Frequently Asked Questions

General Information For Workforce Members HIPAA Privacy and Information Security Enforcement What penalties can UCLA Health System receive from the OCR for being out of compliance with the Privacy and Security regulations? Violations occurred without the knowledge of covered entity and by exercising reasonable diligence would not have known it violated the HIPAA Privacy Rule $100-$50,000 for each violation, with a maximum for individual violations in the same year of $1,500,000 x each violation. Violations due to reasonable cause $1,000 to $50,000 for each violation, with a maximum for individual violations in the same year of $1,500,000 x each violation. Violations due to willful neglect but are corrected within 30 days $10,000 to $50,000 for each violation, with a maximum for individual violations in the same year of $1,500,000 x each violation. Violations due to willful neglect and are not corrected within 30 days $50,000 for each violation, with a maximum for individual violations in the same year of $1,500,000 x each violation. Criminal penalties for a person who knowingly violates HIPAA are as follows: $50,000 and a one year prison term $100,000 and up to 5 years in prison for wrongful conduct involving false pretenses $250,000 and up to 10 years in prison for wrongful conduct with intent to sell, transfer, or use individually identified health information for personal gain or malicious harm. 2

General Information For Workforce Members
HIPAA Privacy and Information Security Enforcement

Violations occurred without the knowledge of covered entity and by exercising reasonable diligence would not have known it violated the HIPAA Privacy Rule $100-$50,000 for each violation, with a maximum for individual violations in the same year of $1,500,000 x each violation.
Violations due to reasonable cause $1,000 to $50,000 for each violation, with a maximum for individual violations in the same year of $1,500,000 x each violation.
Violations due to willful neglect but are corrected within 30 days $10,000 to $50,000 for each violation, with a maximum for individual violations in the same year of $1,500,000 x each violation.
Violations due to willful neglect and are not corrected within 30 days $50,000 for each violation, with a maximum for individual violations in the same year of $1,500,000 x each violation.

Criminal penalties for a person who knowingly violates HIPAA are as follows:

$50,000 and a one year prison term
$100,000 and up to 5 years in prison for wrongful conduct involving false pretenses
$250,000 and up to 10 years in prison for wrongful conduct with intent to sell, transfer, or

use individually identified health information for personal gain or malicious harm.