HIPAA Penalties in 2026: Tiers, Maximums & Recent Fines
By ComplyCreate Editorial Team · Published Apr 24, 2026 · Last reviewed Apr 24, 2026
HIPAA's civil enforcement framework is more powerful today than at any point in the law's history. The combination of HITECH's penalty escalation, the 2013 Omnibus Rule's direct BA liability, and OCR's increasingly aggressive enforcement posture under its Right of Access and general audit programs means that organizations that ignore HIPAA face real financial and reputational consequences.
The Four Civil Penalty Tiers
HIPAA's civil money penalty (CMP) structure, established by HITECH and codified at 45 CFR § 160.404, uses four tiers based on the organization's level of culpability. The amounts below are 2024 inflation-adjusted figures under 45 CFR § 160.522:
| Tier | Culpability Level | Per-Violation Minimum | Per-Violation Maximum | Annual Cap |
|---|---|---|---|---|
| 1 | Unknowing | $137 | $68,928 | $2,067,813 |
| 2 | Reasonable cause | $1,379 | $68,928 | $2,067,813 |
| 3 | Willful neglect — corrected within 30 days | $13,785 | $68,928 | $2,067,813 |
| 4 | Willful neglect — not corrected | $68,928 | $2,067,813 | $2,067,813 |
Understanding the Tiers
Tier 1 — Unknowing: The organization did not know and, by exercising reasonable diligence, could not have known that a violation occurred. This tier recognizes that not all violations stem from negligence — some occur despite good-faith compliance programs. The minimum is $137, but OCR retains discretion to impose higher amounts within the tier range.
Tier 2 — Reasonable cause: The organization knew or, by exercising reasonable diligence, would have known of the violation, but the violation was not due to willful neglect. This tier covers situations where the organization should have caught the violation with adequate compliance procedures but didn't.
Tier 3 — Willful neglect, corrected: The violation was due to conscious, intentional failure or reckless indifference to the obligation to comply, but was corrected within 30 days of discovery. The higher minimum ($13,785) reflects the seriousness of willful non-compliance, with some credit for quick correction.
Tier 4 — Willful neglect, not corrected: The most serious tier covers willful neglect that was not corrected within 30 days. The minimum and maximum both equal the annual cap, meaning OCR has maximum discretion to impose penalties as high as the statutory limit. This tier is reserved for the most egregious violations — and OCR has imposed multi-million-dollar penalties here.
How OCR Counts Violations
Each individual patient whose PHI was improperly disclosed can constitute a separate violation. A breach affecting 10,000 patients could be counted as 10,000 violations — each subject to its own per-violation penalty amount. In practice, OCR often negotiates resolution agreements that result in a lump-sum settlement rather than calculating per-violation amounts in full, but the theoretical exposure is enormous for large breaches.
Criminal Penalties
Under 42 U.S.C. § 1320d-6, criminal penalties apply to any person who knowingly obtains or discloses individually identifiable health information in violation of HIPAA. Three criminal penalty tiers apply:
- Basic offense: Up to $50,000 fine and 1 year imprisonment
- False pretenses: Up to $100,000 fine and 5 years imprisonment (when the violation is committed under false pretenses)
- Intent to sell or misuse: Up to $250,000 fine and 10 years imprisonment (when the violation involves intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm)
Criminal cases are referred to the Department of Justice for prosecution; OCR itself has only civil enforcement authority. Most criminal prosecutions involve employees who access patient records without authorization — such as healthcare workers looking up records of celebrities or ex-partners — or individuals who sell patient data for fraud purposes.
The OCR Enforcement Process
Step 1: Complaint or Audit Trigger
OCR investigations begin either from a complaint filed by an individual (patient, employee, or other party) or through OCR's proactive audit program. All breach reports affecting 500 or more individuals trigger an automatic OCR review. Organizations should assume that any large breach will result in an OCR investigation.
