Cost of HIPAA Noncompliance

Think complying with HIPAA is a challenge? The cost of noncompliance is worse.

Common types of HIPAA violations

If you’re reading this blog, you know that any company that handles personal health information is required to be compliant with HIPAA. For Covered Entities, compliance can be even more challenging because their HIPAA compliance efforts depend not only on their own actions but also on those of their vendors. Ensuring that each and every one of your business associates is compliant can be time-consuming and costly.

Even signing business associate agreements with your vendors is no guarantee that they will protect the PHI they may come into contact with. Even with BAAs in place, 45% of healthcare providers have experienced a third-party breach of PHI through their vendors. Because of this risk, HIPAA requires that vendors do more than simply sign an agreement. Vendors must comply with the Security Rule, which requires that business associates conduct risk analyses of their systems and address potential security risks. When breaches do occur, business associates are obligated under the law to disclose the details of the breach. The Breach Notification Rule of HIPAA requires that business associates notify covered entities of a breach of protected health information in a timely manner. The goal of these regulations is for covered entities and their business associates to be proactive about the security of PHI. However, many business associates, and even covered entities, don’t assess the risk of their systems regularly, leading to breaches and fines. Without regular and formal risk assessments, many business associates fail to identify threats, as well as the potential legal and financial impact of fines for noncompliance with HIPAA.

Most HIPAA violations fall into one of three categories: unencrypted data, employee error, or breaches due to theft.

Unencrypted Data

The vast majority of data breaches are due to stolen or lost data that was unencrypted. Encrypting the data is an additional level of protection if a device containing PHI is lost or stolen. Additionally, encrypting the data provides further protection if a device is somehow remotely accessed through hacking. While encryption is not a strict requirement of HIPAA, it is strongly recommended.

Loss or Theft of Technology

One of the most common types of HIPAA violations is simply losing a device with PHI on it. While there is really nothing anyone can do to completely eliminate the risk of theft, encrypting the information on the device and protecting it with a passcode is generally enough to safeguard the data, so that in the event it does get stolen, the thieves will be unable to access the data.

Lack of Employee Training

Breaches can occur when an employee loses a portable device, insecurely sends ePHI to vendors who may post or lose that information online, or discloses identifiable patient information in conversation.

Every employee who may come into contact with PHI must be trained on HIPAA regulations and compliance. This is more than just a good idea - it is a requirement of HIPAA. When discussing PHI, employees should always be aware of who may be listening.


How much do HIPAA Violations Cost?

The cost of noncompliance with HIPAA can be crippling to an organization. The penalties for HIPAA noncompliance are based on the perceived level of negligence and can range from $100 to $50,000 per individual violation, with a maximum penalty of $1.5 million per calendar year for violations. Additionally, violations can also result in jail time for the individuals responsible.

HIPAA breaks the penalties for noncompliance into four tiers:

  • First Tier: The covered entity did not know and could not reasonably have known of the breach. Generally, these range from $100 to $50,000 per incident, up to $1.5 million in penalties.
  • Second Tier: The covered entity knew, or by exercising reasonable diligence would have known, of the violation, though it did not act with willful neglect. Fines for the second tier can range from $1,000 to $50,000 per incident, up to $1.5 million.
  • Third Tier: The covered entity “acted with willful neglect” but corrected the problems within a 30-day period of the breach. Penalties for the third tier can range from $10,000 to $50,000 per incident, up to $1.5 million.
  • Fourth Tier: The covered entity acted with willful neglect and failed to make a timely correction. Fines start at $50,000 per incident, up to $1.5 million.

If HHS decides that there was deliberate malicious intent, the Department of Justice can step in. As with the civil penalties for noncompliance, there are multiple tiers of penalties for violations that are considered criminal.

Prevent HIPAA Violations with Accountable

It’s important to remember that as easy as it is to violate HIPAA, implementing training and policies to safeguard PHI and your organization is easier. That is why we created Accountable: an all-in-one cloud-based platform to help you achieve and maintain HIPAA compliance. We give you the tools you need to train your employees, manage your vendors, and identify risk within your organization.

Oh, and it’s free to get started.

Need HIPAA help?

Accountable can help you achieve HIPAA compliance for your company.
