Why Does It Matter?

Complying with HIPAA is essentially a risk mitigation strategy, as non-compliance can result in: civil and/or criminal liability for the employer if a breach occurs, remedial penalties associated with random HHS audits, remedial penalties due to employee complaints, and bad publicity/damaged business relationships.

The Department of Health and Human Services Office for Civil Rights (OCR) conducts random HIPAA audits of covered entities and business associates. Phase one of these audits began in 2011 and acted as a pilot program for the development of enhanced audit protocols. These protocols were implemented during phase two of the audit program, which began in 2016.

See a sample of the 2016 Random HIPAA Audit Protocol here.

Civil Penalties

The Office for Civil Rights (OCR) finalizes resolution agreements with various covered entities for breaches arising from failure to meet basic HIPAA requirements.

  • In one instance, a covered entity failed to conduct a risk analysis and implement safeguards to protect ePHI, and a thumb drive containing ePHI was stolen. The settlement in this case was for $2.2 million.
  • In another instance, OCR reached a $475,000 settlement with a covered entity for failing to report a breach in a timely manner.
  • In a third instance, OCR reached a $5.5 million settlement with a covered entity for the entity’s failure to implement user access and audit controls, resulting in the inappropriate access of ePHI by unauthorized employees.

Find a run-down of all of OCR's enforcement actions here.

The civil penalty schedule is as follows: