A HIPAA violation is a failure to comply with any aspect of HIPAA laws and regulations detailed in 45 CFR Parts 160, 162, and 164. It occurs when a covered entity or business associate violates one or more aspects of the HIPAA Privacy Rule, Security Rule, or Breach Notification Rule. The Department of Health and Human Services Office for Civil Rights (OCR) is responsible for the text of all published HIPAA regulations. There are 115 pages of regulations related to HIPAA standards. Unlike civil penalties, the Department of Justice handles criminal violations instead of OCR. They may also result in jail time. A judge decides the HIPAA criminal penalties based on the situation of every case. Each of the three tiers builds off of one another. This means that everything involved in tier one is also involved in tiers two and three. And everything involved in tier two is also involved in tier three. If this sounds confusing, that's ok. Here is a visual to help explain HIPAA criminal penalties.

1. First tier criminal penalties for HIPAA violations involve
the wrongful disclosure of individually identifiable
health information.
Up to $100,000 in fines
Third tier criminal penalties for HIPAA violations
involve the wrongful disclosure of individually
identifiable health information committed under false
pretenses with the intent to sell, transfer, or use data
for commercial advantage, personal gain, or
malicious harm.
Up to $250,000 in fines
HIPAA Criminal Penalties
Up to 5 years in prison
Tier 3 Violation
Up to 10 years in prison
Second tier criminal penalties for HIPAA violations
involve the wrongful disclosure of individually
identifiable health information committed under false
pretenses.
Up to $50,000 in fines
Up to 1 year in prison
Tier 2 Violation
Tier 1 Violation