Civil and Criminal penalties for HIPAA violations include:
a. Tier 1: Covered entity or individual did not know (and by exercising reasonable diligence would not have known) the act was a HIPAA violation. Civil Penalty: $100-$50,000 for each violation
b. Tier 2: The HIPAA violation had a reasonable cause and was not due to willful neglect. Penalty: $1,000-$50,000 for each violation
c. Tier 3: The HIPAA violation was due to willful neglect but the violation was corrected within the required time period. Penalty: $10,000-$50,000 for each violation
d. Tier 4: The HIPAA violation was due to willful neglect and was not corrected. Penalty: $50,000 or more for each violation
f. Tier 1 Criminal Penalties: Unknowingly or with reasonable cause: Potential jail sentence up to one year
g. Tier 2 Criminal Penalties: Under false pretenses: Potential jail sentence up to five years
h. Tier 3 Criminal Penalties: For personal gain, malicious reasons, intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm permit fines: Potential jail sentence up to ten years
i. All of the above
“Knowingly” Definition: The DOJ interpreted the "knowingly" element of the HIPAA statute for criminal liability as requiring only knowledge of the actions that constitute an offense. Specific knowledge of an action being in violation of the HIPAA statute is not required.