HIPAA Violation Penalties and Fines: Complete 2026 Guide

HIPAA violation penalties range from $141 to $2,134,831 per violation, depending on the level of negligence involved. The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) enforces these penalties through a tiered system that distinguishes between unknowing violations and willful neglect. For organizations handling protected health information, understanding this penalty structure is not academic. It is a financial planning necessity.

This guide covers every penalty tier, recent enforcement trends, criminal penalties, state-level fines, and practical steps to reduce your risk exposure. If you are a SaaS startup still figuring out whether HIPAA applies to you, read our HIPAA compliance guide for SaaS startups first.

The Four-Tier Civil Penalty Structure

The OCR uses four tiers to calculate civil monetary penalties for HIPAA violations. The tiers were established by the HITECH Act in 2009, and the dollar amounts are adjusted annually for inflation; the figures below are the 2026 adjusted amounts. One caveat: under a Notification of Enforcement Discretion issued in April 2019, OCR applies lower annual caps to the first three tiers ($25,000, $100,000 and $250,000 before inflation adjustment). The full statutory cap shown below applies in practice only to Tier 4.

Tier 1: Lack of Knowledge. The covered entity or business associate did not know about the violation and could not have reasonably known. Penalty range: $141 to $71,162 per violation, with an annual cap of $2,134,831.

Tier 2: Reasonable Cause. The violation was due to reasonable cause, not willful neglect. The organization should have known about the issue but did not act with deliberate disregard. Penalty range: $1,424 to $71,162 per violation, with the same annual cap of $2,134,831.

Tier 3: Willful Neglect, Corrected. The violation resulted from willful neglect, but the organization corrected the issue within 30 days of discovery. Penalty range: $14,232 to $71,162 per violation, annual cap of $2,134,831.

Tier 4: Willful Neglect, Not Corrected. The violation resulted from willful neglect and the organization failed to correct it within 30 days. Penalty range: $71,162 to $2,134,831 per violation, annual cap of $2,134,831.

⚠ Warning
"Per violation" does not mean "per incident." OCR counts violations per provision of the rules that was breached, and a continuing violation (an unencrypted laptop, a missing risk analysis) counts once for each day it persisted; an impermissible disclosure can be counted once for each individual whose PHI was exposed. A single breach affecting 500 patients can therefore be treated as 500 separate violations. This multiplier is what turns a seemingly manageable fine into a business-ending liability.

How the OCR Calculates Actual Penalty Amounts

The OCR does not simply assign the maximum penalty in every case. Several factors influence where within each tier's range a penalty lands:

  • Size and type of organization. Smaller practices with fewer resources may receive lower penalties than large health systems or technology companies.
  • Number of individuals affected. Breaches affecting thousands face steeper penalties than those affecting a handful of patients.
  • Duration of the violation. A gap that persisted for years attracts more scrutiny than one discovered and corrected quickly.
  • The organization's compliance history. Repeat offenders or those with prior complaints face higher penalties.
  • Financial condition. In rare cases, the OCR considers whether the maximum penalty would result in financial hardship.
  • Cooperation and corrective actions. Organizations that cooperate with investigations and implement corrective action plans may receive reduced penalties.

The OCR is also barred by regulation (45 CFR 160.410) from imposing a penalty where the violation was not due to willful neglect and was corrected within 30 days of the date the entity knew, or should have known, of it (OCR may extend that window). This is an affirmative defense the organization must establish, not a routine waiver, and it is the reason prompt, documented correction matters so much.

Criminal Penalties Under HIPAA


Civil penalties are not the only risk. The Department of Justice (DOJ) prosecutes criminal violations of HIPAA, and these carry potential prison time.

Tier 1: Knowingly obtaining or disclosing PHI. Up to 1 year in prison and a $50,000 fine.

Tier 2: Offenses committed under false pretenses. Up to 5 years in prison and a $100,000 fine.

Tier 3: Offenses committed with intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm. Up to 10 years in prison and a $250,000 fine.

Criminal prosecution is relatively rare, but it does happen. Cases have targeted employees who accessed patient records out of curiosity, individuals who sold patient data, and executives who covered up breaches. The DOJ has also prosecuted identity theft cases where stolen PHI was used for financial fraud.

📝 Note
Criminal HIPAA charges can apply to individuals, not just organizations. An employee who snoops through medical records without authorization can face personal criminal liability, regardless of their employer's compliance posture.

Recent OCR Enforcement Actions

OCR enforcement activity provides the clearest picture of current priorities and typical penalty levels.

Banner Health (2023): $1.25 million. A 2016 hacking incident affected 2.81 million individuals. The OCR found failures in risk analysis and access controls. Banner agreed to a corrective action plan alongside the settlement.

Manasa Health Center (2023): $30,000. A small New Jersey behavioral health provider settled after disclosing patients' PHI in public responses to negative online reviews. Even small practices face enforcement.

LA Care Health Plan (2024): $1.3 million. OCR found potential violations related to a mailing error that exposed PHI of more than 1,400 members. Multiple compliance failures contributed to the settlement amount.

Montefiore Medical Center (2024): $4.75 million. This case involved an insider threat where an employee stole patient data over six months. The OCR found that Montefiore failed to conduct thorough risk analyses and implement proper audit controls.

The trend is clear: the OCR is increasing both the frequency and size of enforcement actions. Between 2020 and 2025, the average settlement amount rose approximately 35%. Small practices are no longer flying under the radar.

State-Level HIPAA Enforcement

State Attorneys General gained the authority to enforce HIPAA under the HITECH Act. Many states have pursued their own actions, sometimes in parallel with federal investigations.

States that have been particularly active include New York, California, Massachusetts, Indiana, and New Jersey. HITECH lets a state Attorney General seek statutory damages of up to $100 per violation, capped at $25,000 per year for violations of the same provision, plus attorneys' fees. State actions can proceed alongside a federal investigation, so an organization's total exposure is the sum of the two.

Several states have also enacted their own health data privacy laws that go beyond HIPAA:

  • California (CCPA/CPRA): Covers health data even outside the traditional HIPAA framework, including data from wellness apps and wearables.
  • Washington (My Health My Data Act): Applies to consumer health data not covered by HIPAA, with a private right of action.
  • Connecticut, Nevada, and Colorado have passed similar consumer health data laws.

For organizations operating nationally, compliance with HIPAA alone may not be sufficient. State laws can impose additional requirements and penalties.

The Breach Notification Rule and Its Impact on Penalties


HIPAA requires covered entities to notify affected individuals, HHS, and in some cases the media when a breach of unsecured PHI occurs. The clock starts at discovery, which is the first day the breach is known, or by exercising reasonable diligence would have been known, to the entity or any of its workforce members or agents.

For breaches affecting fewer than 500 individuals: The covered entity must notify affected individuals without unreasonable delay and no later than 60 days after discovery, and must report the breach to HHS within 60 days after the end of the calendar year in which it was discovered.

For breaches affecting 500 or more individuals: Notification to affected individuals and to HHS must occur without unreasonable delay and no later than 60 days after discovery. If more than 500 residents of a single state or jurisdiction are affected, prominent media outlets serving that area must also be notified. These breaches are posted on the OCR's public breach portal, commonly known as the "Wall of Shame."

Failure to provide timely breach notification is itself a HIPAA violation subject to separate penalties. Organizations that delay reporting or attempt to downplay breaches face compounded exposure, because OCR can weigh the handling of the notification when deciding whether the underlying conduct amounts to willful neglect.

How to Reduce Your Risk of HIPAA Penalties

Penalties are severe, but they are largely preventable. The OCR consistently identifies the same root causes in enforcement actions, and addressing them proactively reduces both the likelihood of a violation and the severity of any resulting penalty.

Conduct and maintain a risk analysis. The single most cited deficiency in OCR enforcement actions is the failure to perform an accurate and thorough risk analysis, which the Security Rule requires at 45 CFR 164.308(a)(1)(ii)(A). The rule does not fix an interval, but the analysis must be kept current as systems and vendors change; an annual refresh is the common practice. Use the NIST Cybersecurity Framework or HHS's Security Risk Assessment Tool as your starting framework.

Implement access controls. Unique user IDs and automatic logoff are Security Rule specifications; role-based access and multi-factor authentication are not named in the current rule but are the baseline OCR expects in practice. Keep audit logs of who accessed which records (the audit-controls standard at 45 CFR 164.312(b)), and review those logs regularly for access that has no treatment or business justification, the pattern behind both snooping cases and the Montefiore insider theft.
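The kind of log review the previous paragraph describes, as an added example (not code from this page or from any EHR vendor): it parses a constructed audit-log export, checks each access against a constructed table of care-team assignments, and flags three patterns OCR has cited in enforcement actions: access to a patient with no documented relationship (snooping), exports outside working hours, and bulk export of many distinct patient records in a short window (insider data theft). The log format, the `CARE_ASSIGNMENTS` table, the role exemption and the thresholds are all assumptions for illustration.

```python
"""Review an ePHI access log for snooping and bulk-export patterns.

Added example. The CSV audit format, the care-assignment table and the
thresholds below are hypothetical; adapt them to your EHR's audit export.
"""
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample audit-log export (not from any real system).
SAMPLE_LOG = """timestamp,user_id,role,patient_id,action
2026-03-02T09:12:00,u101,nurse,p5001,view
2026-03-02T09:15:00,u101,nurse,p5002,view
2026-03-02T09:20:00,u101,nurse,p5003,view
2026-03-02T02:10:00,u102,billing,p5001,export
2026-03-02T02:11:00,u102,billing,p5002,export
2026-03-02T02:12:00,u102,billing,p5003,export
2026-03-02T02:13:00,u102,billing,p5004,export
2026-03-02T02:14:00,u102,billing,p5005,export
2026-03-02T02:15:00,u102,billing,p5006,export
2026-03-02T10:00:00,u103,physician,p6001,view
2026-03-02T10:05:00,u103,physician,p9999,view
"""

# Constructed treatment-relationship table: patients each user is assigned to.
CARE_ASSIGNMENTS = {
    "u101": {"p5001", "p5002", "p5003"},
    "u103": {"p6001"},
}

# Hypothetical: roles whose job function touches records without a care assignment.
RELATIONSHIP_EXEMPT_ROLES = {"billing"}


def parse_log(text):
    """Parse the CSV export into event dicts, adding a parsed 'ts' datetime."""
    events = []
    for row in csv.DictReader(StringIO(text)):
        row["ts"] = datetime.fromisoformat(row["timestamp"])
        events.append(row)
    return events


def review_access(events, assignments, bulk_threshold=5, window=timedelta(hours=1)):
    """Return a list of finding dicts for access patterns that need review."""
    findings = []
    exports_by_user = defaultdict(list)

    for e in events:
        user, patient = e["user_id"], e["patient_id"]
        # Snooping check: clinical roles need a documented relationship.
        if e["role"] not in RELATIONSHIP_EXEMPT_ROLES and patient not in assignments.get(user, set()):
            findings.append({"kind": "no_treatment_relationship", "user": user,
                             "patient": patient, "at": e["timestamp"]})
        if e["action"] == "export":
            exports_by_user[user].append(e)

    for user, exports in exports_by_user.items():
        # Off-hours exports (00:00-05:59) are reported once per user with a count.
        off_hours = [e for e in exports if e["ts"].hour < 6]
        if off_hours:
            findings.append({"kind": "off_hours_export", "user": user,
                             "count": len(off_hours), "at": off_hours[0]["timestamp"]})
        # Bulk export: at least bulk_threshold distinct patients within one window.
        exports.sort(key=lambda e: e["ts"])
        for i, first in enumerate(exports):
            patients = {e["patient_id"] for e in exports[i:] if e["ts"] - first["ts"] <= window}
            if len(patients) >= bulk_threshold:
                findings.append({"kind": "bulk_export", "user": user,
                                 "count": len(patients), "at": first["timestamp"]})
                break
    return findings


if __name__ == "__main__":
    for f in review_access(parse_log(SAMPLE_LOG), CARE_ASSIGNMENTS):
        print(f)
```

On the sample data this reports u103's view of p9999 (no relationship on file) and two findings for u102, whose six exports at two in the morning trip both the off-hours and the bulk-export rules. The relationship check is the one that catches curiosity snooping; the export rules are what would have surfaced a months-long insider theft early rather than after the fact.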

Train your workforce. Every employee who handles or could encounter PHI must receive HIPAA training at onboarding, with periodic refreshers thereafter (the rule says "periodic"; annual is the common practice). Document all training activities.

Encrypt everything. Encryption of ePHI at rest and in transit is an addressable specification under the Security Rule, but in practice it is the standard of care. Lost or stolen ePHI that was not encrypted to HHS guidance is "unsecured," and its loss is presumed to be a reportable breach unless a documented four-factor risk assessment shows a low probability that the PHI was compromised. Properly encrypted data that is lost without the key falls under the safe harbor and is not a reportable breach.

Have an incident response plan. Know exactly who does what when a breach occurs. Test the plan with tabletop exercises at least annually.

Establish BAAs with all vendors. Every subcontractor that handles PHI on your behalf must have a signed Business Associate Agreement. Audit your vendor relationships annually.

Document everything. HIPAA requires six years of documentation retention. Keep policies, risk assessments, training records, BAAs, and incident reports organized and accessible.

💡 Pro Tip
A comprehensive compliance program is not an affirmative defense to a penalty; the only affirmative defenses are that the conduct was already punished criminally, or that it was not willful neglect and was corrected within 30 days. It does, however, directly reduce the amount. Since the January 2021 HITECH amendment (Public Law 116-321), HHS must consider whether an organization had "recognized security practices" (such as the NIST Cybersecurity Framework or the 405(d) HICP practices) in place for the prior 12 months when setting penalties, audit outcomes, and settlement terms. Investing in compliance is not just a cost, it is insurance against catastrophic penalties.

Frequently Asked Questions

What is the maximum HIPAA fine per violation?

The maximum civil penalty is $2,134,831 per violation (2026 adjusted amount), which is also the statutory annual cap for violations of the same provision within a calendar year; under OCR's 2019 enforcement discretion, lower annual caps apply to Tiers 1 through 3. Criminal penalties can reach $250,000 plus up to 10 years in prison for offenses involving intent to sell or misuse PHI.

Can individuals be fined for HIPAA violations?

Yes. Criminal HIPAA penalties apply to individuals, not just organizations. Employees who access PHI without authorization, steal patient data, or disclose PHI for personal gain face fines and potential imprisonment.

How often does the OCR actually enforce HIPAA penalties?

The OCR resolves hundreds of HIPAA complaints annually. In recent years, it has issued 10 to 20 major settlements per year, with dozens of additional corrective action plans. The "Right of Access" initiative alone produced 46 enforcement actions between 2019 and 2025.

Do small practices face HIPAA penalties?

Yes. The OCR has settled with solo practitioners, small clinics, and individual providers. The Manasa Health Center settlement in 2024 ($30,000) demonstrates that practice size does not provide immunity from enforcement.

What triggers an OCR investigation?

Investigations are typically triggered by individual complaints filed with HHS, breach reports submitted under the Breach Notification Rule, or compliance reviews initiated by the OCR. Large breaches (500+ individuals) almost always trigger a formal investigation.

Can a HIPAA violation result in a lawsuit?

HIPAA does not provide a private right of action, meaning individuals cannot sue directly under HIPAA. However, state laws, negligence claims, and class action lawsuits based on data breaches can result in significant additional financial exposure beyond HIPAA penalties.

James Mitchell
Author