HIPAA Violation Penalties and Fines: Current Tiers, Amounts, and Enforcement


TL;DR

  • Civil penalties run from $145 (Tier 1 minimum) to $2,190,294 (Tier 4 maximum per violation) under the January 28, 2026 inflation adjustment.
  • The four tiers are defined in 42 U.S.C. § 1320d-5 and distinguish between unknowing violations, reasonable cause, corrected willful neglect, and uncorrected willful neglect.
  • Criminal penalties under 42 U.S.C. § 1320d-6 reach $250,000 and 10 years in prison for offenses involving intent to sell PHI.
  • OCR runs three concurrent enforcement initiatives: Right of Access (54 actions since 2019), a Risk Analysis Initiative (launched October 2024), and a dedicated ransomware track.
  • The most common cited deficiency in enforcement actions is failure to conduct an accurate and thorough risk analysis.

Who this is for: Covered entities, business associates, and vendors handling protected health information who need current penalty figures for financial planning, board reporting, or contract negotiations. This article covers U.S. federal civil and criminal penalties only. State-level exposure is addressed in a separate section.


The Four-Tier Civil Penalty Structure

The HITECH Act of 2009 amended 42 U.S.C. § 1320d-5 to create a four-tier penalty structure tied to culpability. HHS adjusts the amounts each January under the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015. The current amounts, effective January 28, 2026, are codified in 45 CFR Part 102 and were published in the Federal Register on January 28, 2026.

Tier  Culpability standard                        Per-violation minimum  Per-violation maximum  Annual cap
1     Did not know and could not have known       $145                   $73,011                $2,190,294
2     Reasonable cause, not willful neglect       $1,461                 $73,011                $2,190,294
3     Willful neglect, corrected within 30 days   $14,602                $73,011                $2,190,294
4     Willful neglect, not corrected              $73,011                $2,190,294             $2,190,294

The statutory maximum for Tiers 1 through 3 is the same: $73,011 per violation. The practical difference between tiers shows up in the minimum, which rises sharply as culpability increases.

One note on OCR discretion: OCR has historically applied lower annual caps for Tiers 1, 2, and 3 under an enforcement discretion policy initially announced in 2019. Under those discretionary caps (adjusted for the same 2026 inflation factor), the effective annual ceilings are approximately $36,505 (Tier 1), $146,053 (Tier 2), and $365,052 (Tier 3). OCR is not required to apply these lower caps, and the statutory caps remain binding when OCR chooses not to exercise discretion.

What "per violation" actually means

A single breach affecting 1,000 patients can be treated as 1,000 separate violations, one per individual whose PHI was exposed. That multiplier turns a Tier 4 minimum of $73,011 into a $73,011,000 floor before the annual cap applies. The cap does limit aggregate liability within a calendar year, but an organization with multiple concurrent failures in different rule areas faces separate annual caps per violation category.


How OCR Determines Where a Penalty Lands Within a Tier

OCR does not default to the maximum. The factors codified in 45 CFR § 160.408 include:

  • The nature and extent of the violation, including how many individuals were affected
  • The nature and extent of the harm resulting from the violation
  • The organization's history of prior violations
  • The organization's financial condition
  • Cooperation with OCR during the investigation
  • Whether corrective actions were taken before or during the investigation

OCR may also waive penalties for Tier 1 and Tier 2 violations that were corrected within 30 days of the organization learning of them. This waiver requires that the violation was not due to willful neglect. It is exercised selectively, and an organization must affirmatively demonstrate it had a functioning compliance program with an isolated failure — not a systemic gap.


Criminal Penalties Under 42 U.S.C. § 1320d-6

The Department of Justice, not OCR, handles criminal HIPAA enforcement. As detailed in the DOJ Office of Legal Counsel's analysis of 42 U.S.C. § 1320d-6, the statute creates three penalty tiers:

Knowingly obtaining or disclosing PHI without authorization: Up to 1 year in prison and a $50,000 fine. This covers employees who access records for personal curiosity, staff who share PHI with unauthorized parties, and similar knowing but non-commercial disclosures.

Offenses committed under false pretenses: Up to 5 years in prison and a $100,000 fine. This tier applies when the violation involved misrepresentation to obtain PHI.

Offenses with intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm: Up to 10 years in prison and a $250,000 fine. This is the tier applied in the Montefiore case, where an employee stole records and sold them to identity thieves.

Criminal liability applies to individuals directly, not just to their employers. In the Des Moines case prosecuted by the DOJ's SDIA office, an individual received 27 months in federal prison for criminal HIPAA violations — a sentence well within the Tier 3 maximum. Corporate criminal liability can also attach to covered entities and business associates under general principles of respondeat superior.


Named Enforcement Actions: What OCR Has Actually Done

The OCR Resolution Agreements page lists every settlement. The cases below are drawn from confirmed HHS press releases and announcements.

2024 enforcement actions

Montefiore Medical Center — $4.75 million (February 6, 2024). An employee accessed 12,517 patient records and sold them to identity thieves over a six-month period. OCR found that Montefiore failed to conduct adequate risk analysis, failed to review information system activity, and failed to implement audit controls. The corrective action plan runs two years and requires a full overhaul of audit and access monitoring procedures.

Gulf Coast Pain Consultants — $1.19 million (December 2024). Between September 2018 and February 2019, a contractor's credentials were used to access PHI of more than 34,000 individuals, and that information was subsequently used to file 6,500 false Medicare claims. OCR cited inadequate risk assessment and failure to regularly review information system activity. HHS reduced the final penalty to $1.1 million to reflect the organization's subsequent security improvements.

Children's Hospital Colorado — $548,265 (December 5, 2024). Two phishing attacks compromised email accounts containing PHI of over 14,000 individuals. In both incidents, employees provided credentials to the attacker. OCR found Privacy and Security Rule violations, including the fact that multi-factor authentication was disabled on at least one affected account.

Inmediata Health Group — $250,000 (December 2024). From May 2016 through January 2019, PHI belonging to 1,565,338 individuals was publicly accessible via search engines due to a misconfigured website. Inmediata is a health care clearinghouse.

2025 enforcement actions

Warby Parker — $1,500,000 (2025). OCR imposed a civil monetary penalty following a credential-stuffing attack that affected 197,986 individuals between September and November 2018. This is notable because Warby Parker is an eyewear retailer, not a traditional health care provider — but the PHI involved eyewear prescription information, bringing it within HIPAA scope. OCR found three Security Rule violations: no accurate risk analysis, no implementation of sufficient security measures, and no procedure for regular review of information system activity.

Comstar, LLC — $75,000 (May 30, 2025). A Massachusetts billing services company settled a ransomware investigation. The breach affected 585,621 individuals. See the HHS press release.

BST & Co. CPAs, LLP — $175,000 (August 18, 2025). A New York accounting firm, functioning as a business associate, settled a ransomware Security Rule violation.

Concentra, Inc. — $112,500 (December 16, 2025). Occupational health services provider settled a Right of Access violation, marking the 54th enforcement action under OCR's Right of Access Initiative. See the HHS press release.

Pattern across cases

The common thread in the penalty cases above: failure to conduct an accurate and thorough risk analysis. It appears in every major enforcement action. OCR's Risk Analysis Initiative, launched in October 2024, was created specifically because this single requirement is the most consistently missed. As of early 2026, the initiative has produced 13 completed investigations with combined settlement payments of approximately $900,000.


OCR's Current Enforcement Priorities

OCR runs three enforcement initiatives simultaneously. Understanding which one is most likely to affect your organization matters for prioritization.

Right of Access Initiative (launched 2019)

OCR began pursuing Right of Access complaints after receiving a pattern of failures from individuals who requested their records and received no response or an unreasonably delayed one. A total of 54 enforcement actions have been resolved under this initiative as of December 2025. Penalties have generally been smaller than breach-related cases, ranging from $3,500 to $240,000, because the violations are often correctable and do not involve harm to large numbers of individuals. However, the volume of actions demonstrates that OCR will pursue small practices.

Risk Analysis Initiative (launched October 2024)

OCR announced this initiative after finding that risk analysis failures appear in virtually every significant breach investigation. The first penalty under this initiative was $90,000 against Bryan County Ambulance Authority in Oklahoma. Eight settlements were resolved within the first six months. The initiative targets covered entities and business associates that have experienced breaches but cannot demonstrate that a timely, accurate risk analysis was in place.

Ransomware and cybersecurity track

OCR's 2024 audit program reviewed 50 covered entities' and business associates' compliance with Security Rule provisions most relevant to hacking and ransomware. According to HHS enforcement data, large breaches caused by hacking increased 89% and ransomware-related breaches increased 102% between 2019 and 2023. OCR has settled multiple ransomware investigations, including Comstar and BST & Co. The proposed HIPAA Security Rule NPRM, published December 27, 2024, would make several cybersecurity controls mandatory that are currently categorized as addressable specifications.


The Breach Notification Rule and Penalty Compounding

A reportable breach creates two separate penalty exposures: one for the underlying Security or Privacy Rule failure, and one for any notification delay or omission. The timing requirements under 45 CFR § 164.404 are:

  • Breaches affecting fewer than 500 individuals: notify affected individuals within 60 days of discovery; report to HHS within 60 days after the end of the calendar year.
  • Breaches affecting 500 or more individuals in the same state or jurisdiction: notify individuals, HHS, and prominent local media outlets within 60 days of discovery. These are posted on OCR's public breach portal.

OCR treats late or incomplete notification as a separate violation. In practice, a breach that triggered a Tier 2 civil penalty for the underlying Security Rule gap can also generate a Tier 3 or Tier 4 penalty if the organization delayed reporting — because the delay is typically treated as willful neglect once the organization was aware of the breach.


State-Level Exposure

State Attorneys General gained HIPAA enforcement authority under HITECH. State penalties are imposed on top of, not instead of, federal penalties.

New York, California, Massachusetts, Indiana, and New Jersey have been the most active. Several states have also enacted health data privacy statutes that cover categories of data outside HIPAA's scope:

  • California (CCPA/CPRA): Covers health data from wellness apps, wearables, and consumer-facing services that are not traditional covered entities.
  • Washington (My Health My Data Act): Covers consumer health data regardless of HIPAA status, and includes a private right of action — meaning individuals can sue without waiting for a state AG investigation.
  • Connecticut, Nevada, and Colorado have enacted similar laws with overlapping scope.

For organizations with national operations or a consumer health product, a HIPAA-compliant program alone does not fully cover state exposure. The Washington law's private right of action is particularly material because it does not require an AG investigation to trigger litigation.


What Actually Reduces Penalty Risk

OCR enforcement actions consistently cite the same failures. Addressing them directly is the most reliable way to reduce both the probability of a violation and the severity of any penalty that does arise.

Conduct a documented risk analysis and keep it current. The HHS Security Risk Assessment Tool provides a structured format. An undated, incomplete, or never-updated risk analysis is treated as no analysis in enforcement proceedings. OCR expects annual updates and updates after material changes to systems or operations.

Implement audit controls. The Montefiore case involved an employee with legitimate access who used it maliciously for six months before discovery. Periodic automated review of access logs — not just access controls — is what detects that pattern.
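The kind of periodic automated log review described above, written as an added example that is not code from the original article or from any HHS tool. It assumes a constructed access-log format (timestamp, user, patient id, action; not any real EHR product's schema) and applies a simple peer baseline: count the distinct patient records each user touches per calendar day, flag user-days well above the median, and then report users flagged on more than one day, since the Montefiore pattern was sustained rather than a single spike.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample EHR access log (not from any real system). One access per
# line: ISO timestamp, user, patient id, action. "billing_x" touches far more
# distinct patients on two days than the nursing staff, who form the baseline.
SAMPLE_LOG = """\
2024-01-08T08:10:00,nurse_a,P1001,view
2024-01-08T08:25:00,nurse_a,P1002,view
2024-01-08T11:40:00,nurse_a,P1003,view
2024-01-08T09:05:00,nurse_b,P1004,view
2024-01-08T14:12:00,nurse_b,P1005,update
2024-01-08T12:01:00,billing_x,P1001,view
2024-01-08T12:03:00,billing_x,P1002,view
2024-01-08T12:04:00,billing_x,P1003,view
2024-01-08T12:06:00,billing_x,P1004,view
2024-01-08T12:07:00,billing_x,P1005,view
2024-01-08T12:09:00,billing_x,P1006,view
2024-01-08T12:10:00,billing_x,P1007,view
2024-01-08T12:12:00,billing_x,P1008,view
2024-01-08T12:13:00,billing_x,P1008,view
2024-01-09T08:15:00,nurse_a,P1002,view
2024-01-09T10:02:00,nurse_a,P1006,view
2024-01-09T15:30:00,nurse_a,P1007,view
2024-01-09T09:00:00,nurse_b,P1004,view
2024-01-09T09:30:00,nurse_b,P1008,view
2024-01-09T13:00:00,nurse_b,P1009,view
2024-01-09T16:45:00,nurse_b,P1010,view
2024-01-09T12:00:00,billing_x,P1010,view
2024-01-09T12:01:00,billing_x,P1011,view
2024-01-09T12:02:00,billing_x,P1012,view
2024-01-09T12:03:00,billing_x,P1013,view
2024-01-09T12:04:00,billing_x,P1014,view
2024-01-09T12:05:00,billing_x,P1015,view
2024-01-09T12:06:00,billing_x,P1016,view
2024-01-09T12:07:00,billing_x,P1017,view
2024-01-09T12:08:00,billing_x,P1018,view
2024-01-10T08:00:00,nurse_a,P1003,view
2024-01-10T12:00:00,billing_x,P1001,view
"""


def parse_log(text):
    """Parse log lines into (timestamp, user, patient_id, action) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, patient, action = line.split(",")
        records.append((datetime.fromisoformat(ts), user, patient, action))
    return records


def distinct_patients_per_user_day(records):
    """Count distinct patient records each user touched on each calendar day.
    Repeated views of one chart count once, so a chart worked on all day
    does not look like bulk access."""
    seen = defaultdict(set)
    for ts, user, patient, _ in records:
        seen[(user, ts.date().isoformat())].add(patient)
    return {key: len(patients) for key, patients in seen.items()}


def flag_high_volume_days(counts, multiplier=2.0, floor=5):
    """Flag (user, day) cells whose count exceeds
    max(floor, multiplier * median over all user-days).
    The floor keeps a small, quiet population from flagging normal workloads."""
    values = list(counts.values())
    baseline = median(values) if values else 0
    threshold = max(floor, multiplier * baseline)
    flagged = [(user, day, n) for (user, day), n in counts.items() if n > threshold]
    return sorted(flagged), threshold


def sustained_offenders(flagged, min_days=2):
    """Users flagged on at least min_days separate days: the sustained pattern
    that a one-off spike filter would miss."""
    days = defaultdict(set)
    for user, day, _ in flagged:
        days[user].add(day)
    return sorted(user for user, d in days.items() if len(d) >= min_days)


def review(text):
    """Run the full review and return the findings as a dict."""
    counts = distinct_patients_per_user_day(parse_log(text))
    flagged, threshold = flag_high_volume_days(counts)
    return {"threshold": threshold, "flagged": flagged,
            "sustained": sustained_offenders(flagged)}


if __name__ == "__main__":
    result = review(SAMPLE_LOG)
    print(f"threshold: more than {result['threshold']:.0f} distinct patients per user-day")
    for user, day, n in result["flagged"]:
        print(f"  {day} {user}: {n} distinct patients")
    print("sustained:", ", ".join(result["sustained"]) or "none")
```

The median baseline is deliberately taken across all user-days rather than per role; in a real deployment the baseline should be computed per role or department (a coder or billing clerk legitimately touches more charts than a floor nurse), and the output should feed a documented review workflow, since it is the recorded review, not the report alone, that satisfies the audit-control expectation OCR cites.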

Enable multi-factor authentication. The Children's Hospital Colorado phishing cases and the Warby Parker credential-stuffing case both turned on the absence of MFA on accounts holding ePHI. MFA is currently an addressable specification; the proposed HIPAA Security Rule NPRM would make it mandatory.

Review all business associate agreements annually. Every contractor or subcontractor that processes PHI on your behalf must have a signed, current BAA. Vendor acquisitions, platform changes, and subprocessor relationships frequently create undocumented BAA gaps.

Create a written incident response plan and test it. Organizations that detect breaches quickly, limit their scope, and notify on time receive more favorable treatment from OCR than those whose response is disorganized or delayed. Tabletop exercises create documentation that demonstrates preparedness.

Retain compliance documentation for six years. HIPAA's retention requirement under 45 CFR § 164.530(j) covers policies, procedures, risk assessments, training records, BAAs, and incident reports. OCR requests this documentation in every investigation; gaps in records imply gaps in practice.


Mini-FAQ

What is the current maximum civil penalty per violation?

$2,190,294, effective January 28, 2026. This applies to Tier 4 (willful neglect, not corrected). The figure adjusts annually. Source: Federal Register, January 28, 2026.

Can employees face personal HIPAA liability?

Yes. Criminal penalties under 42 U.S.C. § 1320d-6 apply to individuals. An employee who accesses records without authorization, even without selling them, faces up to one year in prison and a $50,000 fine. The employer's compliance program does not eliminate individual criminal exposure.

Does practice size affect enforcement risk?

No. The Concentra settlement ($112,500) resolved a Right of Access violation at an occupational health chain. OCR has also settled with solo practitioners and small clinics. Practice size can influence where within a tier's range a penalty falls (OCR considers financial condition), but it does not determine whether OCR pursues a complaint.

What triggers an OCR investigation?

Three paths: an individual complaint filed with HHS, a breach report submitted under the Breach Notification Rule (500+ individual breaches receive near-automatic review), and OCR-initiated compliance reviews. OCR may also receive referrals from state AGs or other federal agencies.

Can patients sue under HIPAA?

No. HIPAA does not provide a private right of action. Patients cannot file a lawsuit directly under HIPAA. They can, however, file a complaint with OCR. Separately, state negligence laws, state health data privacy statutes (especially Washington's My Health My Data Act), and breach-related class action theories provide civil litigation pathways that are independent of HIPAA enforcement.

How does OCR handle ransomware breaches?

Ransomware is presumed to be a reportable breach under HIPAA unless the organization can demonstrate that PHI was not accessed or exfiltrated. The encrypted-but-not-accessed argument is difficult to make without forensic evidence. OCR has settled multiple ransomware cases and its 2024 audit program specifically targeted ransomware-relevant Security Rule provisions.


Penalty amounts in this article reflect the January 28, 2026 Federal Register inflation adjustment. OCR adjusts these figures each January; verify current amounts at 45 CFR Part 102 before using them in financial planning or legal documents.

Sources used

  1. January 28, 2026 inflation adjustment — accessed 2026-05-12
  2. 42 U.S.C. § 1320d-5 — accessed 2026-05-12
  3. 42 U.S.C. § 1320d-6 — accessed 2026-05-12
  4. Right of Access — accessed 2026-05-12
  5. Risk Analysis Initiative — accessed 2026-05-12
  6. 45 CFR § 160.408 — accessed 2026-05-12
  7. Des Moines case prosecuted by the DOJ's SDIA office — accessed 2026-05-12
  8. OCR found — accessed 2026-05-12
  9. OCR cited — accessed 2026-05-12
  10. OCR imposed a civil monetary penalty — accessed 2026-05-12
  11. HHS press release — accessed 2026-05-12
  12. settled a ransomware Security Rule violation — accessed 2026-05-12
  13. HHS press release — accessed 2026-05-12
  14. 54 enforcement actions — accessed 2026-05-12
  15. HHS enforcement data — accessed 2026-05-12
  16. proposed HIPAA Security Rule NPRM — accessed 2026-05-12
  17. 45 CFR § 164.404 — accessed 2026-05-12
  18. HHS Security Risk Assessment Tool — accessed 2026-05-12
  19. 45 CFR § 164.530(j) — accessed 2026-05-12
  20. 45 CFR Part 102 — accessed 2026-05-12

Last reviewed: 2026-05-12. This article was prepared by the Security Compliance Guide Editorial Team. We use AI to draft initial summaries of publicly available cybersecurity compliance documentation, then verify every claim against primary sources before publication. We are not licensed auditors, attorneys, or compliance consultants. For binding decisions, consult a qualified professional. See our editorial standards for full sourcing rules.
