HIPAA Violation Fines: Current Dollar Amounts & Exposure Calculator

Last updated: 2026-04-13 — ComplianceStack Editorial Team

HIPAA civil money penalties (CMPs) are real, substantial, and increasingly common. HHS OCR collected over $14 million in penalties in 2023 alone. The penalty range — from $141 for an unknowing violation to $2,134,831 for willful neglect not corrected — depends heavily on culpability tier, violation count, entity size, and cooperation level. This page gives you the exact dollar figures, the calculation method, and a free interactive calculator to estimate your organization's fine exposure.

Regulatory Authority: 45 CFR § 160.404 (civil money penalties) and § 160.408 (factors considered in CMP determination), as inflation-adjusted per 45 CFR § 102.3 (2026 figures)

HIPAA Penalty Exposure Calculator

Tell us about your organization and the violation scenario. We'll estimate your potential fine range, identify the most likely penalty tier, and outline what factors could reduce your exposure.


Penalty Tier Breakdown

Tier 1 — Unknowing Violation

$141 – $71,162
Annual max: $2,134,831 per violation category

The covered entity did not know, and with reasonable diligence could not have known, about the HIPAA violation. This is the lowest tier and OCR has discretion to waive penalties entirely if the entity demonstrates good faith.

Example: A clinic emailed patient lab results to the wrong patient because of a duplicate name in the EHR. The clinic had reasonable safeguards in place but the software had an undiscovered matching bug.

Tier 2 — Reasonable Cause

$1,424 – $71,162
Annual max: $2,134,831 per violation category

The covered entity knew — or should have known with reasonable diligence — about the violation, but the violation was not due to willful neglect. The entity had resources to comply but didn't prioritize it sufficiently.

Example: A small medical practice failed to conduct a required annual risk assessment for three years. An IT vendor had flagged the gap in a system audit but the practice didn't follow up.

Tier 3 — Willful Neglect, Corrected

$14,238 – $71,162
Annual max: $2,134,831 per violation category

The violation resulted from conscious or reckless disregard of HIPAA obligations — but the entity corrected the problem within 30 days of discovering it. OCR must impose a CMP at this tier but corrective action affects the final amount.

Example: A covered entity shared PHI with a vendor that had no BAA in place for 18 months. When an internal compliance review identified the gap, the entity executed a retroactive BAA within two weeks and self-reported to OCR.

Tier 4 — Willful Neglect, Not Corrected

$71,162 – $2,134,831
Annual max: $2,134,831 per violation category

The most severe tier. The entity consciously, intentionally, or recklessly violated HIPAA and failed to correct the violation within 30 days. OCR cannot waive penalties at this tier — a CMP is mandatory.

Example: A large hospital system received multiple OCR complaint letters about patients not receiving their medical records within 30 days. The organization acknowledged receipt but took no corrective action for over a year.

How Penalties Are Calculated

OCR calculates HIPAA fines per violation, per violation category, per calendar year. Multiple violations of the same HIPAA provision are capped at $2,134,831/year — but violations of different provisions stack independently.

Key factors that drive penalties up: number of individuals affected, duration of noncompliance, and whether harm resulted.

Key factors that drive penalties down: self-reporting, full cooperation with OCR, no prior violations, rapid corrective action, and demonstrating financial hardship.

Most enforcement actions settle via Resolution Agreement rather than formal CMP — the settlement amount is typically 30–70% lower than the maximum CMP exposure in exchange for a corrective action plan.
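The per-category, per-year capping described above is easy to get wrong when an organization has several findings spanning several years. The following Python is an added editorial example, not this page's calculator and not any OCR tool; it uses only the tier figures and the annual cap stated on this page. The `Finding` type, the sample scenario, and the choice to count one violation per affected individual are constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Per-violation penalty range by culpability tier (2026 inflation-adjusted
# figures as stated on this page): tier -> (minimum, maximum).
TIER_RANGES = {
    1: (141, 71_162),        # unknowing
    2: (1_424, 71_162),      # reasonable cause
    3: (14_238, 71_162),     # willful neglect, corrected
    4: (71_162, 2_134_831),  # willful neglect, not corrected
}

# Annual cap for all violations of one provision (one "violation category")
# within one calendar year, as stated on this page.
ANNUAL_CAP_PER_CATEGORY = 2_134_831


@dataclass(frozen=True)
class Finding:
    """One compliance finding. Constructed type for this example."""
    provision: str   # label for the HIPAA provision violated (constructed label)
    tier: int        # culpability tier 1-4
    count: int       # number of violations in that year (assumption: one per individual affected)
    year: int        # calendar year the violations occurred


def category_year_range(finding: Finding) -> tuple[int, int]:
    """Exposure range for a single finding before combining with others.

    Each violation is priced at the tier's minimum and maximum, then the
    annual per-category cap is applied to both ends of the range.
    """
    if finding.tier not in TIER_RANGES:
        raise ValueError(f"tier must be 1-4, got {finding.tier}")
    if finding.count < 1:
        raise ValueError("count must be at least 1")
    low, high = TIER_RANGES[finding.tier]
    return (
        min(finding.count * low, ANNUAL_CAP_PER_CATEGORY),
        min(finding.count * high, ANNUAL_CAP_PER_CATEGORY),
    )


def estimate_exposure(findings: list[Finding]) -> tuple[int, int]:
    """Total (minimum, maximum) CMP exposure across all findings.

    Findings are grouped by (provision, year) because the cap applies per
    violation category per calendar year; distinct provisions and distinct
    years stack independently.
    """
    buckets: dict[tuple[str, int], tuple[int, int]] = {}
    for f in findings:
        key = (f.provision, f.year)
        lo, hi = category_year_range(f)
        cur_lo, cur_hi = buckets.get(key, (0, 0))
        buckets[key] = (
            min(cur_lo + lo, ANNUAL_CAP_PER_CATEGORY),
            min(cur_hi + hi, ANNUAL_CAP_PER_CATEGORY),
        )
    return (
        sum(lo for lo, _ in buckets.values()),
        sum(hi for _, hi in buckets.values()),
    )


def settlement_band(max_exposure: int) -> tuple[int, int]:
    """Typical Resolution Agreement range: 30-70% below maximum CMP exposure,
    i.e. 30%-70% of the maximum, per the pattern described on this page.
    Integer division keeps the result in whole dollars."""
    return (max_exposure * 30 // 100, max_exposure * 70 // 100)


# Constructed scenario: no risk analysis for three consecutive years (tier 3,
# one violation per year) plus a tier-4 disclosure affecting 500 individuals.
SAMPLE_FINDINGS = [
    Finding("risk analysis not performed", tier=3, count=1, year=2023),
    Finding("risk analysis not performed", tier=3, count=1, year=2024),
    Finding("risk analysis not performed", tier=3, count=1, year=2025),
    Finding("impermissible disclosure", tier=4, count=500, year=2025),
]

if __name__ == "__main__":
    lo, hi = estimate_exposure(SAMPLE_FINDINGS)
    print(f"CMP exposure: ${lo:,} - ${hi:,}")
    s_lo, s_hi = settlement_band(hi)
    print(f"Typical settlement band: ${s_lo:,} - ${s_hi:,}")
```

In the sample scenario the three risk-analysis years stack (they are separate calendar years), while the 500-individual disclosure hits the annual cap at both ends of its range, so the tier-4 finding dominates the total regardless of how many more individuals are added.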

Recent Enforcement Actions

2024 — Cascade Eye and Skin Centers (Washington State)
Impermissible disclosure of 291,000 patients' PHI in a ransomware attack; failure to implement required Security Rule safeguards
Penalty: $750,000 — Tier 3/4 (Willful Neglect)
Source: HHS OCR Resolution Agreement, March 2024

2024 — Montefiore Medical Center (New York)
Failure to conduct risk analysis; insufficient access controls allowing an employee to steal patient data
Penalty: $4,750,000 — Tier 3 (Willful Neglect, Corrected)
Source: HHS OCR Civil Money Penalty, 2024

2023 — MedEvolent Health (Multi-state)
Unlawful use of patient PHI for marketing without authorization; no minimum necessary safeguards
Penalty: $450,000 — Tier 3 (Willful Neglect, Corrected)
Source: HHS OCR Resolution Agreement, 2023

2022 — Lafourche Medical Group (Louisiana)
Ransomware attack compromising PHI of 34,862 patients; no prior risk analysis ever conducted
Penalty: $480,000 — Tier 2/3 (Reasonable Cause / Willful Neglect)
Source: HHS OCR Resolution Agreement, June 2022


Frequently Asked Questions

What is the maximum fine OCR can impose for a single HIPAA violation?

The maximum is $2,134,831 per violation category per calendar year (2026 inflation-adjusted figures for Tier 4 willful neglect). However, this is a per-category annual cap. If a covered entity violated multiple distinct HIPAA provisions, each violation category has its own $2,134,831 annual cap. A single OCR enforcement action can result in multimillion-dollar penalties if multiple provisions were violated across a period of years.

Can OCR waive HIPAA fines entirely?

Yes — for Tier 1 (unknowing) and Tier 2 (reasonable cause) violations, OCR has discretion to waive penalties if the entity demonstrates the violation was not due to willful neglect. Waiver is more likely when: the entity self-reported proactively, cooperated fully, implemented robust corrective action, and has no prior violations. Tier 3 and Tier 4 (willful neglect) penalties cannot be waived — OCR is required by statute to impose a CMP.

Are HIPAA fines in addition to breach notification costs?

Yes. HIPAA civil money penalties are separate from breach notification costs, state attorney general penalties (up to $25,000/year per violation), private litigation costs, and cybersecurity remediation expenses. The total cost of a HIPAA enforcement action regularly exceeds the OCR penalty amount by 2–5×.
