HIPAA violations can result in civil penalties, and, in some cases, criminal penalties. Here is general information about penalties to help covered dental practices understand some of the risks of violating HIPAA.
There are four tiered ranges of penalties for violating HIPAA. There are maximum penalty caps of up to $1.5 million for all violations of an identical provision during a calendar year.
|1. No Knowledge3
|3. Willful neglect,
|4. Willful neglect,
In many cases, the maximum penalty amount will not be imposed. Instead, the government will determine the amount of a penalty on a case-by-case basis, depending on the nature and extent of the violation and resulting harm, as well as other aggravating and mitigating factors. HIPAA contains a list of aggravating and mitigating factors that the government must consider when determining the amount of a penalty.
The aggravating and mitigating factors are listed in the HIPAA regulations at 45 CFR 160.408.
Examples of the factors include:
- The number of individuals affected
- Whether the violation caused physical, financial or reputational harm or hindered a patient’s ability to obtain health care
- The dental practice’s history of prior compliance or noncompliance
- The financial condition of the dental practice
- Whether the imposition of a civil penalty would jeopardize the dental practice’s ability to continue to provide health care
- The size of the dental practice
The government may waive a penalty in whole or in part to the extent that payment would be excessive relative to the violation, and the government has the discretion to settle any issue or case or to compromise the amount of civil penalty assessed for a HIPAA violation. Settlements often include a corrective action plan in addition to a monetary payment.
A HIPAA violation can also result in criminal penalties. According to the U.S. Department of Health and Human Services Office for Civil Rights (OCR):
A person who knowingly obtains or discloses individually identifiable health information in violation of the Privacy Rule may face a criminal penalty of up to $50,000 and up to one-year imprisonment. The criminal penalties increase to $100,000 and up to five years imprisonment if the wrongful conduct involves false pretenses, and to $250,000 and up to 10 years imprisonment if the wrongful conduct involves the intent to sell, transfer, or use identifiable health information for commercial advantage, personal gain or malicious harm. The Department of Justice is responsible for criminal prosecutions under the Privacy Rule.
Source: OCR, Summary of the HIPAA Privacy Rule, and scroll down to “Enforcement and Penalties for Noncompliance.”
For more information about HIPAA enforcement and penalties, see OCR, HIPAA Enforcement.
1 Per violation of an identical HIPAA requirement or prohibition.
2 Per violation of an identical HIPAA requirement or prohibition.
3 The covered entity or business associate did not know (and by exercising reasonable diligence, would not have known) that it violated the provision.
4 The violation was due to reasonable cause, and not willful neglect.
5 The violation was due to willful neglect that is corrected within 30 days.
6 The violation was due to willful neglect that is not corrected within 30 days.