services (HHS). This is a signed contract in which the covered entity agrees to perform certain obligations, such as staff training or reporting requirements, generally for three years, during which HHS monitors compliance. A resolution agreement will likely include a penalty payment. According to the HHS website, these agreements are reserved for investigations with more serious outcomes. Where no resolution agreement is reached, civil money penalties may be imposed.


Breach Penalties

Penalties for HIPAA violations may range from $100 to $50,000 per violation of one individual's Protected Health Information (PHI). The cap for a calendar year is $1.5 million.


Headlines from recent cases include:


To get a sense of common violations, see this chart from HHS, titled "Top Ten Issues in Investigated Cases Closed with Corrective Action", covering 2003 to 2013 (the five most frequent issues per year are listed, most frequent first):

| Year | Issue 1 | Issue 2 | Issue 3 | Issue 4 | Issue 5 |
|------|---------|---------|---------|---------|---------|
| 2013 | Impermissible Uses & Disclosures | Safeguards | Access | Minimum Necessary | Mitigation |
| 2012 | Impermissible Uses & Disclosures | Safeguards | Access | Minimum Necessary | Mitigation |
| 2011 | Impermissible Uses & Disclosures | Safeguards | Access | Minimum Necessary | Mitigation |
| 2010 | Impermissible Uses & Disclosures | Safeguards | Access | Complaints | Minimum Necessary |
| 2009 | Impermissible Uses & Disclosures | Safeguards | Access | Minimum Necessary | Complaints to Covered Entity |
| 2008 | Impermissible Uses & Disclosures | Safeguards | Access | Minimum Necessary | Complaints to Covered Entity |
| 2007 | Impermissible Uses & Disclosures | Safeguards | Access | Minimum Necessary | Notice |
| 2006 | Impermissible Uses & Disclosures | Safeguards | Access | Minimum Necessary | Notice |
| 2005 | Impermissible Uses & Disclosures | Safeguards | Access | Minimum Necessary | Mitigation |
| 2004 | Impermissible Uses & Disclosures | Safeguards | Access | Minimum Necessary | Authorizations |
| 2003 (partial year) | Safeguards | Impermissible Uses & Disclosures | Access | Notice | Minimum Necessary |

The chart "Enforcement Results by Year" breaks down enforcement results by calendar year according to the type of closure, with each category shown as a count and as a percentage of that year's total resolutions. The total is the number of complaints the HHS Office for Civil Rights (OCR) resolved in that year.

| Year | Investigated: no violation | Resolved after intake and review | Investigated: corrective action obtained | Total resolutions |
|------|----------------------------|----------------------------------|------------------------------------------|-------------------|
| 2003 (partial year) | 79 (5%) | 1,177 (78%) | 260 (17%) | 1,516 |
| 2004 | 360 (7%) | 3,406 (71%) | 1,033 (22%) | 4,799 |
| 2005 | 642 (11%) | 3,889 (68%) | 1,162 (21%) | 5,693 |
| 2006 | 897 (14%) | 4,128 (62%) | 1,574 (24%) | 6,599 |
| 2007 | 727 (10%) | 5,017 (69%) | 1,494 (21%) | 7,238 |
| 2008 | 1,180 (13%) | 5,940 (63%) | 2,221 (24%) | 9,341 |
| 2009 | 1,211 (15%) | 4,749 (59%) | 2,146 (26%) | 8,106 |
| 2010 | 1,529 (17%) | 4,951 (54%) | 2,709 (29%) | 9,189 |
| 2011 | 1,302 (16%) | 4,466 (53%) | 2,595 (31%) | 8,363 |
| 2012 | 979 (10%) | 5,067 (54%) | 3,361 (36%) | 9,407 |

10 Step HIPAA Plan

  • Step 1: Confirm you are a covered entity

    What's Inside:
    Lists of who is generally covered and who is not, plus a contact for inquiries.

  • Step 2: Provide leadership

    What's Inside:
    • 7-page HIPAA basics
    • 62-page guide to security and privacy of ePHI

  • Step 3: Document processes, findings, and actions

    What's Inside:
    Templates for security policies and procedures.

  • Step 4: Conduct a security risk analysis

    What's Inside:
    INTRODUCTORY:
    • Guides
    • Short videos
    • Interactive quizzes on risk assessment and contingency preparation
    • 10 common myths

    ADVANCED:
    Interactive tutorial: 156 questions with fillable PDFs for Windows or iPad. All material from federal sources.

  • Step 5: Develop an action plan

    What's Inside:
    INTRODUCTORY:
    • 11-page overview on ePHI for small practices
    • 4-page Q&A addressing email with patients
    • Checklists

    ADVANCED:
    Toolkit on the 45 implementation specifications.

  • Step 6: Manage and mitigate risks

    What's Inside:
    Overview of expectations.

  • Step 7: Prevent breaches

    What's Inside:
    • Form for reporting a breach notification
    • Links to details on the notification process and what constitutes a breach

  • Step 8: Communicate with patients

    What's Inside:
    FOR ALL:
    Privacy notice templates to help achieve meaningful consent, in English and Spanish.

    INTRODUCTORY:
    Professionals' guide covering the 2013 updates on communications.

    ADVANCED:
    Electronic toolkit with patient education and meaningful consent sample materials.

  • Step 9: Update or execute Business Associate Agreements (BAAs)

    What's Inside:
    Sample Business Associate Agreement (BAA) provisions.

  • Step 10: Attest to compliance with security objectives

    What's Inside:
    INTRODUCTORY:
    • Tip sheets
    • Short videos
    • Overviews

    ADVANCED:
    • 94-page guide on the EHR incentive program
    • Beginners' toolkit on reporting to the government

    All from federal sources.