HIPAA Penalties

Penalties for contravention of federal laws are typically set according to the severity of the offense and the magnitude of its consequences. Criminal penalties prescribed by HIPAA, the medical privacy law introduced in 1996, are no exception. The more serious and intentional the breach, the more severe consequences an offender should expect to face.

Breaching HIPAA Federal Law

There are three main categories of "wrongful disclosure" offenses that a person or organization might commit concerning HIPAA regulations. The first level of HIPAA offense is when a person or an organization discloses or obtains individually identifiable health information protected by HIPAA. This violation carries a penalty of $50,000, a prison term of up to one year, or in some cases, both.

The second type of offense is when a person discloses or obtains individually identifiable health information under false pretenses. Given the added element of deception involved, the penalties for this offense are accordingly higher. Such offenses can be punished by penalties of $100,000, jail sentences of up to five years, or both.

The third, and most serious category of offense, is when a person or organization discloses or obtains individually identifiable health information with the intent to sell that information or use it to commercial advantage. Violations that fall into this category can be punished by fines of $250,000 and jail sentences of up to ten years, or both.

While offenders that can prove they breached HIPAA regulations unintentionally may face a significantly higher level of judicial leniency, anyone who knowingly and deliberately breaches HIPAA laws for any purpose can expect severe penalties.