HIPAA Definition
The complete guide to understanding the Health Insurance Portability and Accountability Act and what it means for healthcare organizations.
Official Definition
HIPAA (Health Insurance Portability and Accountability Act) is a United States federal law enacted in 1996 that establishes national standards to protect sensitive patient health information from being disclosed without the patient's consent or knowledge.
What Does HIPAA Stand For?
- Health
- Insurance
- Portability
- and
- Accountability
- Act
Why HIPAA Matters
HIPAA gives patients control over their health information. It sets boundaries on the use and release of health records, establishes safeguards that healthcare providers and their vendors must implement to protect the privacy of that information, and holds violators accountable with civil and criminal penalties.
The law applies to all forms of protected health information, whether electronic, written, or oral. Organizations that handle health data must implement comprehensive security measures and train their workforce on proper handling procedures.
Privacy Rule
Protects the privacy of individually identifiable health information, known as Protected Health Information (PHI). Establishes patient rights over their health information.
Security Rule
Sets standards for protecting electronic PHI (ePHI) through administrative, physical, and technical safeguards. The technical safeguards cover access controls, audit controls, integrity controls, authentication, and transmission security. Encryption is an "addressable" specification: a covered entity must either implement it or document why an equivalent alternative is reasonable and appropriate, so "addressable" does not mean optional.
Breach Notification Rule
Requires covered entities to notify affected individuals without unreasonable delay, and no later than 60 days after discovery, when unsecured PHI (PHI not rendered unusable through encryption or destruction under HHS guidance) is breached. HHS must also be notified: within the same 60 days for breaches affecting 500 or more individuals, or in an annual log for smaller breaches. Breaches affecting more than 500 residents of a state or jurisdiction must additionally be reported to prominent media outlets serving that area. Business associates must notify the covered entity so it can meet these deadlines.
Enforcement Rule
Contains provisions relating to compliance and investigations, penalties for violations, and procedures for hearings.
Who Must Comply with HIPAA?
HIPAA applies to two categories of organizations that handle protected health information:
Covered Entities include healthcare providers (doctors, clinics, hospitals, pharmacies), health plans (insurance companies, HMOs, government programs like Medicare), and healthcare clearinghouses that process health information.
Business Associates are organizations that perform functions on behalf of covered entities involving PHI. This includes IT service providers, cloud hosting companies, billing services, consultants, attorneys, and accountants who have access to patient information.
What is Protected Health Information (PHI)?
Protected Health Information (PHI) is any individually identifiable information about health status, provision of health care, or payment for health care that a covered entity or business associate creates, receives, maintains, or transmits. HIPAA's Safe Harbor de-identification method (45 CFR 164.514(b)) lists 18 identifier classes that must be removed before health data stops being PHI:
Names; geographic subdivisions smaller than a state (street address, city, county, ZIP code, with the first three ZIP digits permitted in most areas); all elements of dates except the year that relate to an individual (birth, admission, discharge, death), plus any age over 89 unless aggregated into a "90 or older" category; telephone numbers; fax numbers; email addresses; Social Security numbers; medical record numbers; health plan beneficiary numbers; account numbers; certificate or license numbers; vehicle identifiers and serial numbers including license plates; device identifiers and serial numbers; web URLs; IP addresses; biometric identifiers such as fingerprints and voiceprints; full-face photographs and comparable images; and any other unique identifying number, characteristic, or code.
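The 18 identifier classes above are exactly what the Safe Harbor method requires removing or generalizing. As an added example (not code from this page or from HHS), here is a small Python scrubber that applies those rules to a constructed patient record: it drops the direct identifiers and sub-state geography, keeps only a three-digit ZIP prefix, reduces dates to the year, aggregates ages over 89 into a "90+" band (dropping the birth year as well, since the year alone would reveal the age), and redacts patterned identifiers from free-text notes. The field names, sample record, regexes, and the restricted ZIP prefix set are all assumptions for the demo and not taken from the page.

```python
"""Safe Harbor de-identification of a constructed patient record.

Added example for this page; not code from HHS or from the original text.
It applies the Safe Harbor method (45 CFR 164.514(b)(2)) to a record whose
field names, values, regexes and restricted ZIP prefixes are all constructed
for the demo.
"""
import re
from datetime import date

# Identifier classes with no reduced form: these fields are dropped outright.
# Address, city and county go too because they are geography smaller than a state.
DROP_FIELDS = {
    "name", "address", "city", "county", "phone", "fax", "email", "ssn", "mrn",
    "beneficiary_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip_address", "biometric", "photo",
}

# Safe Harbor keeps the first three ZIP digits only if that three-digit area
# has more than 20,000 people; otherwise the prefix becomes "000". The real
# restricted list comes from Census data; this set is an assumed placeholder.
RESTRICTED_ZIP3 = {"036", "059", "102", "203", "556", "692", "790", "821",
                   "823", "830", "831", "878", "879", "884", "890", "893"}

# Dates other than the date of birth are reduced to the year.
DATE_FIELDS = {"admit_date", "discharge_date", "death_date"}

# Patterned identifiers that tend to hide in free-text notes (assumed, not exhaustive).
FREETEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
}


def generalize_zip(zip_code: str) -> str:
    """Return the permitted three-digit ZIP prefix, or "000" for restricted areas."""
    zip3 = zip_code.strip()[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def generalize_dob(dob_iso: str, as_of: date) -> dict:
    """Reduce a date of birth to birth year and age, aggregating ages over 89."""
    born = date.fromisoformat(dob_iso)
    age = as_of.year - born.year - ((as_of.month, as_of.day) < (born.month, born.day))
    if age >= 90:
        # A birth year would reveal an age over 89, so only the 90+ band survives.
        return {"age_band": "90+"}
    return {"birth_year": str(born.year), "age": age}


def scrub_free_text(text: str) -> str:
    """Replace patterned identifiers in free text with labelled placeholders."""
    for label, pattern in FREETEXT_PATTERNS.items():
        text = pattern.sub(f"[REDACTED-{label}]", text)
    return text


def deidentify(record: dict, as_of: date) -> dict:
    """Apply the Safe Harbor rules field by field and return a new record."""
    out = {}
    for key, value in record.items():
        if key in DROP_FIELDS:
            continue
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key == "dob":
            out.update(generalize_dob(value, as_of))
        elif key in DATE_FIELDS:
            out[key + "_year"] = value[:4]
        elif key == "notes":
            out[key] = scrub_free_text(value)
        else:
            out[key] = value  # state, diagnosis and other clinical data pass through
    return out


# Constructed sample record; every value here is made up for the demo.
SAMPLE_RECORD = {
    "name": "Jane Q. Doe",
    "dob": "1931-02-14",
    "ssn": "123-45-6789",
    "mrn": "MRN-0042",
    "phone": "555-867-5309",
    "email": "jane@example.org",
    "address": "1 Main St",
    "city": "Springfield",
    "state": "NH",
    "zip": "03601",
    "admit_date": "2024-05-20",
    "diagnosis": "Type 2 diabetes",
    "notes": "Called patient at 555-867-5309 on 05/20/2024; see jane@example.org.",
}

if __name__ == "__main__":
    for k, v in deidentify(SAMPLE_RECORD, date(2024, 6, 1)).items():
        print(f"{k}: {v}")
```

Two caveats a practitioner should keep in mind. Safe Harbor also requires that the entity has no actual knowledge that the remaining data could identify the individual, so removing the listed fields is necessary but not sufficient. And regex scrubbing of notes catches only patterned identifiers; names, employers, and rare diagnoses mentioned in free text need a dedicated review or a named-entity tool, which is why many organizations treat unstructured notes as PHI until a human or the Expert Determination method says otherwise.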
HIPAA Violation Penalties
The Office for Civil Rights (OCR) enforces the HIPAA rules and can impose significant civil money penalties. Penalties are assessed per violation and tiered by level of culpability; the base amounts below are the HITECH figures, which HHS adjusts annually for inflation:

| Tier | Level of culpability | Penalty per violation |
|---|---|---|
| Tier 1 | Unaware: the organization did not know, and with reasonable diligence could not have known, of the violation | $100 – $50,000 |
| Tier 2 | Reasonable cause: the violation had a reasonable cause and was not due to willful neglect | $1,000 – $50,000 |
| Tier 3 | Willful neglect, corrected within 30 days of discovery | $10,000 – $50,000 |
| Tier 4 | Willful neglect, not corrected within 30 days | $50,000 and up |

The statutory annual maximum is $1.5 million per identical provision violated; since a 2019 HHS notice of enforcement discretion, OCR applies lower annual caps of $25,000, $100,000, and $250,000 to Tiers 1 through 3 and keeps the $1.5 million cap for Tier 4. Criminal penalties, prosecuted by the Department of Justice, apply to knowingly obtaining or disclosing PHI: up to $50,000 and one year in prison at the base level, up to $100,000 and five years when done under false pretenses, and up to $250,000 and ten years when done with intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm.
The actual penalty in any case depends on many factors: the nature and extent of the violation and of the resulting harm, the organization's history of prior compliance, its size and financial condition, how it cooperated with investigators, and the corrective actions it took. OCR has broad discretion within the statutory ranges, and most investigations end in a corrective action plan or a negotiated settlement rather than a formal civil money penalty, so any fine estimate based only on tier and record count is illustrative at best.
History of HIPAA
- 1996, HIPAA Enacted: Signed into law by President Bill Clinton on August 21, 1996; the original focus was health insurance portability and administrative simplification, with the privacy and security rules to follow.
- 2003, Privacy Rule Takes Effect: Compliance required for covered entities by April 14, 2003, establishing patient rights over health information and limits on its use and disclosure.
- 2005, Security Rule Takes Effect: Compliance required for covered entities by April 20, 2005, mandating administrative, physical, and technical safeguards for ePHI.
- 2009, HITECH Act: The Health Information Technology for Economic and Clinical Health Act expanded HIPAA requirements, introduced the Breach Notification Rule, and significantly increased penalties.
- 2013, Omnibus Rule: Final rule implementing the HITECH provisions, published in January 2013 with a compliance date of September 23, 2013; it made business associates directly liable under the Security Rule and parts of the Privacy Rule and strengthened privacy protections.
Frequently Asked Questions
- Is HIPAA only for hospitals and doctors?
  No. HIPAA applies to all covered entities and their business associates. This includes health plans, healthcare clearinghouses, and any organization that handles PHI on behalf of a covered entity, such as IT providers, billing companies, cloud hosts, and consultants.
- What is a Business Associate Agreement (BAA)?
  A BAA is a written contract between a covered entity and a business associate (or between a business associate and its subcontractor) that establishes the permitted uses and disclosures of PHI. It requires the business associate to implement appropriate safeguards, report security incidents and breaches, and ensure that subcontractors agree to the same restrictions. Disclosing PHI to a vendor that is acting as a business associate without a BAA in place is itself a HIPAA violation, independent of whether any breach follows.
- Does HIPAA apply to employee health records?
  Employment records, including health information an employer holds in its role as an employer (sick notes, drug test results, workplace injury reports), are generally not covered by HIPAA. However, if the employer also acts as a covered entity, for example by sponsoring a self-insured group health plan, the records of that health plan are covered and must be kept separate from employment decisions.
- Can patients access their own health records under HIPAA?
  Yes. HIPAA gives patients the right to access, inspect, and obtain copies of their health records in a designated record set. Covered entities must respond within 30 days of the request, with one 30-day extension permitted if the individual is told the reason in writing, and may charge only a reasonable, cost-based fee for copies.
- What should I do if I suspect a HIPAA violation?
  You can file a complaint with the HHS Office for Civil Rights (OCR) through its online portal, by mail, by fax, or by email. Complaints must be filed within 180 days of when you knew or should have known about the act or omission; OCR may extend this for good cause. Covered entities are also required to maintain their own complaint process, so a report to the organization's privacy officer is a valid first step. OCR investigates complaints and can require corrective action or impose penalties.