What Happens If You Break the HIPAA Privacy Rule? Requirements and Response Steps

Kevin Henry

HIPAA

February 18, 2025

9 minutes read

Civil Penalties for HIPAA Violations

HIPAA civil monetary penalties (CMPs) are administered by the HHS Office for Civil Rights (OCR) and scale with the level of culpability. OCR can assess penalties per violation and, for continuing noncompliance, may count each day as a separate violation. Violations of the Privacy, Security, and Breach Notification Rules are penalized independently of one another, so total exposure can add up quickly.

The four-tier penalty structure (current inflation-adjusted ranges)

  • Tier 1 — Lack of knowledge: $141 to $71,162 per violation.
  • Tier 2 — Reasonable cause (not willful neglect): $1,424 to $71,162 per violation.
  • Tier 3 — Willful neglect corrected within 30 days: $14,232 to $71,162 per violation.
  • Tier 4 — Willful neglect not corrected within 30 days: $71,162 to $2,134,831 per violation.

Annual caps apply per “identical requirement or prohibition” violated in a calendar year. The inflation-adjusted calendar-year cap is currently $2,134,831. Under OCR’s 2019 Notice of Enforcement Discretion, the annual caps for Tiers 1–3 are lower (originally $25,000, $100,000 and $250,000 respectively, since adjusted for inflation), while Tier 4 remains at the full cap. In practice, covered entity compliance failures that are promptly corrected face significantly lower annual ceilings than uncorrected willful neglect.

How OCR classifies conduct

  • Lack of knowledge: You did not know, and by exercising reasonable diligence would not have known, that a requirement was violated.
  • Reasonable cause: You knew, or by exercising reasonable diligence would have known, that the act or omission violated a requirement, but you did not act with willful neglect.
  • Willful neglect (corrected): Conscious, intentional failure or reckless indifference to the obligation to comply, but you corrected the violation within 30 days of when you knew, or should have known, of it.
  • Willful neglect (uncorrected): The same conduct, not corrected within the 30-day window; penalties escalate sharply.

Common CMP triggers include failure to conduct an enterprise-wide risk analysis, delayed breach notifications, impermissible disclosures, insufficient access controls, and failure to provide patients timely access to their records (Right of Access).

Criminal Liability under HIPAA

Criminal penalties (42 U.S.C. § 1320d-6) are prosecuted by the Department of Justice, not OCR, and apply to knowingly obtaining or disclosing individually identifiable health information in violation of the statute:

  • Knowingly obtaining or disclosing PHI: up to $50,000 and up to one year in prison.
  • Under false pretenses: up to $100,000 and up to five years in prison.
  • With intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm: up to $250,000 and up to ten years in prison.

“Knowingly” refers to the intentional act of obtaining or disclosing PHI—not necessarily knowing your conduct violates HIPAA. Individuals (workforce members, executives, contractors) and organizations can face charges. Unintentional violations typically do not trigger criminal charges but can still draw civil penalties and corrective action obligations.

Breach Notification Requirements

The Breach Notification Rule requires action when there is a breach of unsecured PHI. “Unsecured” means PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through a method specified in HHS guidance; in practice that means encryption consistent with that guidance (with the key not compromised) or proper destruction of the media. A lost laptop whose disk is properly encrypted, and whose key was not exposed, is therefore not a breach of unsecured PHI.

Risk assessment procedures (the 4-factor test)

You must presume an impermissible use or disclosure is a breach unless you document a low probability of compromise after evaluating:

  • The nature and extent of PHI involved (identifiers and sensitivity).
  • The unauthorized person who used the PHI or to whom it was disclosed.
  • Whether the PHI was actually acquired or viewed.
  • The extent to which the risk has been mitigated (e.g., prompt retrieval, robust assurances of destruction).

Who to notify and when

  • Individuals: Without unreasonable delay and no later than 60 calendar days after discovery (the day you knew, or by exercising reasonable diligence would have known, of the breach). Use written notice by first-class mail, or email if the individual has agreed to electronic notice. If contact information is missing or out of date for fewer than 10 individuals, use an alternative form of written notice, telephone, or other means; for 10 or more, provide substitute notice (a conspicuous posting on your website home page for 90 days, or major print or broadcast media) and maintain a toll-free number for at least 90 days.
  • HHS Secretary:
    • Breaches affecting 500+ individuals: within 60 days of discovery.
    • Breaches affecting fewer than 500 individuals: log and report no later than 60 days after the end of the calendar year in which discovered (you may report earlier).
  • Media: If more than 500 residents of a single state or jurisdiction are affected, notify prominent media outlets serving that area without unreasonable delay and no later than 60 days after discovery.
  • Business associates: Must notify the covered entity without unreasonable delay and no later than 60 days from discovery, supplying the identity of each affected individual and any other information the covered entity needs for its own notices. Business associate agreements commonly shorten this window, so check the contract rather than assuming the full 60 days.

Content of notices

Notices must explain what happened (including breach and discovery dates), the types of information involved, steps individuals should take, what you are doing to investigate and mitigate harm, and how to contact you with questions.

Law enforcement delay

If a law enforcement official determines that notice would impede a criminal investigation or damage national security, you may delay notification for the period requested in writing—or for up to 30 days on an oral request while you await written confirmation.
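The deadlines above interact (individual, HHS and media clocks all run from discovery, the under-500 HHS report keys off the calendar year, and a law-enforcement request can hold notices), so it helps to compute them rather than reason about each by hand. The script below is an added example, not code from the original article or from Accountable; the dates and headcounts are constructed, and the treatment of a law-enforcement hold that runs past day 60 as extending the outer deadline is an assumption flagged in the code.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

# Outer limits from the Breach Notification Rule (45 CFR 164.404-164.412).
# "No later than" dates are ceilings; the rule also forbids unreasonable delay.
NOTICE_WINDOW = timedelta(days=60)       # individuals, HHS (500 or more), media
ORAL_LE_HOLD_MAX = timedelta(days=30)    # oral law-enforcement request without written follow-up
HHS_IMMEDIATE_THRESHOLD = 500            # 500 or more individuals: HHS within the same 60-day window
MEDIA_THRESHOLD = 500                    # MORE than 500 residents of one state or jurisdiction


@dataclass
class BreachFacts:
    discovered: date                        # day the breach is treated as discovered
    residents_by_state: dict[str, int]      # affected individuals grouped by state of residence
    le_written_delay_until: date | None = None   # end date stated in a written law-enforcement request
    le_oral_request_on: date | None = None       # date an oral law-enforcement request was received

    @property
    def individuals(self) -> int:
        return sum(self.residents_by_state.values())


def law_enforcement_hold_until(f: BreachFacts) -> date | None:
    """Date until which notices are held under 164.412, or None with no request.

    A written statement controls for the period it specifies. An oral statement
    must be documented and holds notices for at most 30 days unless a written
    statement arrives in that time.
    """
    if f.le_written_delay_until is not None:
        return f.le_written_delay_until
    if f.le_oral_request_on is not None:
        return f.le_oral_request_on + ORAL_LE_HOLD_MAX
    return None


def notification_deadlines(f: BreachFacts) -> dict[str, date | None]:
    """Outer deadline for each notice type; None where that notice is not triggered."""
    statutory = f.discovered + NOTICE_WINDOW
    hold = law_enforcement_hold_until(f)
    # Assumption for this example (the rule text only says to delay for the
    # requested period): a hold that runs past day 60 extends the outer date.
    outer = max(statutory, hold) if hold is not None else statutory

    if f.individuals >= HHS_IMMEDIATE_THRESHOLD:
        hhs = outer
    else:
        # Fewer than 500: log it and report within 60 days after the end of the
        # calendar year of discovery (earlier reporting is allowed).
        hhs = date(f.discovered.year, 12, 31) + NOTICE_WINDOW

    largest_state = max(f.residents_by_state.values(), default=0)
    media = outer if largest_state > MEDIA_THRESHOLD else None
    return {"individuals": outer, "hhs": hhs, "media": media}


def substitute_notice(unreachable: int) -> str:
    """Substitute-notice form under 164.404(d)(2) for individuals with missing or stale contact details."""
    if unreachable == 0:
        return "none"
    if unreachable < 10:
        return "alternative written notice, telephone, or other means"
    return ("conspicuous posting on the home page for 90 days or major print/broadcast media, "
            "plus a toll-free number active for at least 90 days")


def deadlines_from_iso(discovered: str, residents_by_state: dict[str, int],
                       le_written_until: str | None = None,
                       le_oral_on: str | None = None) -> dict[str, str | None]:
    """Same computation with ISO-8601 date strings in and out, convenient for scripting."""
    parse = lambda s: date.fromisoformat(s) if s else None
    f = BreachFacts(date.fromisoformat(discovered), residents_by_state,
                    parse(le_written_until), parse(le_oral_on))
    return {k: (v.isoformat() if v else None) for k, v in notification_deadlines(f).items()}


if __name__ == "__main__":
    # Constructed scenario: discovered 10 March 2025, 600 California and 40 Nevada residents,
    # with an oral law-enforcement request received on 20 April 2025.
    for kind, when in deadlines_from_iso("2025-03-10", {"CA": 600, "NV": 40},
                                         le_oral_on="2025-04-20").items():
        print(f"{kind:12s} no later than {when}")
    print("substitute notice for 12 unreachable individuals:", substitute_notice(12))
```

Two edge cases the thresholds hide are worth checking: exactly 500 affected individuals triggers the HHS 60-day report but not media notice (media needs more than 500 residents of one state), and a breach discovered late in the year with fewer than 500 individuals still gets its HHS deadline from the calendar year, which can fall before the individual-notice deadline has even elapsed.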


Corrective Actions and Mitigation Strategies

After a violation or breach, your goal is to limit harm, restore safeguards, and demonstrate covered entity (or business associate) compliance. Where gaps exist, expect OCR to require a documented corrective action plan with multi-year monitoring.

Immediate response steps

  • Contain and investigate: Isolate affected systems, preserve logs and evidence, and engage forensics.
  • Activate breach response governance: Convene privacy, security, legal, and leadership; brief your board as appropriate.
  • Complete the risk assessment: Apply the four-factor analysis and document results; err on the side of timely notification.
  • Mitigate harm: Reset credentials, block malicious access, rotate keys, and offer support like call centers and, where appropriate, credit monitoring.
  • Communicate: Issue accurate, plain-language notices; prepare FAQs and scripts for frontline staff.

Elements of effective corrective action plans

  • Risk analysis and risk management plan covering all systems that create, receive, maintain, or transmit ePHI.
  • Updated policies and procedures (Privacy, Security, and Breach Notification Rules) with clear workforce sanctions.
  • Role-based training and retraining; periodic phishing simulations and secure handling drills.
  • Technical safeguards (least-privilege access, MFA, encryption in transit and at rest, audit logging, anomaly detection, prompt patching).
  • Vendor management: Business associate due diligence, security addenda, and monitoring.
  • Testing and monitoring: Regular evaluations, tabletop exercises, and metrics reported to leadership.
  • Documentation: Maintain required records for at least six years.

Enforcement Examples and Case Studies

  • PIH Health (2025): $600,000 settlement after a phishing attack compromised ePHI. OCR cited gaps in Security Rule implementation and required a multi-year corrective action plan.
  • Comstar, LLC (2025): $75,000 settlement for a ransomware incident impacting over half a million individuals; OCR emphasized the lack of an accurate and thorough risk analysis.
  • BST & Co. CPAs, LLP (2025): $175,000 settlement tied to a ransomware infection; the business associate agreed to beef up risk analysis, encryption, and workforce training under oversight.
  • Providence Medical Institute (2024): $240,000 civil money penalty imposed after a series of ransomware attacks; OCR cited Security Rule deficiencies and the lack of safeguards against unauthorized access to ePHI.
  • Cascade Eye & Skin Centers (2024): $250,000 settlement following a ransomware attack; OCR focused on Security Rule deficiencies and required a comprehensive corrective action plan.
  • Right of Access Initiative (multiple years): Numerous settlements ranging from $5,000 to $200,000 where providers failed to provide records promptly, reinforcing that Privacy Rule access rights are an ongoing enforcement priority.

Understanding Penalty Calculation and Caps

OCR calibrates penalties using regulatory factors that weigh both aggravating and mitigating circumstances. Knowing how these apply helps you plan a defensible response and compliance strategy.

How OCR determines amounts

  • Nature and extent of the violation: number of individuals affected and duration of noncompliance.
  • Resulting harm: physical, financial, reputational harm, or hindrance to obtaining care.
  • History: prior compliance issues and responsiveness to technical assistance.
  • Financial condition and size: ability to continue operations and provide care.
  • Other justice factors: unique case circumstances that merit adjustment.

Caps, counting, and enforcement discretion

  • Annual cap: For identical provisions, total civil monetary penalties are capped per calendar year (currently $2,134,831).
  • Counting violations: OCR may count each day of continuing noncompliance or each affected record/event, depending on the requirement violated.
  • Reduced annual caps for lower tiers: Under OCR’s enforcement discretion, annual caps for Tiers 1–3 are substantially lower than the published global cap, provided issues are corrected promptly; Tier 4 remains at the higher cap.
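The per-day counting rule and the per-year, per-provision cap determine how exposure actually accumulates, so a small calculator makes the mechanics concrete. This is an added example, not code from the article or from Accountable; it hard-codes only the tier ranges and the $2,134,831 cap quoted on this page, the findings are constructed, and the lower enforcement-discretion caps for Tiers 1–3 are deliberately left for the caller to supply rather than guessed.

```python
from __future__ import annotations
from datetime import date

# Per-violation ranges and the calendar-year cap as given on this page
# (current inflation-adjusted figures). Tier -> (minimum, maximum) per violation.
TIERS = {
    1: (141, 71_162),
    2: (1_424, 71_162),
    3: (14_232, 71_162),
    4: (71_162, 2_134_831),
}
ANNUAL_CAP = 2_134_831   # per identical requirement or prohibition, per calendar year


def _parse(d: str | date) -> date:
    return d if isinstance(d, date) else date.fromisoformat(d)


def days_by_calendar_year(start: str | date, end: str | date) -> dict[int, int]:
    """Days of continuing noncompliance in each calendar year, both ends inclusive."""
    start, end = _parse(start), _parse(end)
    if end < start:
        raise ValueError("end precedes start")
    counts: dict[int, int] = {}
    year = start.year
    while True:
        year_start = max(start, date(year, 1, 1))
        year_end = min(end, date(year, 12, 31))
        counts[year] = (year_end - year_start).days + 1
        if year_end == end:
            return counts
        year += 1


def provision_exposure(start: str | date, end: str | date, tier: int,
                       per_day: int | None = None,
                       annual_cap: int = ANNUAL_CAP) -> dict[int, int]:
    """Exposure per calendar year for ONE provision, counted per day of noncompliance.

    per_day defaults to the tier minimum. annual_cap defaults to the page's global
    cap; for Tiers 1-3 pass the lower enforcement-discretion cap yourself (assumed
    to be supplied by the caller, not hard-coded here).
    """
    lo, hi = TIERS[tier]
    amount = lo if per_day is None else per_day
    if not lo <= amount <= hi:
        raise ValueError(f"Tier {tier} per-violation amount must be within {lo}..{hi}")
    return {year: min(days * amount, annual_cap)
            for year, days in days_by_calendar_year(start, end).items()}


def total_exposure(findings: list[tuple[str, str, str, int]]) -> int:
    """Sum across separately penalizable provisions; each provision gets its own cap per year."""
    return sum(sum(provision_exposure(s, e, tier).values()) for _, s, e, tier in findings)


if __name__ == "__main__":
    # Constructed findings: (label, first day out of compliance, last day, tier).
    findings = [
        ("no enterprise-wide risk analysis (uncorrected willful neglect)", "2024-01-01", "2025-03-31", 4),
        ("workforce training lapse (reasonable cause)", "2025-01-01", "2025-01-10", 2),
    ]
    for label, s, e, tier in findings:
        print(label, provision_exposure(s, e, tier))
    print("total ceiling across provisions:", f"${total_exposure(findings):,}")
```

At the Tier 4 minimum, 30 days of daily counting already exceeds the annual cap (30 × $71,162 = $2,134,860), so a willful-neglect finding that straddles a year boundary is effectively two full caps, not one; that is the arithmetic behind the page's point that uncorrected willful neglect is where exposure stops being proportional to the lapse.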

Key takeaway

Most penalties are avoidable. If you promptly detect issues, document your risk assessment procedures, move quickly on corrective action plans, and meet Breach Notification Rule timelines, you greatly reduce exposure, both to civil monetary penalties and to reputational harm.

FAQs

What are the financial penalties for breaking the HIPAA Privacy Rule?

OCR can impose civil monetary penalties from $141 up to $2,134,831 per violation depending on culpability and facts, with an annual cap per identical requirement. Under current enforcement discretion, annual caps for lower tiers (lack of knowledge, reasonable cause, and corrected willful neglect) are significantly reduced, while uncorrected willful neglect remains subject to the highest cap. Separate violations across different HIPAA provisions can be penalized independently.

How soon must a breach be reported to affected individuals?

Notify without unreasonable delay and no later than 60 calendar days after discovery. For incidents affecting 500 or more individuals, notify HHS within the same 60-day window and, if more than 500 residents of a single state or jurisdiction are affected, notify prominent media. For fewer than 500 individuals, log the breach and report it to HHS within 60 days after the end of the calendar year in which it was discovered. A law enforcement request can delay notifications for a specified period.

What corrective actions are required after a HIPAA violation?

Expect to perform and document an enterprise-wide risk analysis, implement a risk management plan, update policies and procedures, retrain your workforce, strengthen technical safeguards (access controls, MFA, encryption, logging), address business associate risks, and monitor for sustained compliance. OCR frequently formalizes these steps in a multi-year corrective action plan.

Can criminal charges be filed for unintentional HIPAA violations?

Criminal charges require knowing wrongful conduct (for example, snooping, false pretenses, or using PHI for personal gain). Unintentional errors typically do not trigger criminal liability, but they can still lead to civil penalties, mandatory breach notifications, and corrective actions under OCR oversight.
