Enforcement & Consequences for Non-Compliance
In incidents of non-compliance, an organization must reach a resolution agreement with the U.S. Department of Health and Human Services (HHS). This is a signed contract in which an organization agrees to perform certain obligations, such as staff training or reporting requirements, generally for three years. During that period, HHS monitors compliance. A resolution agreement would likely include a penalty payment. According to the HHS website, these agreements are reserved for investigations with more serious outcomes. Absent a resolution, civil money penalties may be imposed as a result of lawsuits. In a larger number of cases, a Corrective Action Plan is imposed and monitored for a period of  years.

Breach Penalties

Penalties for HIPAA violations may range from $100 to $50,000 per violation of one individual’s Protected Health Information (PHI). The cap for a calendar year is $1.5 million.

Here is a link to the U.S. Office for Civil Rights (OCR) web page where you will find organizations currently under investigation for HIPAA violations.

Here is a link to an OCR web page listing recent HIPAA settlements with fines.
