
What are the penalties for not being HIPAA compliant?

The United States Department of Health and Human Services (HHS) may impose civil and criminal penalties for non-compliance.

There are 4 tiers of civil penalties. We will break down the email breach penalties for each tier.

Tier 1
Only applies if you had absolutely no idea that you needed HIPAA compliant email. This is extremely hard to prove, but there are some folks out there who think sending PHI over a non-compliant email service is okay. If you are lucky, HHS may give you a warning. More likely, you will be fined $100 per email that contains PHI, up to a maximum of $25,000 per year. At the discretion of HHS, this may increase up to $50,000 per year. In the rare event that an entity can prove total ignorance of HIPAA compliant email, you may end up with a smaller fine and a slap on the wrist. You will most likely not be charged with criminal penalties, but that is still a risk. If you're reading this, you're not really capable of a Tier 1 violation; yours would be more severe.

Tier 2
If you are aware that you need HIPAA compliant email but continue to use non-compliant email to send PHI, HHS will fine you $1,000 per email containing PHI, up to a maximum of $10,000 per year, and may refer your case to the Department of Justice (DOJ), which can press charges against you for wrongful disclosure of individually identifiable health information. In addition to the civil penalties, DOJ can impose a fine of up to $50,000 and up to 1 year in prison.

Tier 3
If you use a HIPAA compliant email service but do not follow its policies and best practice procedures, this is considered willful neglect: you understand what you are supposed to do per the instructions of the compliant email service provider, but you choose not to follow the best practice guidelines. An example of this would be forwarding emails to a non-compliant email service, or vice versa. Another example might be refusing to use the supported email software or devices that keep your email communications secure and compliant. HHS will fine you $10,000 per email containing PHI, up to a maximum of $100,000 per year, provided you are willing to correct your situation, and may refer your case to the Department of Justice (DOJ), which can press charges against you for wrongful disclosure of individually identifiable health information. In addition to the civil penalties, DOJ can impose a fine of up to $100,000 and up to 5 years in prison.

Tier 4
Identical to Tier 3, except that you refuse to correct your situation even after being warned by HHS. This is the most severe case: you are willfully neglecting HIPAA compliance requirements. HHS will fine you $50,000 per email containing PHI, up to a maximum of $1.5 million per year, and may refer your case to the Department of Justice (DOJ), which can press charges against you for wrongful disclosure of individually identifiable health information. In addition to the civil penalties, DOJ can impose a fine of up to $250,000 and up to 10 years in prison.