HIPAA Requirements & Fines

What you may be liable for under the Health Insurance Portability and Accountability Act of 1996 (HIPAA)


HIPAA compliance requires strict adherence to laws governing patient information. If your organization is a covered entity or business associate that handles patient data, you are required by law to maintain adequate protections for PHI/ePHI as dictated by the HIPAA/HITECH Acts.

Should you knowingly or unknowingly fail to maintain these standards, your organization may be responsible for hefty fines, a loss of reputation and potentially criminal penalties resulting from negligence.

Examples of penalties are listed below, as well as in the graphic from HIPAA Journal:

  • Committing an Unknown Violation: Fines from $100 to $50,000 per violation if the provider exercised due diligence and did not know, or would not have known, of the violation.
  • Committing a Violation with Reasonable Cause: Fines from $1,000 to $50,000 per violation if the provider knew, or should have known with reasonable due diligence, about the violation.
  • Committing a Violation by Willful Neglect: Fines from $10,000 to $50,000 per violation if the provider acted with willful neglect and corrected the issue within 30 days.
  • Uncorrected Willful Neglect Violation: Fines from $50,000 to $1.5 million if the provider acted with willful neglect and did not correct the violation within 30 days.


It’s imperative that those in, and affiliated with, the healthcare industry take protecting patient data seriously. Due care and due diligence must be applied to patient health information as outlined in the HIPAA/HITECH Acts. Failure to do so is at best unethical and at worst disastrous.


Contact us at 585-582-1600 if you require assistance in meeting the above guidelines for data protection and monitoring of your IT environment.