What are the penalties for not being HIPAA compliant?

The United States Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), may impose civil money penalties for non-compliance and may refer a case to the Department of Justice (DOJ) for criminal prosecution. There are 4 tiers of civil penalties, based on how culpable the covered entity or business associate was, and we will break down what the email breach penalties are under each. Two caveats before the breakdown: penalties are assessed per violation (each email containing PHI sent over a non-compliant channel can be counted as a separate violation), with the annual cap applying per identical provision violated in a calendar year, and the dollar amounts are adjusted for inflation each year, so the figures below are the base amounts. The criminal penalties are set by DOJ on its own criteria (knowing disclosure, false pretenses, intent to profit or harm), not by the civil tier, so the pairings below show the escalation, not a fixed mapping.

Tier 1
You did not know, and by exercising reasonable diligence could not have known, that the email you sent violated HIPAA. This is very hard to prove, but there are some folks out there who think sending PHI over a non-compliant email service is OK. HHS may give you a warning if you are lucky. Otherwise, you will be fined a minimum of $100 per email that contains PHI, up to a maximum of $25,000 per year. At its discretion, HHS may raise the per-violation amount to as much as $50,000. It is typically a slap on the wrist, and you will most likely not face criminal charges, because criminal liability requires that you knowingly obtained or disclosed the PHI.

Tier 2
You knew, or by exercising reasonable diligence should have known, that you needed HIPAA compliant email, yet you still continue to use non-compliant email to send PHI (HHS calls this "reasonable cause," meaning it does not rise to willful neglect). HHS will fine you a minimum of $1,000 per email containing PHI, up to a maximum of $100,000 per year, and may refer your case to the Department of Justice (DOJ), which can press charges for wrongful disclosure of individually identifiable health information. In addition to civil penalties, DOJ may fine you up to $50,000 and seek up to 1 year in prison for knowingly obtaining or disclosing PHI.

Tier 3
If you use a HIPAA compliant email service but you do not follow its policies and best practice procedures, this is considered willful neglect. Meaning you understand what you are supposed to do per the instructions of the compliant email service provider, yet you choose not to do it. An example of this would be forwarding emails to a non-compliant email service or vice versa, or refusing to use supported email software or devices to keep your email communications secure and compliant. Tier 3 applies only if you correct the violation within 30 days of learning of it. HHS will fine you a minimum of $10,000 per email containing PHI, up to a maximum of $250,000 per year, and may refer your case to the Department of Justice (DOJ), which can press charges for wrongful disclosure of individually identifiable health information. In addition to civil penalties, DOJ may fine you up to $100,000 and seek up to 5 years in prison where the offense was committed under false pretenses.

Tier 4
Identical to Tier 3, except you fail to correct the violation within 30 days, even after being warned by HHS. This is the most severe case of willfully neglecting HIPAA requirements. HHS will fine you a minimum of $50,000 per email containing PHI, up to a maximum of $1.5 million per year, and may refer your case to the Department of Justice (DOJ), which can press charges for wrongful disclosure of individually identifiable health information. In addition to civil penalties, DOJ may fine you up to $250,000 and seek up to 10 years in prison where the offense was committed with intent to sell, transfer, or use the PHI for commercial advantage, personal gain, or malicious harm.