OCR enforces the Privacy and Security Rules in several ways:
HIPAA Enforcement Rule
HIPAA violations come in various shapes and sizes. If a business associate or covered entity is found to be in violation of the HIPAA standards, it can face civil or criminal penalties. The Secretary of the Department of Health and Human Services (HHS) determines the punishment based on the extent of the violation and the harm it causes; however, the Secretary is not allowed to impose civil penalties if the violation is corrected within 30 days of its original occurrence, unless the violation was caused by willful neglect.
The various HIPAA violations and their corresponding penalties are as follows. If the individual did not know that he/she violated HIPAA rules and would not have known even with reasonable diligence, the minimum penalty is $100 per violation and a maximum of $25,000 for repeat violations. The maximum penalty for all violations handled in the civil courts is $50,000 per violation and $1.5 million per annum for repeat violations. For violations that result from reasonable cause rather than willful neglect, the minimum penalty is $1,000 per violation and a maximum of $100,000 for repeat violations; the maximum penalty is the same as above. Where HIPAA has been violated through willful neglect but the violation was corrected within the required 30 days, the minimum penalty is $10,000 per violation and a maximum of $250,000 for repeat violations.
Finally, if HIPAA is violated through willful neglect and the violation is not corrected within the specified 30 days, the minimum penalty is $50,000 per violation and a maximum of $1.5 million per annum for repeat violations; the maximum penalties remain the same. Criminal penalties apply where a person covered by HIPAA standards knowingly discloses another person’s identifiable health information and thereby violates Title II of HIPAA; in this case the violator may face a fine of up to $50,000 and imprisonment of up to one year. If the above-mentioned violation is committed under false pretences, the penalties may be increased to a fine of up to $100,000 and imprisonment of up to five years. Violations committed with the purpose of selling, transferring or using a person’s identifiable health information for commercial or personal gain, or to cause malicious harm, carry fines of up to $250,000 and up to ten years’ imprisonment. Violations are listed on this website.