4.5 HIPAA Enforcement & Violations
Key Takeaways
- The HHS Office for Civil Rights (OCR) investigates HIPAA Privacy, Security, and Breach Notification complaints and enforces civil monetary penalties.
- Civil monetary penalties follow a four-tier culpability structure: No Knowledge, Reasonable Cause, Willful Neglect-Corrected, and Willful Neglect-Not Corrected, with penalties rising as culpability increases.
- Criminal HIPAA violations are prosecuted under 42 USC section 1320d-6 in three escalating tiers: knowing violations, false pretenses, and intent to sell or use PHI for personal gain.
- The HIPAA Omnibus Rule made Business Associates and their subcontractors directly liable for HIPAA compliance and enforcement.
- Civil penalty dollar amounts are adjusted annually for inflation, so candidates should learn the tier structure and severity ranking rather than memorize fixed figures.
Who Enforces HIPAA
The HHS Office for Civil Rights (OCR) enforces the HIPAA Privacy, Security, and Breach Notification Rules. OCR investigates complaints, conducts compliance reviews and audits, and can require corrective action plans, resolution agreements, and civil monetary penalties (CMPs). The HHS Centers for Medicare & Medicaid Services enforces the Transactions, Code Sets, and Identifier standards. Criminal violations are referred to the U.S. Department of Justice.
The Four Civil Monetary Penalty Tiers
CMPs are tied to the violator's level of culpability. The amounts are statutory minimums and maximums per violation, adjusted each year for inflation, so the CPB exam expects you to know the tier structure and how penalties escalate — not exact dollar figures.
| Tier | Culpability | Description |
|---|---|---|
| Tier 1 — No Knowledge | Lowest | The entity did not know, and by exercising reasonable diligence would not have known, of the violation. Lowest penalty range. |
| Tier 2 — Reasonable Cause | Moderate | The violation was due to reasonable cause and not willful neglect; the entity should have been aware but did not act with willful neglect. |
| Tier 3 — Willful Neglect, Corrected | High | The violation was due to willful neglect — conscious or reckless disregard of HIPAA — but was corrected within the required 30-day period. |
| Tier 4 — Willful Neglect, Not Corrected | Highest | The violation was due to willful neglect and was NOT corrected in time. Highest penalty range, and a mandatory penalty. |
Each tier carries higher minimum and maximum amounts per violation, and an annual cap per identical violation type. Because the figures are CPI-adjusted annually, always confirm current amounts against the published HHS penalty schedule rather than relying on a memorized number.
Criminal Penalties Under 42 USC Section 1320d-6
Criminal HIPAA violations are prosecuted by the Department of Justice under 42 USC section 1320d-6. They apply when a person knowingly obtains or discloses individually identifiable health information in violation of HIPAA, and they escalate in three tiers:
| Criminal Tier | Conduct | Maximum Penalty |
|---|---|---|
| Knowing violation | Knowingly obtaining or disclosing PHI in violation of HIPAA | Up to $50,000 fine and up to 1 year imprisonment |
| False pretenses | Committing the offense under false pretenses | Up to $100,000 fine and up to 5 years imprisonment |
| Intent to sell or for personal gain | Intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm | Up to $250,000 fine and up to 10 years imprisonment |
The HIPAA Omnibus Rule
The HIPAA Omnibus Rule (effective 2013, implementing the HITECH Act) significantly strengthened enforcement. Its most important change for billers: it made Business Associates — and their subcontractors — directly liable for compliance with the Security Rule and applicable Privacy Rule provisions. Before Omnibus, only Covered Entities faced direct enforcement; afterward, OCR can penalize a billing company or clearinghouse directly. Omnibus also adopted the four-tier CMP structure, finalized the breach-presumption standard, and expanded patient access rights.
Compliance Takeaways for Billers
Billers reduce HIPAA risk by accessing only the PHI they need, never sharing login credentials, reporting suspected breaches immediately, and ensuring a signed BAA exists before any external PHI exchange. Willful neglect — ignoring known compliance gaps — produces the harshest penalties, so prompt correction always matters.
Practice Questions
A clinic ignored repeated warnings that its claims system had no access controls and never conducted a risk analysis. After a breach, OCR finds the clinic consciously disregarded its HIPAA obligations and failed to fix the problem in the required timeframe. Which civil monetary penalty tier applies?
An employee at a billing company steals patient records intending to sell the identities to a fraud ring. Under which law and tier could this employee face the most severe consequences?