Initially it was unclear whether the criminal penalties for breaches of HIPAA were applicable to persons other than covered entities and business associates. In fact, the Department of Justice adopted the position that only covered entities and directors, officers and employees are subject to prosecution. Under the HITECH Act, Congress dealt with this ambiguity by stating that criminal penalties are applicable to persons other than covered entities.
The HITECH Act added that civil money penalties could be imposed for willful neglect along with knowing violations of HIPAA. The HITECH Act also implemented tiered civil penalties the severity of which depended on the nature of the violation. Violations due to willful neglect are now subject to civil money penalties and the Secretary of the Department of Health and Human Resources will be required to investigate such violations based on a complaint starting in 2011. There are four tiers of violations under the HITECH Act amendments.
| Tier | Nature of Violation | Range of Penalties |
| A | Breach of HIPAA that is not known by the covered entity or could not have been known by exercising reasonable diligence | Each violation = $100
Total amount of $25,000 for all violations of an identical requirement or prohibition in a calendar year
|
| B | Breach of HIPAA due to reasonable cause and not due to willful neglect | Each violation= $1,000
Total amount of $100,000 for all violations of an identical requirement or prohibition in a calendar year
|
| C | Breach of HIPAA due to willful neglect which is corrected during the 30-day period beginning on the first date the person liable for the penalty or damages knew | Each violation= $10,000
Total amount of $250,000 for all violations of an identical requirement or prohibition in a calendar year
|
| D | Breach of HIPAA due to willful neglect which is not corrected during the 30-day period beginning on the first date the person liable for the penalty or damages knew | Each violation= $50,000
Total amount of $1,500,000 for all violations of an identical requirement or prohibition in a calendar year |
All of the penalties imposed on any violator for any tier shall be limited to $1,500,000.