The Tiers of HIPAA violations

If you violate HIPAA, you can be fined. The penalty is determined by how serious the violation is. However, most cases are resolved with technical guidance from OCR or by agreeing to change your policies and procedures to prevent future violations. Financial penalties are reserved for the most serious violations of the HIPAA Rules.


What Happens if you Violate HIPAA? – HIPAA Violation Classifications

What happens if you break HIPAA? Well, that depends. The Office for Civil Rights (OCR) prefers to resolve violations using non-punitive measures, such as voluntary compliance or issuing technical guidance to help covered entities address areas of non-compliance. More serious violations, however, may result in corrective action, such as termination of your business or even criminal charges.

The four categories used for the penalty structure are as follows:

  • Tier 1: A violation that the covered entity was unaware of and could not realistically have avoided, had a reasonable amount of care been taken to abide by HIPAA Rules
  • Tier 2: A violation that the covered entity should have been aware of but could not have avoided even with a reasonable amount of care (but falling short of willful neglect of HIPAA Rules)
  • Tier 3: A violation suffered as a direct result of “willful neglect” of HIPAA Rules, in cases where an attempt has been made to correct the violation
  • Tier 4: A violation of HIPAA Rules constituting willful neglect, where no attempt has been made to correct the violation

It is not always the case that a violation can be avoided, and in such a case it would seem unfair to issue a fine for an unknown violation. The Department of Health and Human Services (HHS) has the right to waive the fine if you were unaware of the violation. However, HHS cannot waive the fine if the violation involved willful neglect of the data privacy and security standards.


HIPAA Financial Penalties

There are different penalties for each HIPAA violation. It's up to OCR to choose an appropriate penalty from a range of possibilities. OCR considers many factors when deciding on a penalty, including how long the problem was allowed to continue, how many people were affected, and the nature of the information exposed. Whether or not your organization cooperates with the investigation is just as important as the facts underlying the case.

  • Tier 1:
    “Unaware of the HIPAA violation and by exercising reasonable due diligence would not have known HIPAA Rules had been violated.” Minimum fine of $100 per violation up to $50,000
  • Tier 2:
    “Reasonable cause that the covered entity knew about or should have known about the violation by exercising reasonable due diligence.” Minimum fine of $1,000 per violation up to $50,000
  • Tier 3:
    “Willful neglect of HIPAA Rules with the violation corrected within 30 days of discovery.” Minimum fine of $10,000 per violation up to $50,000
  • Tier 4:
    “Willful neglect of HIPAA Rules and no effort made to correct the violation within 30 days of discovery.” Minimum fine of $50,000 per violation

The fines listed above are the amounts that the HITECH Act stipulates. It should be noted that these are adjusted annually to account for inflation. The civil monetary penalties for 2018 and 2019, adjusted for inflation, can be viewed on this link.


I hope this article was helpful. If you have any questions, please feel free to contact me. If you would like to be notified when I create a new post, you can subscribe to my blog alert.

Patrick Domingues