Lead the AI era of GRC at Elevate 2026 — Join us April 22–24 in Atlanta Register nowarrow_forward

menu

Lead the AI era of GRC at Elevate 2026 — Join us April 22–24 in Atlanta Register now

arrow_forward

language

Products

arrow_drop_down

Solutions

arrow_drop_down

Resources

arrow_drop_down

Diligent AI

Request a demo

Governance

Risk

Compliance

Audit

Diligent Boards

Automate meeting prep, secure sensitive data and give directors the clarity to make the best decisions.

BoardEffect

Secure, flexible board management software for nonprofits and higher education.

Community

Increase transparency, streamline governance and empower your school board or local government.

Diligent Market Intelligence

On-demand access to exclusive shareholder activism, executive compensation and ESG data.

FEATURED

Diligent One Platform

Centralize and unify all your board management and GRC activities

Role

Use Cases

Company Type

Industries

General Counsel

Safeguard your organization with centralized oversight of governance, risk and compliance.

Corporate Secretary

Run governance flawlessly with AI tools that eliminate busywork and ensure audit-readiness.

Executive Assistant

Streamline board prep, communications and approvals with AI workflows for seamless meetings.

C-Suite

Accelerate decisions and inspire confidence with AI-powered reporting and real-time risk intelligence.

Directors & Trustees

Prepare faster, mitigate risk and make smarter decisions with purpose-built board tools.

Risk Manager

See enterprise risk in real time, act decisively, and deliver AI-powered insights.

Information Security

Unify IT risk, compliance and cyber oversight in one secure platform.

Compliance Officer

Turn regulatory obligations into clear, actionable metrics — proving compliance and ROI.

Internal Auditor

Connect audit management, analytics and monitoring in a secure, AI-powered hub.

FEATURED

Diligent One Platform

Centralize and unify all your board management and GRC activities

Content Library

Case Studies

Virtual Summits

Events

Resources Hub

Discover all of Diligent's insights in one place. Stay ahead of trends with expert perspectives, exclusive research and information you won't find anywhere else.

MEDIA TYPE

Blog Guides Videos Podcasts Content Toolkits Research & Reports

BY TOPIC

Governance Risk & Audit Compliance AI & Cyber Public Sector Diligent Institute

FEATURED

Diligent named a Leader in 2025 Gartner® Magic Quadrant™ for GRC

HIPAA penalties: What are they & how can you avoid them?

July 29, 2022

•

7 min read

Kezia Farnham

Senior Manager

Share:

HIPAA: many people know the acronym, but few know what it stands for, where it comes from or even the multitude of HIPAA penalties that can impact their organization.

HIPAA refers to the Health Insurance Portability and Accountability Act of 1996, which requires healthcare providers to safeguard patients’ Protected Health Information (PHI). Protecting PHI means strictly controlling when and with whom healthcare providers share sensitive information. Any time an organization shares PHI with an unauthorized person or in an unauthorized place (intentionally or otherwise), the Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general can issue a HIPAA violation.

Though these violations do come with financial penalties, fines are just one way OCR enforces HIPAA among healthcare providers, health insurance providers and all other covered entities.

Here’s what organizations need to know about HIPAA violations and what they can do to avoid penalties.

What Are the Penalties for HIPAA Violations?

HIPAA penalties aren’t always punitive. In fact, OCR will often issue technical guidance or request compliance to help covered entities address their gaps in meeting HIPAA guidelines. But when violations are serious, OCR does employ more punitive measures, which involve both financial penalties as well as additional operational requirements.

According to OCR, a “serious” violation includes those that last for a long length of time, impact a large number of people or involve especially sensitive patient data. Should an organization violate HIPAA in any of these three ways, OCR can issue a fine according to four different violation tiers; the higher the violation tier, the steeper the HIPAA penalties.

The HITECH Act of 2009 set the maximum penalty at $1.5 million per year, though OCR re-interpreted the HITECH Act in 2019 to set different maximum penalties depending on the tier/level of culpability.

Tier 1 HIPAA Penalties

Tier 1 is reserved for organizations that unknowingly violate HIPAA. Though these organizations are ultimately responsible for lapses in PHI standards, they were still taking steps to meet HIPAA standards and could not have realistically avoided the violation.

Tier 1 Definition & Penalties:

The covered entity was unaware of the violation and could not have avoided it. They took a reasonable amount of care to meet HIPAA standards.

Min. Penalty Per Violation (inflation-adjusted)	Max. Penalty Per Violation (inflation-adjusted)	Min. Penalty Per Year (inflation-adjusted)
$120	$30,113	$30,113

Tier 2 HIPAA Penalties

Organizations guilty of a Tier 2 violation should have known about their HIPAA violation, but this tier recognizes that the violation was nonetheless unavoidable. In other words, the violation does not rise to the level of willful neglect.

Tier 2 Definition & Penalties:

The covered entity should have been aware of the violation, but did not willfully neglect HIPAA standards.

Min. Penalty Per Violation (inflation-adjusted)	Max. Penalty Per Violation (inflation-adjusted)	Min. Penalty Per Year (inflation-adjusted)
$1,205	$60,226	$120,452

Tier 3 HIPAA Penalties

If an organization committed a Tier 3 violation, it willfully neglected HIPAA standards. The organization can lessen the severity of the violation and, therefore, the HIPAA penalty if they can prove they tried to correct the violation.

