HIPAA Violation Penalties: Complete Guide to the Four-Tier System, Enforcement Actions, and Mitigation

Last updated: 2026-05-04 — ComplianceStack Editorial Team

HIPAA enforcement has intensified on every measurable axis since 2019. The Right of Access Initiative launched that year has produced over 50 enforcement actions specifically for denying patients timely access to their records, and OCR's 2023 actions included a $1.3 million penalty against a single covered entity. The penalty structure, the cases OCR selects for investigation, and the factors that move penalties up or down are not opaque: they are documented in the regulation and in the public record of enforcement. This guide covers each tier of the HIPAA penalty structure, what drives OCR's calculation, state enforcement, criminal exposure, and what organizations can do to reduce their penalty risk.

The Four-Tier HIPAA Penalty Structure (45 CFR §160.404)

HIPAA civil money penalties are organized into four tiers based on the level of culpability. HHS adjusts the dollar amounts annually for inflation under the Federal Civil Penalties Inflation Adjustment Act, so the figures below are the 2024 adjusted amounts as published by HHS; check the most recent Federal Register adjustment notice before relying on them in an exposure estimate.

Tier 1 — Did Not Know (and with reasonable diligence would not have known):
— Minimum per violation: $141
— Maximum per violation: $71,162
— Maximum per violation category per calendar year: $2,134,831

Tier 2 — Reasonable Cause (not willful neglect):
— Minimum per violation: $1,424
— Maximum per violation: $71,162
— Maximum per violation category per calendar year: $2,134,831

Tier 3 — Willful Neglect, Corrected within 30 days:
— Minimum per violation: $14,232
— Maximum per violation: $71,162
— Maximum per violation category per calendar year: $2,134,831

Tier 4 — Willful Neglect, NOT Corrected within 30 days:
— Minimum per violation: $71,162 (mandatory minimum, not discretionary)
— Maximum per violation: $2,134,831
— Maximum per violation category per calendar year: $2,134,831

Caveat on the annual cap: in April 2019 HHS published a Notice of Enforcement Discretion stating that, pending rulemaking, it would apply lower annual caps for the lower tiers (a base of $25,000 for Tier 1, $100,000 for Tier 2 and $250,000 for Tier 3, each inflation-adjusted), with only Tier 4 keeping the full cap. The regulatory text in §160.404 still carries the uniform cap shown above, so treat that figure as the legal ceiling and the discretion caps as OCR's stated practice.

Key definitions:
Violation: Each impermissible use or disclosure and each failure to implement a required safeguard. OCR counts impermissible disclosures per affected individual, so a breach exposing 3,000 patients' records is 3,000 violations for penalty purposes. A continuing violation (an uncorrected missing safeguard, for example) counts as a separate violation for each day it persists (45 CFR §160.406).
Violation category: Each distinct HIPAA provision violated. A breach that involves failure to implement encryption (one provision) and failure to conduct a risk analysis (a second provision) constitutes two violation categories, each subject to its own per-year maximum.
Willful neglect: Conscious, intentional failure or reckless indifference to the obligation to comply (45 CFR §160.401). OCR does not require proof of malicious intent; failure to implement basic controls despite knowledge of the requirement qualifies.
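The interaction of per-individual counting, per-day counting for continuing violations, tier minimums and the per-category annual cap is easier to see in code than in prose. The estimator below is an added illustration written for this guide, not an OCR tool or a ComplianceStack product; its counting model (one violation per affected individual for a disclosure, one per day for a continuing failure under §160.406, the uniform §160.404 cap, no §160.408 discretion or 2019 enforcement-discretion caps) is a simplifying assumption, and the sample scenario is constructed.

```python
"""Rough HIPAA civil money penalty exposure estimator (illustrative only).

Assumptions (not OCR's method): one violation per affected individual for an
impermissible disclosure, one violation per day for a continuing failure,
and the uniform 45 CFR 160.404 annual cap per violation category. OCR applies
the 160.408 factors on top of this, so real outcomes are usually lower.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# 2024 inflation-adjusted amounts under 45 CFR 160.404, keyed by tier 1-4.
TIER_MIN = {1: 141, 2: 1_424, 3: 14_232, 4: 71_162}
TIER_MAX = {1: 71_162, 2: 71_162, 3: 71_162, 4: 2_134_831}
ANNUAL_CAP = 2_134_831  # per violation category, per calendar year


@dataclass
class Category:
    """One violated provision, i.e. one 'violation category'."""
    name: str
    tier: int
    individuals: int = 0          # records impermissibly disclosed (per-individual count)
    occurred: date | None = None  # date of that disclosure
    started: date | None = None   # start of a continuing failure (per-day count)
    ended: date | None = None     # correction date; None = still uncorrected


def days_in_year(start: date, end: date, year: int) -> int:
    """Number of days of the inclusive interval [start, end] that fall in `year`."""
    lo = max(start, date(year, 1, 1))
    hi = min(end, date(year, 12, 31))
    return 0 if hi < lo else (hi - lo).days + 1


def violation_counts(cat: Category, as_of: date) -> dict[int, int]:
    """Countable violations per calendar year for one category."""
    counts: dict[int, int] = {}
    if cat.started:
        end = cat.ended or as_of  # uncorrected failures keep accruing until today
        for year in range(cat.started.year, end.year + 1):
            n = days_in_year(cat.started, end, year)
            if n:
                counts[year] = counts.get(year, 0) + n
    if cat.individuals:
        year = (cat.occurred or as_of).year
        counts[year] = counts.get(year, 0) + cat.individuals
    return counts


def exposure(cat: Category, as_of: date) -> dict[int, tuple[int, int]]:
    """(minimum, maximum) penalty per calendar year for one category, cap applied."""
    out: dict[int, tuple[int, int]] = {}
    for year, n in violation_counts(cat, as_of).items():
        lo = min(n * TIER_MIN[cat.tier], ANNUAL_CAP)
        hi = min(n * TIER_MAX[cat.tier], ANNUAL_CAP)
        out[year] = (lo, hi)
    return out


def total_exposure(cats: list[Category], as_of: date) -> tuple[int, int]:
    """Sum of per-category, per-year (minimum, maximum) exposure."""
    lo = hi = 0
    for cat in cats:
        for a, b in exposure(cat, as_of).values():
            lo, hi = lo + a, hi + b
    return lo, hi


# Constructed scenario: a mid-size provider assessed as of 2024-09-30.
AS_OF = date(2024, 9, 30)
SAMPLE = [
    # Breach exposing 3,000 records; reasonable cause, not willful neglect.
    Category("Impermissible disclosure, 164.502(a)", tier=2,
             individuals=3_000, occurred=date(2024, 3, 10)),
    # No risk analysis ever performed; known since mid-2023 and still not done.
    Category("No risk analysis, 164.308(a)(1)(ii)(A)", tier=4,
             started=date(2023, 6, 1), ended=None),
    # Fax misdirected to the wrong clinic; could not reasonably have been known.
    Category("Misdirected fax, 164.502(a)", tier=1,
             individuals=12, occurred=date(2024, 5, 2)),
]

if __name__ == "__main__":
    for cat in SAMPLE:
        for year, (lo, hi) in sorted(exposure(cat, AS_OF).items()):
            print(f"{cat.name:45s} {year}: ${lo:>12,} - ${hi:>12,}")
    lo, hi = total_exposure(SAMPLE, AS_OF)
    print(f"{'TOTAL':45s}       ${lo:>12,} - ${hi:>12,}")
```

Running it shows why the cap dominates: the 3,000-record disclosure reaches the $2,134,831 cap even at the Tier 2 minimum, and the uncorrected risk-analysis failure is capped separately in 2023 and again in 2024 because a continuing violation straddling a year boundary is capped per calendar year. Only the twelve-person misdirected fax stays below the cap.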

For context on how these penalties compare to other frameworks, see the Real Cost of Non-Compliance 2026.

How OCR Calculates Penalties: The Eight Penalty Factors

OCR does not assess the maximum penalty in every case. The regulation at 45 CFR §160.408 lists the factors the Secretary must consider in determining the penalty amount: the nature and extent of the violation, the nature and extent of the harm, the history of prior compliance, the financial condition of the entity, and such other matters as justice may require. The list below breaks those out into eight practical factors; items 5 through 7 draw on the related provisions on continuing violations (§160.406), the willful-neglect tiers (§160.404) and correction within 30 days (§160.410).

1. Nature and extent of the violation: How many individuals were affected? Was PHI actually disclosed to unauthorized parties or merely at risk? A breach affecting 500,000 individuals is treated far more seriously than one affecting 100.

2. Nature and extent of the harm: Was financial harm caused (identity theft using PHI)? Physical harm? Reputational harm? Violation of personal dignity? OCR applies higher penalties when harm is demonstrable.

3. History of prior compliance: Organizations with prior violations, prior settlements, or prior corrective action plans receive less favorable treatment in subsequent investigations. OCR maintains a full enforcement history.

4. Financial condition: OCR may reduce penalties for organizations demonstrating financial hardship — but must balance this against adequate deterrence.

5. Whether violation was continuing: A violation that began years ago and continued without correction is treated more seriously than an isolated incident promptly remediated.

6. Whether willful neglect was involved: Willful neglect moves the violation into Tier 3 or Tier 4, whose minimums are mandatory, and removes the §160.410 affirmative defense that otherwise shields violations corrected within 30 days of discovery.

7. Timely corrective action: Organizations that identify, disclose, and remediate violations promptly receive favorable treatment. Voluntary self-disclosure to OCR before OCR learns of the violation is a significant mitigating factor.

8. Other matters as justice may require: OCR has discretion to consider any additional relevant facts.

Practical implication: organizations that conduct risk analyses, implement corrective actions, and report breaches promptly — even when those breaches result in investigations — face materially lower penalties than those that ignore violations until they are discovered externally. The HIPAA Risk Calculator helps identify which violation categories create the highest penalty exposure for your organization.

Major OCR Enforcement Actions by Penalty Amount

OCR's enforcement record provides the most accurate picture of what violations actually cost. Note that most of the amounts below are resolution agreements (negotiated settlements paired with a corrective action plan) rather than imposed civil money penalties, so they are not the product of tier arithmetic:

Advocate Health Care Network (2016): $5,550,000 — Three separate 2013 incidents, including the theft of unencrypted desktop computers from an administrative office and of an unencrypted laptop from an employee's vehicle, affecting about 4 million individuals. The largest HIPAA settlement at the time. OCR cited failure to conduct an accurate and thorough enterprise-wide risk analysis, failure to implement policies and procedures and physical access controls, failure to obtain satisfactory assurances from a business associate, and failure to reasonably safeguard the unencrypted laptop. Encryption is an addressable implementation specification rather than a strict requirement, but OCR treated the absence of a risk analysis that would have identified the unencrypted devices as the central failure.

Anthem Inc. (2018): $16,000,000 — Largest HIPAA settlement ever. 78.8 million individuals' PHI exposed in a cyberattack. OCR found failures in risk analysis, risk management, and information system activity review. The scale of the breach and the fundamental character of the missing safeguards drove the record settlement.

UCLA Health System (2011): $865,500 — Workforce members repeatedly accessed the records of celebrity patients without a job-related reason. OCR cited failure to implement security measures sufficient to reduce the risk of unauthorized workforce access, failure to apply sanctions to the employees involved, and failure to document regular review of information system activity records.

Memorial Hermann Health System (2017): $2,400,000 — The health system disclosed a patient's name in the title of a press release, and in statements to state officials, without authorization. The disclosure was public, deliberate and reviewed by senior management, which drove the penalty.

Right of Access cases (2019-2024): Over 50 enforcement actions specifically for denying patients timely access to records. Penalties range from $3,500 (small private practice) to $240,000 (large health system). The sheer number of cases demonstrates that OCR views access rights violations as a systematic enforcement priority, not a secondary concern.

For comprehensive data on enforcement costs across all frameworks, see the Real Cost of Non-Compliance 2026.

State Attorney General Enforcement Under HIPAA

State attorneys general have independent authority to bring civil actions for HIPAA violations under 42 U.S.C. §1320d-5(d) (HITECH Act, 2009). This creates a second enforcement track entirely separate from OCR:

State authority: AGs can bring civil actions in federal district court on behalf of state residents. Damages: $100 per violation, up to $25,000 for all violations of an identical requirement or prohibition in a calendar year, plus attorney fees. State AG enforcement proceeds separately from OCR, with its own proceeding and its own penalty calculation, and can add to an OCR outcome, subject to two statutory limits: the AG must give prior written notice to the Secretary, who may intervene, and no state action may be brought for a violation while HHS has its own action pending on that violation.

Notable state enforcement actions:
— Indiana AG (2022): $350,000 settlement with specialty physician practice for breach affecting 300,000 patients — pursued simultaneously with OCR investigation.
— New York AG: Multiple healthcare HIPAA enforcement actions, including actions against insurance companies for inadequate safeguards affecting millions of NY residents.
— Texas AG: Active HIPAA enforcement program with focus on healthcare data brokers and apps that share PHI without authorization.

State health privacy laws: Several states have enacted health privacy laws stricter than HIPAA that create independent violation exposure. California's Confidentiality of Medical Information Act (CMIA) provides for civil damages per violation. New York's SHIELD Act imposes breach notification and security requirements. Texas Health & Safety Code Chapter 181 requires specific security measures for electronic health information. These state laws are not preempted by HIPAA where they provide greater privacy protections.

For a complete assessment of your state-specific compliance exposure, see the HIPAA Framework Overview.

Criminal Penalties Under 42 U.S.C. §1320d-6

HIPAA also provides for criminal penalties — not just civil monetary penalties. Criminal prosecution is pursued through the Department of Justice, not OCR. Three tiers:

Knowingly obtaining or disclosing individually identifiable health information in violation of the statute: Up to 1 year imprisonment and/or up to $50,000 fine. "Knowingly" refers to knowledge of the facts (that one is obtaining or disclosing the information), not knowledge that HIPAA prohibits it, under the Department of Justice's 2005 Office of Legal Counsel opinion.

Violation under false pretenses: Up to 5 years imprisonment and/or up to $100,000 fine.

Violation with intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm: Up to 10 years imprisonment and/or up to $250,000 fine.

Criminal prosecution typically targets individuals, not organizations — physicians who access celebrity patient records, employees who steal PHI to commit identity fraud, and organized schemes to sell patient data. However, the criminal exposure creates personal liability for executives and compliance officers who knowingly approve non-compliant practices.

Important distinction: Criminal prosecution does not require OCR investigation or civil penalty first. DOJ can prosecute independently and has done so in multiple cases involving healthcare employees who accessed PHI for personal reasons.

For a complete view of non-compliance costs beyond HIPAA — including SOX, OSHA, and GDPR penalties — see the Real Cost of Non-Compliance 2026. The full HIPAA framework is at Complete HIPAA Compliance Guide 2026.

How to Reduce HIPAA Penalty Exposure

OCR's enforcement record and the 45 CFR §160.408 factors point to a consistent set of risk-reduction strategies:

Conduct and document a current risk analysis: The risk analysis requirement is the most cited violation in OCR investigations. Organizations that have documented risk analyses — even imperfect ones — demonstrate good faith effort. Organizations with no documented risk analysis face willful neglect characterization. The OCR HIPAA Audit Protocol and NIST SP 800-66 Rev. 2 provide the methodology. The HIPAA Risk Calculator provides a free starting point.

Implement and document security controls: Encryption, access controls, and audit logging are the three Security Rule technical safeguards most commonly cited in large settlements. Encryption is an addressable implementation specification, so if it is not implemented the Security Rule requires a documented rationale and an equivalent alternative; an undocumented decision reads as a missing control. Documented implementation (configuration records, vendor agreements, testing results) is evidence that controls are in place.

Train workforce regularly: HIPAA requires training for all workforce members and periodic security reminders but sets no fixed interval; annual training with documented refreshers is the common practice. Training documentation falls under the six-year retention requirement. Organizations that cannot produce training records face the inference that training was not conducted.

Report and self-disclose promptly: Voluntary self-disclosure to OCR before external discovery is treated as a mitigating factor under 45 CFR §160.408. Organizations that discovered violations and fixed them before OCR involvement receive materially more favorable treatment than those who concealed or delayed.

Execute and maintain Business Associate Agreements: Disclosing PHI to a vendor without a BAA is an independent violation category, and each vendor lacking a BAA is a separate violation within it. Keeping a complete inventory of vendors that handle PHI and an executed BAA for each removes that category from your exposure entirely.

Respond to patient access requests on time: Given the Right of Access Initiative, failure to respond to access requests within 30 days creates a specific enforcement risk. 45 CFR §164.524 allows one 30-day extension only if the individual is notified in writing of the reason and the expected completion date before the first 30 days run out. Implement a documented process with a tracking system that records the request date, the deadline, any extension notice, and the fulfilment date.

Frequently Asked Questions: HIPAA Penalties

What is the maximum HIPAA fine per incident?
The maximum penalty per violation category per calendar year is $2,134,831 (2024 adjusted amount). A single data breach can result in multiple violation categories — failure to encrypt (one category), failure to conduct risk analysis (second category), failure to have BAAs (third category) — each subject to the per-year maximum. The Anthem settlement of $16,000,000 involved violations across multiple categories. There is no single per-incident cap — the total exposure scales with the number of violations, the number of affected individuals, and the number of distinct regulatory requirements that were violated. Use the HIPAA Risk Calculator to estimate your penalty exposure by violation category.

Can OCR investigate if we reported the breach ourselves?
Yes — OCR investigates based on breach reports. All breaches affecting 500+ individuals are automatically posted to OCR's public breach portal and may trigger OCR investigation. Small breaches (under 500 individuals) reported in the annual log are reviewed less frequently but can be investigated. Self-reported breaches are not protected from investigation — but voluntary self-disclosure and prompt corrective action are mitigating factors under 45 CFR §160.408 that materially reduce the penalty calculation. Organizations that discover and self-report breaches, implement corrective action, and cooperate with OCR investigation consistently receive lower penalties than those where OCR learns of violations through complaints or external discovery.

How long does OCR have to bring a penalty action?
The limitation period for HIPAA civil money penalties is 6 years from the date the violation occurred (45 CFR §160.414). For continuing violations, where non-compliance persists over an extended period such as never performing a risk analysis, each day of non-compliance is a separate violation (45 CFR §160.406), so the violations within the 6-year lookback window remain actionable even if the failure began earlier. Organizations should retain HIPAA documentation for at least 6 years from creation or last effective date (45 CFR §164.530(j) and §164.316(b)(2)) to be able to defend against penalty calculations for the full lookback period.

Calculate Your HIPAA Penalty Exposure Now

The free ComplianceStack HIPAA Risk Calculator identifies which violation categories create the highest penalty exposure for your organization and provides a prioritized remediation roadmap. No signup required.

Run the Free HIPAA Risk Assessment →
