Potential Consequences

If a covered entity is found to be noncompliant, the OCR will first try to resolve the issue by obtaining voluntary compliance, corrective action, and/or a resolution agreement. If the covered entity doesn’t resolve the matter, the OCR may impose civil money penalties (CMPs). If a complaint could involve a violation of HIPAA’s criminal provisions, the OCR may refer it to the Department of Justice (DOJ), which handles it based on severity.

When a covered entity suffers a HIPAA breach, its name is permanently listed on the OCR’s Breach Portal, informally known as the Wall of Shame, along with the type of offense, the date, and the number of people affected. Fines for breaches vary drastically depending on severity, how long the violation persisted, the number of people affected, and how willing the organization was to cooperate. They range from $100 to $50,000 per violation/record, with a maximum penalty of $1.5 million per year for each violation, and these violations may have occurred over multiple years.

An individual within a covered entity who is caught unlawfully disclosing or accessing medical records, which is itself a HIPAA violation, may face consequences including job termination, possible license forfeiture, fines, and, in the most extreme cases, jail time.