HIPAA sets severe penalties for non-compliance. The penalties fall into two categories:

  1. Civil penalties: monetary fines imposed by the Secretary of HHS
  2. Criminal penalties: fines, imprisonment, or both, for knowing violations

Under “General Penalty for Failure to Comply with Requirements and Standards” of Public Law 104-191, the Health Insurance Portability and Accountability Act of 1996, Section 1176 provides that the Secretary may impose on any person who violates a provision of this part a civil penalty of not more than $100 per violation, capped at $25,000 per calendar year for all violations of an identical requirement or prohibition. These are the amounts in the statute as enacted in 1996; the HITECH Act of 2009 replaced them with a tiered schedule of substantially higher per-violation amounts and an annual cap of $1.5 million per provision.

Under “Wrongful Disclosure of Individually Identifiable Health Information,” Section 1177 states that a person who knowingly, and in violation of this part:

  1. uses or causes to be used a unique health identifier;
  2. obtains individually identifiable health information relating to an individual; or
  3. discloses individually identifiable health information to another person,

shall be punished as follows:

  1. fined not more than $50,000, imprisoned not more than 1 year, or both;
  2. if the offense is committed under false pretenses, fined not more than $100,000, imprisoned not more than 5 years, or both; and
  3. if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, fined not more than $250,000, imprisoned not more than 10 years, or both.

Complaints and Enforcement

Each part of HIPAA's Administrative Simplification provisions is assigned to a responsible enforcement agency:

Privacy: HHS Office for Civil Rights (OCR)
Fact Sheet: How to File a Health Information Privacy Complaint
Complaints must be submitted in writing within 180 days of when the complainant knew that the act or omission complained of occurred (OCR may extend this period for good cause). They can be faxed or mailed to the appropriate OCR regional office, or sent via email.

Transactions and Code Sets: Centers for Medicare & Medicaid Services (CMS)
CMS and OCR work together on outreach and enforcement and on issues that touch on the responsibilities of both organizations, such as the application of security standards or exception determinations.
CMS’ Online Complaint Submission Form allows complaints to be submitted about covered entities’ non-compliance with the HIPAA transaction standards. Complaints can also be submitted on a paper-based form available by download from the site (PDF).

Security: Centers for Medicare & Medicaid Services (CMS)
Note that this reflects the original assignment; in July 2009 HHS delegated enforcement of the Security Rule to OCR, which now handles both Privacy Rule and Security Rule complaints.

Identifiers: Centers for Medicare & Medicaid Services (CMS)