There are various levels of criminal enforcement of HIPAA violations, with the lowest being a misdemeanor. Many people are confused about what exactly constitutes a criminal charge, and they worry that if they do something accidentally, they will end up in jail. I would guess that accessing a chart that you know you should not be looking at would not fall under the category of “accidental”. At UCLA Medical Center, a doctor served 4 months in prison for accessing a celebrity’s chart out of curiosity. This was because it fell under the terms of “false pretenses”. It would not be considered a felony because the sentence was only 4 months, and the punishment for a felony must be more than one year.

One of the most common penalties I see for HIPAA violations involves “willful neglect”. Basically, this means that you knew you were doing something wrong, maybe you were even spoken to about it, yet you continued to do it anyway. The actual definition of willful neglect is: “conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated”. Willful neglect enforcement can be anywhere from $10,000 to $50,000. The good news is that the mandatory penalties are reserved only for those violations that involve willful neglect; for other violations, covered entities and business associates may avoid penalties altogether if they correct the situation within 30 days. Even if they fail to correct the situation, the OCR may waive or reduce penalties if it determines that the penalties in a given case would be excessive. Covered entities and business associates should take appropriate action to ensure that they are not deemed to have acted with willful neglect. Among other things, entities should:

  • Implement the written policies that are required by HIPAA as set forth in 45 CFR part 164, including those dealing with use and disclosure rules, electronic security, patient rights, breach notification, and administrative requirements.
  • Train employees and other workforce members concerning the policies, and document the training.
  • Immediately address and correct any potential HIPAA violation and document such actions, including the imposition of sanctions against those who violated HIPAA.
  • If required, notify patients and HHS of privacy breaches.
  • Cooperate with the OCR during any investigation.
Taking such actions should protect covered entities from a finding of “willful neglect” and the mandatory penalties that may otherwise follow.

Other Penalties

Another penalty I see for violations is “reasonable cause”. This is defined as an act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the covered entity or business associate did not act with willful neglect. As you can see, the two are very close in meaning. You just need to be vigilant and careful. Think before you peek!