Tier 3 Definition & Penalties:

The covered entity willfully neglected HIPAA standards, but tried to correct the violation.

Min. Penalty Per Violation (inflation-adjusted)	Max. Penalty Per Violation (inflation-adjusted)	Min. Penalty Per Year (inflation-adjusted)
$12,045	$60,226	$301,130

Tier 4 HIPAA Penalties

OCR reserves Tier 4 for the most serious violations. Organizations that fall under Tier 4 both willfully neglected HIPAA standards and made no attempt to correct the violation once they became aware of it.

Tier 4 Definition & Penalties:

The covered entity willfully neglected HIPAA standards and did not try to correct the violation.

Min. Penalty Per Violation (inflation-adjusted)	Max. Penalty Per Violation (inflation-adjusted)	Min. Penalty Per Year (inflation-adjusted)
$60,226	$1,806,775	$1,806,775

HIPAA Violation Reporting

All employees of covered entities are responsible for reporting HIPAA violations. It’s important that those working in healthcare and healthcare insurance understand when a HIPAA violation occurs and how they can report it internally and to the appropriate governing bodies.

Covered entities should provide HIPAA training to all employees and let them know to whom they should report. This individual will investigate internally and determine whether or not a HIPAA violation has occurred. If it has, they’ll also be the one to escalate the report to OCR.

The HIPAA complaint process goes as follows: anyone can file a complaint via mail, fax, email or the OCR complaint portal. The complaint should name the covered entity or employee and explain the incidents believed to have violated HIPAA. Complaints should be filed within 180 days, although this can be extended if the filer can show “good cause.”

What Are the Most Common HIPAA Violations?

Organizations don’t always knowingly commit HIPAA violations, making it even harder to prevent HIPAA penalties. In fact, many HIPAA violations are unintentional and often due to gaps in data security practices or improper employee training. Regular compliance audits can help organizations identify these gaps in their practices. We've identified these five issues as the most common HIPAA violations:

Data Wasn’t Secured or Encrypted: Inadequate data security can leave organizations vulnerable to breaches. But this isn’t just due to hackers. If a physician leaves a chart in an exam room and another patient sees it, this subjects the organization to potential HIPAA penalties. Organizations are also vulnerable if physicians text unsecured patient information to other physicians, log in from an unsecured device at home to finish charting or even leave patient charts open on a desktop after they walk away.
Devices Were Stolen: Device theft may not seem like a threat, but this is a major source of HIPAA violations. When unencrypted devices like laptops, mobile phones and more get stolen, valuable PHI can be compromised.
Employees Mishandled PHI: HIPAA violations can happen if employees disclose information to unauthorized family members, discuss PHI in public settings or leave files with PHI where unauthorized individuals can see them.
Partnership Agreements Didn’t Meet Standards: Healthcare organizations have countless partnerships to help share data with patients and other providers. This can leave organizations vulnerable to HIPAA violations, especially if the partner company is purchased by another company, if contracts are handled off-site or partners are brought on without proper training on PHI.
Employees Didn’t Receive Proper Training: HIPAA violations often happen because employees don’t know they’re mishandling PHI. Organizations must provide adequate training, such as what HIPAA is, what the rules are, how to avoid breaches and how to make HIPAA compliance part of their daily activities.

How to Prevent Violations and Avoid HIPAA Penalties

Preventing a HIPAA violation and avoiding HIPAA penalties doesn’t always require overhauling an organization’s information systems. Though data security should be at the top of the list for any healthcare organization, there are several other things covered entities can incorporate into their governance to reduce the likelihood of a HIPAA violation.

End-to-End Data Encryption: This ensures PHI is only accessible to authorized users.
Firewalls and Antivirus Software: Using tools like these can put valuable gatekeepers between sensitive PHI and bad actors.
Cybersecurity Training: Ensure employees have the information they need to sidestep malware, phishing, ransomware and more, all of which can lead to HIPAA penalties.
Safe Disposal of PHI: Whether organizations hire a paper-shredding agency or have their own shredding protocol, it’s important that PHI is securely disposed of and not just tossed in the recycle bin.
Proper Device Management: Mismanaged devices are at huge risk for breaches. Implement security features zero trust architecture, multi-factor authentication (MFA) and automatic timeouts.
Continuous HIPAA Training: Employees must know exactly what constitutes a HIPAA violation. Comprehensive and ongoing training can ensure they don’t make any slip-ups.

Get Ahead of HIPAA Violations With the Right GRC Framework

HIPAA violations aren’t a given. Though they’re a risk all healthcare organizations face, there are steps covered entities can take to reduce the chances that they’ll face a HIPAA penalties. The key? A robust governance, risk and compliance (GRC) framework.

Organizations of all sizes can benefit from good governance and an effective board portal, but it’s especially critical for healthcare organizations handling sensitive PHI. It’s important to remember that avoiding HIPAA penalties isn’t just about avoiding fines; it’s about protecting patient rights and privacy. Governance is the best tool healthcare organizations have to do just that.

Learn more about how healthcare organizations can improve their data management, protect patient rights and avoid HIPAA penalties by downloading Curing the Data Deficit: How to Heal Governance Problems in Healthcare from Diligent.