How HIPAA Penalties are Calculated
HIPAA penalties (enforced by the HHS Office for Civil Rights) follow this structure:
- Per violation: Each instance of noncompliance with a specific HIPAA requirement (Privacy, Security, or Breach Notification Rule) counts as a separate violation.
- Per day: If a violation persists (e.g., failure to have required security safeguards, ongoing improper disclosure practices, or uncorrected risks), each day of continued noncompliance can be counted as a separate violation. This allows penalties to accumulate quickly for prolonged issues.
- Per affected individual: For violations like impermissible uses or disclosures of protected health information (PHI), OCR can treat each individual whose PHI is involved as a separate violation.
- Annual cap per identical provision: There is a calendar-year limit on the total penalty for all violations of the same requirement or prohibition. This cap applies separately to each distinct HIPAA provision violated.
When an investigation is opened, the OCR reviews ALL compliance documentation, not just the complaint or cause.
A $145 fine can easily become over a million dollar penalty
| Compliant | HIPAA Violation | Fine | #Days | Statutory Max/Yr | Total Amt of Fine Levied |
| Complaint filed | Patient denied access to Designated Record Set | $145 | 300 | $43,500 | $43,500 |
| Found by OCR | No HIPAA risk analysis within 4 years | $145 | 4 Years | $52,925 | $211,700 |
| Found by OCR | HIPAA training documentation was not available | $145 | 4 Years | $52,925 | $211,700 |
| Found by OCR | Incomplete Administrative, Physical, and Technical Safeguard policies and procedures | $145 | 6 Years | $52,925 | $317,550 |
| Found by OCR | Inadequate employee training on policies and procedures | $145 | 6 Years | $52,925 | $317,550 |
| Found by OCR | Inadequate technical safeguards to protect ePHI. | $145 | 6 Years | $52,925 | $317,550 |
| Total Penalty | $1,419,450 |
Aris protects their clients through Partnership, Education, and Support.
Pages: 1 2