
Understanding HIPAA Breach Fines

Updated: Apr 25, 2021

HIPAA Breach Fines

The Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996, is a set of federal rules and regulations that apply to healthcare organizations and their workforce. Under HIPAA, healthcare organizations are required to implement policies and procedures that protect patient privacy and to put administrative, physical, and technical safeguards in place to ensure the confidentiality, integrity, and availability of protected health information (PHI). HIPAA rules restrict the permitted uses of health data and limit who may receive it. HIPAA also grants patients the right to obtain copies of their own health records.

Under HIPAA, two types of organizations are required to comply with its rules:

Covered entities: healthcare providers, health plans, and healthcare clearinghouses.

Business associates: vendors and service providers that create, receive, maintain, or transmit PHI on behalf of a covered entity in order to perform their contracted duties.

As with other federal laws, there are penalties for HIPAA non-compliance. Fines for HIPAA violations can be significant, especially when it is ruled that HIPAA has been "knowingly" violated, that is, when the HIPAA Rules are determined to have been violated willfully and intentionally.

What is Considered a HIPAA Violation?

Strictly speaking, a HIPAA violation is any failure to comply with the HIPAA Privacy, Security, or Breach Notification Rules, whether or not any patient data is actually exposed. A breach is the specific type of violation most often behind large fines: the acquisition, access, use, or disclosure of unsecured PHI in a manner not permitted under the Privacy Rule. Since the 2013 Omnibus Rule, any such impermissible use or disclosure is presumed to be a breach unless the organization can show, through a documented risk assessment, that there is a low probability the PHI has been compromised; the earlier test of whether the incident posed a "significant risk of financial, reputational, or other harm" to the affected individuals no longer applies.

HIPAA Breach Fines- The Civil Penalties

Civil penalties for HIPAA violations are assessed according to a tiered structure based on the organization's level of culpability, from not knowing (and not reasonably being able to know) about the violation, through reasonable cause, to willful neglect that was corrected within 30 days, and finally willful neglect that was not corrected. The current penalty ranges for each tier are:

  • Tier 1 (did not know, and could not reasonably have known): $100-$50,000 per violation, capped at $25,000 per year the issue persisted

  • Tier 2 (reasonable cause, not willful neglect): $1,000-$50,000 per violation, capped at $100,000 per year the issue persisted

  • Tier 3 (willful neglect, corrected within 30 days): $10,000-$50,000 per violation, capped at $250,000 per year the issue persisted

  • Tier 4 (willful neglect, not corrected): $50,000 per violation, capped at $1.5 million per year the issue persisted

The per-violation amounts above are the base figures from 45 CFR 160.404 and are adjusted annually for inflation, so the figures actually applied in a given year are somewhat higher. The reduced annual caps for Tiers 1 through 3 reflect the Notice of Enforcement Discretion that HHS issued in April 2019; before that, every tier carried the $1.5 million annual cap.

2018 was a record year for HIPAA enforcement, with $28.7 million in fines collected from HIPAA-covered entities and their business associates. The previous record of $23.5 million was set in 2016.

Criminal Penalties for HIPAA Violations

Criminal penalties for HIPAA violations can be harsh. Under 42 U.S.C. § 1320d-6, a person who knowingly obtains or discloses individually identifiable health information in violation of HIPAA faces a fine of up to $50,000 and up to one year in prison. If the offense is committed under false pretenses, the maximum rises to $100,000 and five years in prison; if it is committed with intent to sell the information or to use it for commercial advantage, personal gain, or malicious harm, the maximum is $250,000 and ten years in prison. Courts may also order restitution to the victims.

Preventing Employee Error from Causing a HIPAA Data Breach

While HIPAA breach penalties can be severe, the encouraging news for healthcare practices is that more than half of healthcare data breaches are caused by inadvertent actions of employees. This means practices can dramatically reduce their risk of a violation through employee training and awareness programs that create a persistent, organization-wide "culture of security."

HIPAA phrases its training requirements in a way that leaves it to covered entities and their business associates to decide how best to train their employees. The core requirement is that every workforce member receives training adequate to understand the organization's privacy and security policies, how to prevent data breaches, and what rights patients have. The Privacy Rule also requires that new workforce members be trained within a reasonable period after joining and that staff be retrained when a material change in policies or procedures affects their job. HIPAA training should be tailored to each employee's job role in order to maximize program efficiency and improve knowledge retention.

eLearning for HIPAA Compliance Training

Unfortunately, traditional classroom sessions for HIPAA compliance training are time-consuming, offer little flexibility to busy employees, and can be expensive to run.

eLearning for HIPAA compliance, on the other hand, is much more flexible for your staff, offering any time, anywhere learning. And with eLearning, your training costs decrease by an average of nearly 70% when compared to classroom-based training.

If your organization is considering eLearning for HIPAA compliance training, here are some of the detailed benefits you can expect.

Reduced Costs

With eLearning, you reduce or even eliminate many of the expenses associated with classroom-based training, such as travel, instructor fees, classroom or venue fees, catering, and the distribution of printed learning materials. And because eLearning activities can be completed during worker breaks or after hours, lost-productivity costs are kept to a minimum.

Convenience and Flexibility

Unlike classroom-based training, eLearning allows your learners (as well as your administrators and instructors) to do their work at any time and from any location that is convenient for them. All that is required is an Internet connection. This convenience helps create a more comfortable and productive learning experience.

Self-Paced Learning

One of the challenges of classroom-based training is the need for all students to keep up with the pace set by the instructor. eLearning eliminates this by allowing users to learn at their own pace and by giving them the opportunity to revisit challenging or important content as many times as needed before moving on to the next section.

Collaboration and Communication

Many eLearning platforms now offer tools that enable online communication among students and between students and instructors. These tools help to create a more supportive and collaborative learning environment and can streamline the feedback process.

Data Collection and Analysis

eLearning provides easy and immediate data collection on user engagement and success. Analyzing this data is extremely valuable as you revise and improve your HIPAA compliance training program over time.

LMS Portals for HIPAA Compliance Training

To train employees thoroughly and avoid HIPAA breach fines, many healthcare organizations look to LMS Portals to run their own branded eLearning and HIPAA training portal. Our system allows our clients to easily develop and deliver HIPAA compliance training courses while offering powerful support tools for online communication, knowledge management, program analysis, and more.

Contact us to discuss running your HIPAA compliance training on your own branded portal.