Step 2: Initial Review and Technical Assistance
OCR first reviews whether the complaint is within its jurisdiction and whether it states a viable claim. If so, OCR notifies the covered entity or BA and requests documentation. In many cases — particularly where the violation is minor or the organization cooperates promptly — OCR resolves the matter through informal resolution, technical assistance, and voluntary corrective action without imposing penalties.
Step 3: Investigation
For more serious matters, OCR conducts a formal investigation. This involves requesting extensive documentation (policies and procedures, training records, risk assessments, BAA inventories, breach investigation documentation) and potentially conducting site visits. The investigation determines the nature and extent of the violation and OCR's assessment of the organization's culpability.
Step 4: Corrective Action Plan or Civil Money Penalties
When violations are found, OCR typically requires a Corrective Action Plan (CAP) — a formal agreement requiring the organization to implement specific remediation steps (revise policies, retrain workforce, update BAAs, conduct risk assessments) over a defined monitoring period of 1–3 years. OCR monitors compliance with the CAP through periodic reporting. For more serious violations, OCR may impose civil money penalties in addition to a CAP, or instead of one, through a formal Notice of Proposed Determination.
Examples of OCR Enforcement Patterns
While we do not name specific settlement parties here, OCR's published resolution agreements reveal consistent enforcement patterns from 2020–2026:
- Right of Access failures: OCR's Right of Access Initiative (launched 2019, ongoing) has imposed penalties on dozens of covered entities for failing to provide patients timely access to their medical records. Fines range from $3,500 to over $200,000.
- Missing BAAs: Several large enforcement actions have included as a central finding the absence of BAAs with vendors who had access to PHI for years. Missing BAAs have resulted in settlements in the hundreds of thousands to millions of dollars.
- Inadequate risk analysis: The Security Rule's risk analysis requirement (§ 164.308(a)(1)) is the most frequently cited violation in OCR enforcement actions. Organizations that could not produce a completed risk assessment — or whose risk assessment was years out of date — have faced significant penalties.
- Ransomware attacks: OCR has consistently pursued enforcement following ransomware incidents, finding that the underlying vulnerability (poor security controls, failure to patch, inadequate encryption) constitutes a Security Rule violation independent of the ransomware event itself.
For current enforcement trends and 2026 OCR patterns, see our OCR enforcement trends article.
Frequently Asked Questions
What are HIPAA civil penalties?
HIPAA civil money penalties (CMPs) are fines that OCR may impose on covered entities and business associates for violations. Structured in four tiers based on culpability, they range from $137 per violation (unknowing) to $2,067,813 as the annual per-violation-category cap (willful neglect not corrected) under 2024 inflation-adjusted amounts per 45 CFR § 160.522.
What is the maximum HIPAA fine?
The annual per-violation-category cap is $2,067,813 (2024 adjusted). However, when a breach involves multiple violation categories simultaneously, the annual cap applies separately to each — meaning total aggregate penalties can exceed this amount. OCR has imposed aggregate fines exceeding $10 million in the most serious multi-category enforcement actions. Criminal penalties are separate and can reach $250,000 plus 10 years imprisonment.
Can HIPAA violations result in criminal charges?
Yes. Under 42 U.S.C. § 1320d-6, criminal penalties range from $50,000/1 year imprisonment (basic offense) to $250,000/10 years imprisonment (wrongful disclosure with intent to sell PHI for personal gain or malicious harm). Criminal cases are referred to the Department of Justice. Most criminal prosecutions involve employees accessing records without authorization or selling patient data.
How does OCR enforce HIPAA?
OCR enforces HIPAA through complaint investigations and proactive compliance audits. The process moves from initial review → informal resolution attempts → formal investigation → corrective action plan → civil money penalties if informal resolution fails. OCR posts large breach reports on its public breach portal, and all breaches affecting 500+ individuals trigger automatic review.
What triggers an OCR investigation?
Investigations are triggered by: (1) individual complaints filed with OCR; (2) breach reports for 500+ person breaches; (3) OCR's proactive audit program; and (4) referrals. The most common complaint triggers are denied records access, unauthorized disclosures, and security incidents. Missing BAAs, outdated risk assessments, and NPP failures are common findings once an investigation begins.