University of California, Riverside

UCR School of Medicine Compliance



Penalties Under HIPAA


This page contains the information on applicable federal and California state laws regarding violations of HIPAA.

42 USC 1320d-5 General Penalty for Failure to Comply with Requirements and Standards

  (a) General Penalty
    (1) In general
      Except as provided in subsection (b) of this section, the Secretary shall impose on any person who violates a provision of this part—
      (A) in the case of a violation of such provision in which it is established that the person did not know (and by exercising reasonable diligence would not have known) that such person violated such provision, a penalty for each such violation of an amount that is at least the amount described in paragraph (3)(A) but not to exceed the amount described in paragraph (3)(D);
      (B) in the case of a violation of such provision in which it is established that the violation was due to reasonable cause and not to willful neglect, a penalty for each such violation of an amount that is at least the amount described in paragraph (3)(B) but not to exceed the amount described in paragraph (3)(D); and
      (C) in the case of a violation of such provision in which it is established that the violation was due to willful neglect—
        (i) if the violation is corrected as described in subsection (b)(3)(A), a penalty in an amount that is at least the amount described in paragraph (3)(C) but not to exceed the amount described in paragraph (3)(D); and
        (ii) if the violation is not corrected as described in such subsection, a penalty in an amount that is at least the amount described in paragraph (3)(D).
      In determining the amount of a penalty under this section for a violation, the Secretary shall base such determination on the nature and extent of the violation and the nature and extent of the harm resulting from such violation.
    (2) Procedures
      The provisions of section 1320a–7a of this title (other than subsections (a) and (b) and the second sentence of subsection (f)) shall apply to the imposition of a civil money penalty under this subsection in the same manner as such provisions apply to the imposition of a penalty under such section 1320a–7a of this title.
    (3) Tiers of penalties described
      For purposes of paragraph (1), with respect to a violation by a person of a provision of this part—
      (A) the amount described in this subparagraph is $100 for each such violation, except that the total amount imposed on the person for all such violations of an identical requirement or prohibition during a calendar year may not exceed $25,000;
      (B) the amount described in this subparagraph is $1,000 for each such violation, except that the total amount imposed on the person for all such violations of an identical requirement or prohibition during a calendar year may not exceed $100,000;
      (C) the amount described in this subparagraph is $10,000 for each such violation, except that the total amount imposed on the person for all such violations of an identical requirement or prohibition during a calendar year may not exceed $250,000; and
      (D) the amount described in this subparagraph is $50,000 for each such violation, except that the total amount imposed on the person for all such violations of an identical requirement or prohibition during a calendar year may not exceed $1,500,000.
  (b) Limitations
    (1) Offenses otherwise punishable
      No penalty may be imposed under subsection (a) and no damages obtained under subsection (d) with respect to an act if a penalty has been imposed under section 1320d–6 of this title with respect to such act.
    (2) Failures due to reasonable cause
      (A) In general
        Except as provided in subparagraph (B) or subsection (a)(1)(C), no penalty may be imposed under subsection (a) and no damages obtained under subsection (d) if the failure to comply is corrected during the 30-day period beginning on the first date the person liable for the penalty or damages knew, or by exercising reasonable diligence would have known, that the failure to comply occurred.
      (B) Extension of period
        (i) No penalty – With respect to the imposition of a penalty by the Secretary under subsection (a), the period referred to in subparagraph (A) may be extended as determined appropriate by the Secretary based on the nature and extent of the failure to comply.
        (ii) Assistance – If the Secretary determines that a person failed to comply because the person was unable to comply, the Secretary may provide technical assistance to the person during the period described in subparagraph (A). Such assistance shall be provided in any manner determined appropriate by the Secretary.
    (3) Reduction
      In the case of a failure to comply which is due to reasonable cause and not to willful neglect, any penalty under subsection (a) and any damages under subsection (d) that is not entirely waived under paragraph (3) may be waived to the extent that the payment of such penalty would be excessive relative to the compliance failure involved.

42 USC 1320d-6 Wrongful Disclosure of Individually Identifiable Health Information

  (a) Offense
    A person who knowingly and in violation of this part—
    (1) uses or causes to be used a unique health identifier;
    (2) obtains individually identifiable health information relating to an individual; or
    (3) discloses individually identifiable health information to another person,
    shall be punished as provided in subsection (b).
  (b) Penalties
    A person described in subsection (a) shall—
    (1) be fined not more than $50,000, imprisoned not more than 1 year, or both;
    (2) if the offense is committed under false pretenses, be fined not more than $100,000, imprisoned not more than 5 years, or both; and
    (3) if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, be fined not more than $250,000, imprisoned not more than 10 years, or both.

California State Laws – SB 541 and AB 211

In 2008, Governor Arnold Schwarzenegger signed legislation, SB 541 and AB 211, to improve patient privacy laws and to address breaches of confidential information.

SB 541 sets health facility fines for privacy breaches and increases the fines for serious medical errors in hospitals. The new law ensured that health care providers face real consequences when they fail to protect patients. For facilities, fines for disclosing private medical information range up to $250,000 per reported event.

SB 541 provides for a new 5-day reporting requirement: providers must report incidents of unauthorized access, use, or disclosure of a patient's medical information within 5 days of detection of the breach to the CA Department of Public Health (CDPH) and to the affected patient or legal representative.

"Unauthorized" access means:

    • Inappropriate access, review, or viewing
    • Without a direct need for medical diagnosis, treatment, or other lawful use (as permitted by the California Medical Information Act (CMIA) or other laws governing access, use, or disclosure of medical information).

Failure to report an unauthorized access, use, or disclosure within 5 days to CDPH may result in a fine of $100 per day not to exceed $250,000 per reported event to the institution.

SB 541 – If a licensee receives a notice of deficiency constituting an immediate jeopardy to the health or safety of a patient, the licensee is required to submit a plan of correction; failure to do so may subject the licensee to an administrative penalty of up to $100,000 for incidents occurring on and after January 1, 2009.

"Immediate jeopardy" is defined as a situation in which the licensee's noncompliance with one or more requirements of licensure has caused, or is likely to cause, serious injury or death to the patient.

Failure to prevent unlawful or unauthorized access, use, or disclosure may result in administrative penalties of up to $25,000 per patient, and up to $17,500 per subsequent violation.

AB 211 requires health providers to prevent unlawful access, use, or disclosure of patients' medical information and holds health care providers and other individuals accountable for ensuring the privacy of patients.

AB 211 creates a new state agency, the Office of Health Information Integrity (OHII), to enforce the California Medical Information Act (CMIA) and to levy penalties for unauthorized access, use, or disclosure of patient medical information by individuals.

AB 211 authorizes fines and penalties against any individual or provider of health care that negligently discloses or knowingly and willfully obtains, discloses, or uses medical information in violation of state/federal laws.

Fines range from $2,500 – $25,000 per violation up to a maximum of $250,000 per violation. It is a misdemeanor if the patient suffers economic loss or personal injury, and the patient may potentially bring a civil action for actual damages and $1,000.

General Campus Information

University of California, Riverside
900 University Ave.
Riverside, CA 92521
Tel: (951) 827-1012

Department Information

UCR School of Medicine Compliance
900 University Avenue
SOM Education Building
Riverside, CA 92521

Tel: (951) 827-3257
Fax: (951) 263-7271
E-mail: paul.hackman@ucr.edu
