Improper access controls can lead to Office for Civil Rights enforcement under the HIPAA Security Rule and the HIPAA Privacy Rule. Civil monetary penalties can reach $73,011 per violation and up to $2,190,294 for identical violations in a calendar year under the current inflation-adjusted schedule, and criminal penalties for certain knowing wrongful conduct can reach $250,000 in fines and up to 10 years imprisonment. Civil enforcement is directed at HIPAA Covered Entities and Business Associates and can include resolution agreements, corrective action obligations, and civil monetary penalties. Criminal enforcement applies to individuals and organizations in defined circumstances and is pursued by the Department of Justice following referral or investigation.
Improper access controls commonly involve failures to restrict access to electronic protected health information to authorized users and permitted functions. Examples include shared credentials, lack of unique user identification, weak authentication, excessive role permissions, absence of procedures for emergency access, failure to implement automatic logoff where appropriate, and insufficient review of system activity when log data exists. When access is not limited to the workforce members who need access to perform their duties, the conduct can also support an impermissible use or disclosure analysis under the HIPAA Privacy Rule and a HIPAA Minimum Necessary Rule analysis when workforce access exceeds job requirements.
Civil monetary penalties are tiered based on culpability and remediation posture, and the amounts are assessed per violation with annual limits that depend on how the violations are categorized. The Office for Civil Rights also uses resolution agreements and corrective action plans, which can require written policies and procedures, workforce training, risk analysis and risk management activities, and ongoing reporting to the government. The penalty exposure can increase when deficient access controls contribute to a reportable breach and the organization fails to provide required notifications under the HIPAA Breach Notification Rule, since notification failures can be charged as separate violations.
Criminal penalties apply when a person knowingly obtains or discloses individually identifiable health information in violation of the HIPAA Privacy Rule, with escalation based on the nature of the conduct. A basic offense can be punished by up to $50,000 and up to one year imprisonment; conduct under false pretenses can be punished by up to $100,000 and up to five years imprisonment; and conduct with intent to sell, transfer, or use the information for commercial advantage, personal gain, or malicious harm can be punished by up to $250,000 and up to 10 years imprisonment. These criminal penalties are separate from civil enforcement actions and do not depend on a civil monetary penalty having been imposed.