HIPAA Sanction Policies: What Employees and Employers Need to Know

When it comes to HIPAA law, the sanction policy is one of the most important factors employees must be aware of. HIPAA does not mandate exactly how employers must discipline their employees in the workplace. So, we provide our suggested guidelines for HIPAA sanction policies.

In addition to the employer imposed HIPAA sanctions, there are civil and criminal penalties associated with violating HIPAA law.

Those who violate HIPAA may face fines from $100-250,000 per offense (with an annual cap at $1.5 million) and/or a 1-10 year prison sentence. Employers may find it difficult to enforce sanctions on employees who break the rules. However, it is important to do so consistently for the wellbeing of the company.

The HIPAA Sanction corresponds with the type of violation, and the following factors should be taken into consideration when classifying the level of the violation:

  • Was the PHI disclosure intentional?
  • Was the violation a single incident or a pattern of behavior?
  • Did the offender simply expose information? Or, did they use someone’s PHI for a specific purpose, like personal monetary gain?

There are three levels of infractions, all with a recommended disciplinary HIPAA sanction:

1. First simple infraction in three years

Accidental exposures of PHI comprise the majority of these infractions. This includes employees sending PHI via unencrypted email or failing to log out of a database, therefore leaving PHI vulnerable. These offenses may seem small, but they could easily cause a breach.

Recommended Sanction Policies for Category One HIPAA Violation

For this type of violation, we recommend writing a letter of reprimand to the employee. The letter should notify them of their wrongdoing and warn them of punishments for further infractions. It should be stored in their file for 6 years.

2. Second simple infraction or first serious infraction in three years

If an employee makes the same type of mistake described above again after receiving a warning, their infraction is labeled category two. This also includes first-time serious offenses, like logging in to client/patient information of a neighbor or a relative.  

Recommended Sanction Policies for Category Two HIPAA Violation

If one of your employees commits a level two infraction, we recommend a written letter of reprimand and one week’s suspension without pay.

The first and second kinds of infractions typically do not receive any publicity, but that does not make them any less important. In fact, business owners are more likely to have to deal with low-level offenses. These types of HIPAA violations may not seem as serious, but they have the potential to cause just as much harm as level three HIPAA violations.

3. Third simple infraction or second serious infraction in 3 years

This type of offense includes the following: repeating low-level mistakes for the third time in three years, repeat mid-level infractions, and very serious infractions intended to cause harm to many people. It is important to note that these violations do not necessarily happen in sequential order. An employee may commit an offense so serious that it is automatically classified as level three, even if it is their first infraction.

Recommended Sanction Policies for Category Three HIPAA Violation

We advise employers to dismiss employees who commit this type of infraction. If the case is serious enough, the violation may need to be reported to state or federal authorities. Depending on the severity of the case, they may prosecute the offender.

The following cases are three real-life examples of level three HIPAA violations from earlier this year:

  • A federal grand jury indicted Linda Sue Kalina, a former patient information coordinator at the University of Pittsburgh Medical Center, on 6 counts of wrongfully obtaining and disclosing PHI. Kalina used her position to gather the PHI of 111 patients with the intent to cause harm. She could face 11 years in prison and/or a $350,000 fine.1

  • The state of New York suspended a former nurse, Maria Smith-Lightfoot, for taking a list of patients from her previous job to her new workplace. This information included patients’ names, dates of birth, addresses, and diagnoses.2 Both Smith-Lightfoot and Greater Rochester Neurology (her new workplace) received punishments. GRN paid a $15,000 fine and trained all employees on HIPAA rules and regulations. Smith-Lightfoot was suspended from working as a nurse for one year and given a three year probation period following her suspension.

  • Additionally, Rita Luthra, a gynecologist in Springfield Massachusetts, gave a pharmaceutical sales representative access to her patients’ records and lied about her actions when HHS investigated her practice. The pharmaceutical company bribed Luthra to work with insurers to cover their product and to prescribe their name-brand drug to her patients.3  As a result, Luthra faces multiple penalties. First, she could go to prison for one year and/or pay a $50,000 fine for the original crime. Additionally, she could receive an additional five years in prison and/or a $250,000 fine for obstructing the HHS investigation.

Needless to say, there are serious penalties for violating HIPAA. Employers must protect their employees by providing them with the training they need to keep PHI safe.


  1. https://healthitsecurity.com/news
  2. https://healthitsecurity.com/news
  3. https://www.justice.gov

Sharing is caring!


Looking for a Business Associate Agreement?

Download our free template to get started on your path toward HIPAA compliance.

Download Now

Let's keep in touch

Stay up to date on the latest HIPAA news, plus receive tons of free tools and info.

Navigating HIPAA Compliance in 2023

Watch the recording of this webinar to learn more about how you can become and stay HIPAA compliant!


Related Posts

What is Access Control in terms of HIPAA?

What is Access Control in terms of HIPAA?

Access control, in terms of cybersecurity, refers to the practice of managing and regulating who can access specific resources, systems, or data within an organization's network or information...

Comparing HIPAA and NIST

Comparing HIPAA and NIST

In the ever-evolving landscape of data security and privacy, two key frameworks have emerged as significant players: HIPAA and NIST. Both emphasize the importance of safeguarding sensitive...

Save & Share Cart
Your Shopping Cart will be saved and you'll be given a link. You, or anyone with the link, can use it to retrieve your Cart at any time.
Back Save & Share Cart
Your Shopping Cart will be saved with Product pictures and information, and Cart Totals. Then send it to yourself, or a friend, with a link to retrieve it at any time.
Your cart email sent successfully :)