May 27, 2026

The Math Behind a HIPAA Fine (And Why It Should Change How You Think About Security)

A HIPAA violation fine starts at $100 per record.

If a breach exposes 500 patient records, that's $50,000 minimum. That's before attorneys, notification costs, or the OCR investigation that follows every breach affecting more than 500 patients.

The math isn't complicated. But most small practices haven't done it.

How the Penalties Actually Work

HIPAA civil penalties are tiered by culpability:

  • Did not know: $100–$50,000 per violation, up to $1.9M per year
  • Reasonable cause: $1,000–$50,000 per violation, up to $1.9M per year
  • Willful neglect, corrected: $10,000–$50,000 per violation, up to $1.9M per year
  • Willful neglect, not corrected: $50,000 per violation, up to $1.9M per year

"Did not know" sounds like a defense. It isn't. The standard is whether you *should have known* — and regulators interpret that broadly. A vulnerability that any automated scanner would find in thirty seconds is something you should have known about.

The Wall of Shame

Every breach affecting 500 or more patients triggers mandatory public reporting to the HHS Office for Civil Rights. OCR publishes these on what the industry calls the "Wall of Shame" — a public database of healthcare organizations that have experienced breaches.

It's searchable. Patients search it. Insurers search it. Attorneys search it.

The Cost Comparison

A security audit from near0 costs less than one hour of an attorney's time. It finds the open ports, the expired certificates, the missing email authentication records, and the configuration errors that show up in breach reports.

The question isn't whether you can afford to fix these things. It's whether you can afford not to.


near0 runs background checks, business verification, and site security audits. One-time payment, no account required.
