Taking Care of Liability
The Nurse's Guide to Liability Insurance and HIPAA Compliance

Chapter 5: Financial Penalties for HIPAA Violations

Healthcare entities — from doctors and nurses to hospitals and health insurers — all need to follow the patient privacy regulations put forth by HIPAA. Failure to do so can result in seriously expensive fines ever since HITECH increased the maximum penalties in 2009.

Worth noting: in addition to HIPAA penalties, you can face criminal charges and jail time if you knowingly violate privacy laws by wrongfully obtaining or disclosing individually identifiable health information.

If a breach or an audit by the Department of Health and Human Services (HHS) reveals that a nurse failed to comply with HIPAA, the nurse can face steep financial penalties, usually at the discretion of the HHS. HIPAA fines are based on the nature and extent of the violation and the nature and extent of the harm the violation caused.

The American Medical Association outlines the penalties based on specific types of violations:

HIPAA Violations and Penalties (per violation category: minimum penalty and maximum penalty)

1. Individual did not know (and by exercising reasonable diligence would not have known) that they violated HIPAA
   Minimum penalty: $100 per violation with an annual maximum of $25,000 for repeat violations
   Maximum penalty: $50,000 per violation with an annual maximum of $1.5 million

2. HIPAA violation due to reasonable cause and not due to willful neglect
   Minimum penalty: $1,000 per violation with an annual maximum of $100,000 for repeat violations
   Maximum penalty: $50,000 per violation with an annual maximum of $1.5 million

3. HIPAA violation due to willful neglect, but the violation is corrected within the required time period
   Minimum penalty: $10,000 per violation with an annual maximum of $250,000 for repeat violations
   Maximum penalty: $50,000 per violation with an annual maximum of $1.5 million

4. HIPAA violation due to willful neglect that is not corrected
   Minimum penalty: $50,000 per violation with an annual maximum of $1.5 million
   Maximum penalty: $50,000 per violation with an annual maximum of $1.5 million

While HIPAA protects the health information of individuals, it doesn't create a private cause of action for the individual affected by a violation. This means that an individual can't use a HIPAA violation as grounds to sue. However, that might be changing, as some state courts have ruled that upholding HIPAA privacy standards is part of a healthcare professional's job. In other words, a HIPAA violation may constitute a form of professional negligence. We'll talk about that more in the next section.
