4.5 HIPAA Enforcement & Violations

Key Takeaways

  • The HHS Office for Civil Rights (OCR) investigates HIPAA Privacy, Security, and Breach Notification complaints and enforces civil monetary penalties; CMS enforces the transactions and identifier standards.
  • Civil monetary penalties follow a four-tier culpability structure: No Knowledge, Reasonable Cause, Willful Neglect-Corrected, and Willful Neglect-Not Corrected, with penalty ranges rising as culpability increases.
  • Criminal HIPAA violations are prosecuted by the DOJ under 42 USC section 1320d-6 in three escalating tiers: knowing violations (up to $50,000 and 1 year), false pretenses (up to $100,000 and 5 years), and intent to sell or for personal gain (up to $250,000 and 10 years).
  • The HIPAA Omnibus Rule (2013, implementing HITECH) made Business Associates and their subcontractors directly liable for HIPAA compliance and enforcement.
  • Civil penalty dollar amounts are adjusted annually for inflation, so candidates should learn the tier structure and severity ranking rather than memorize fixed civil figures.
Last updated: June 2026

Who Enforces HIPAA

The HHS Office for Civil Rights (OCR) enforces the HIPAA Privacy, Security, and Breach Notification Rules. OCR investigates complaints, conducts compliance reviews and audits, and can require corrective action plans (CAPs), resolution agreements, and civil monetary penalties (CMPs). A separate agency, the Centers for Medicare & Medicaid Services (CMS), enforces the Transactions, Code Sets, and Identifier standards. When a violation appears criminal, OCR refers it to the U.S. Department of Justice (DOJ), because OCR itself holds only civil enforcement authority. Knowing the OCR-vs-CMS-vs-DOJ split is a recurring exam point.

The Four Civil Monetary Penalty Tiers

CMPs are tied to the violator's level of culpability — how much the entity knew or should have known. The amounts are statutory minimums and maximums per violation, adjusted each year for inflation, so the CPB exam expects you to know the tier structure and how penalties escalate, not exact current dollars.

TierCulpabilityDescription
Tier 1 - No KnowledgeLowestThe entity did not know, and by exercising reasonable diligence would not have known, of the violation. Lowest penalty range.
Tier 2 - Reasonable CauseModerateThe violation was due to reasonable cause and not willful neglect; the entity should have been aware but the failure was not conscious disregard.
Tier 3 - Willful Neglect, CorrectedHighThe violation was due to willful neglect (conscious or reckless disregard of HIPAA) but was corrected within the required 30-day period.
Tier 4 - Willful Neglect, Not CorrectedHighestThe violation was due to willful neglect and was NOT corrected within 30 days. Highest penalty range and a mandatory penalty.

Each tier carries a higher minimum and maximum per violation and an annual cap per identical violation type. The decisive exam concept is prompt correction: a willful-neglect violation that is fixed within 30 days lands in Tier 3, while the same violation left uncorrected jumps to Tier 4. Because the figures are CPI-adjusted, always confirm current amounts against the published HHS penalty schedule rather than relying on a memorized number.

Criminal Penalties Under 42 USC Section 1320d-6

Criminal HIPAA violations are prosecuted by the DOJ under 42 USC section 1320d-6. They apply when a person knowingly obtains or discloses individually identifiable health information in violation of HIPAA, and they escalate in three tiers:

Criminal TierConductMaximum Penalty
Knowing violationKnowingly obtaining or disclosing PHI in violation of HIPAAUp to $50,000 fine and up to 1 year imprisonment
False pretensesCommitting the offense under false pretensesUp to $100,000 fine and up to 5 years imprisonment
Intent to sell or for personal gainIntent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harmUp to $250,000 fine and up to 10 years imprisonment

Unlike the CPI-adjusted civil amounts, these criminal maximums are written into statute and are a reliable memorization target for the exam.

The HIPAA Omnibus Rule

The HIPAA Omnibus Rule (effective 2013, implementing the Health Information Technology for Economic and Clinical Health (HITECH) Act) significantly strengthened enforcement. Its most important change for billers: it made Business Associates — and their subcontractors — directly liable for compliance with the Security Rule and applicable Privacy Rule provisions. Before Omnibus, only Covered Entities faced direct OCR enforcement; afterward, OCR can penalize a billing company, clearinghouse, or IT vendor directly.

Omnibus also adopted the four-tier CMP structure, finalized the breach-presumption (low-probability-of-compromise) standard, expanded patient access rights, and tightened marketing and sale-of-PHI rules.

Compliance Takeaways for Billers

Billers reduce HIPAA risk every day with a short set of habits:

  • Access only the PHI you need for the task (minimum necessary)
  • Never share login credentials and always log off shared workstations
  • Report any suspected breach or snooping to the privacy/security officer immediately
  • Confirm a signed BAA exists before any external PHI exchange
  • Verify identity before releasing information by phone

Willful neglect — ignoring known compliance gaps — produces the harshest penalties in both the civil and criminal frameworks, so prompt detection and correction always matter.

How Enforcement Actually Begins

OCR enforcement usually starts in one of three ways: a complaint filed by a patient or employee, a self-reported breach (especially a 500+ breach that hits the public portal), or a proactive compliance audit. OCR first determines whether it has jurisdiction and whether the facts describe a violation. Most investigations resolve through voluntary compliance, technical assistance, or a corrective action plan rather than a fine — OCR's stated preference is correction over punishment.

A formal CMP or a negotiated resolution agreement with a monetary settlement is reserved for serious or repeated failures, and those settlements very often cite the same root causes: no risk analysis, no encryption, no BAA, or impermissible disclosures.

Two distinctions are worth locking in for the exam. First, OCR handles civil enforcement while the DOJ prosecutes the criminal tiers — an individual employee who steals records faces criminal exposure even though the employer faces civil exposure. Second, individuals generally cannot sue under HIPAA itself (there is no private right of action); they file complaints with OCR, though state laws may give separate remedies. Knowing that HIPAA channels complaints to OCR rather than to a courtroom is a frequently tested point.

Test Your Knowledge

A clinic ignored repeated warnings that its claims system had no access controls and never conducted a risk analysis. After a breach, OCR finds the clinic consciously disregarded its HIPAA obligations and failed to fix the problem within the required timeframe. Which civil monetary penalty tier applies?

A
B
C
D
Test Your Knowledge

An employee at a billing company steals patient records intending to sell the identities to a fraud ring. Under which law and tier could this employee face the most severe consequences?

A
B
C
D