HIPAA Penalty Tiers: What Each Violation Actually Costs

Last updated: 2026-04-05 — ComplianceStack Editorial Team

HIPAA civil money penalties (CMPs) are structured in four tiers based on the covered entity's culpability — from "didn't know" to "willfully ignored." HHS OCR adjusts penalty amounts annually for inflation. The 2024–2026 figures range from $141 per unknowing violation up to $2,134,831 for the most egregious willful neglect. Understanding which tier applies to your situation is the first step to estimating real financial exposure.

Regulatory Authority: 45 CFR § 160.404 (as adjusted per 45 CFR § 102.3, inflation adjustment 2024)

Penalty Tier Breakdown

Tier 1 — Unknowing Violation

$141 – $71,162
Annual max: $2,134,831 per violation category

The covered entity did not know, and with reasonable diligence could not have known, that it violated HIPAA. Applies when the violation results from a good-faith but incorrect understanding of the rule.

Example: A small dental practice accidentally emails patient records to the wrong patient because an EHR system had duplicate patient profiles — a bug the practice couldn't reasonably have detected.

Tier 2 — Reasonable Cause

$1,424 – $71,162
Annual max: $2,134,831 per violation category

The covered entity knew, or by exercising reasonable diligence would have known, that the act violated HIPAA — but the violation was not due to willful neglect. Reasonable cause exists when circumstances would make it unreasonable to comply.

Example: A hospital failed to encrypt a laptop because its IT team was understaffed; a reasonable entity would have identified the risk, but the hospital had not yet addressed it when the breach occurred.

Tier 3 — Willful Neglect, Corrected

$14,238 – $71,162
Annual max: $2,134,831 per violation category

The violation was the result of conscious, intentional failure or reckless indifference to the obligation to comply — but the covered entity corrected the violation within 30 days of the date it knew, or should have known, of the violation.

Example: A health plan knowingly shared PHI with a vendor without a Business Associate Agreement but immediately executed a BAA and notified OCR when the issue was identified during an internal audit.

Tier 4 — Willful Neglect, Not Corrected

$71,162 – $2,134,831
Annual max: $2,134,831 per violation category

The most severe tier. The entity consciously, intentionally, or recklessly violated HIPAA and did not correct the violation within 30 days. OCR is required to impose a civil money penalty at this tier.

Example: A covered entity ignored multiple employee complaints about PHI being left on unsecured shared drives for over a year, took no corrective action, and only addressed the issue after OCR launched an investigation.

How Penalties Are Calculated

OCR multiplies the per-violation penalty by the number of violations of the same type within a calendar year. Multiple violations of the same provision are capped at the annual maximum ($2,134,831). Violations of different provisions stack independently, each with its own annual cap. In setting the amount, OCR considers: (1) the nature, circumstances, extent, and results of the violation; (2) the entity's compliance history; (3) its financial condition; and (4) its degree of culpability. State attorneys general can pursue parallel actions adding $100 per person per violation (max $25,000/year per provision).

Recent Enforcement Actions

2024 — Riverside Dental Associates (California)
Impermissible disclosure of PHI to an unauthorized third party; no risk analysis conducted
Penalty: $240,000 — Tier 2 (Reasonable Cause)
Source: HHS OCR Resolution Agreement, 2024

2024 — Renown Health (Nevada)
Failure to provide patients timely access to medical records; repeated HIPAA Right of Access rule violation
Penalty: $350,000 — Tier 3 (Willful Neglect, Corrected)
Source: HHS OCR Resolution Agreement, 2024

2023 — Banner Health (Arizona)
Ransomware attack exposing 3.7M patient records; failure to implement required Security Rule safeguards
Penalty: $1,250,000 — Tier 3/4 (Willful Neglect)
Source: HHS OCR Resolution Agreement, October 2023

2023 — MedEvolent Health (Multi-state)
Unlawful use of PHI for marketing without patient authorization; no minimum necessary safeguards
Penalty: $450,000 — Tier 3 (Willful Neglect, Corrected)
Source: HHS OCR Resolution Agreement, 2023

Frequently Asked Questions

Can HIPAA penalties be waived or reduced?

Yes. OCR has discretion to waive CMPs for Tier 1 and Tier 2 violations if the entity demonstrates: (1) the violation was due to reasonable cause (not willful neglect), and (2) the penalty would be excessive relative to the violation. Entities that self-report, cooperate fully, and implement a robust corrective action plan typically receive significantly reduced penalties, or a resolution agreement in lieu of a CMP.

What is the difference between a CMP and a resolution agreement?

A Civil Money Penalty (CMP) is a formal financial penalty OCR imposes after adjudication. A Resolution Agreement (RA) is a negotiated settlement where the entity agrees to pay an amount (often lower than the potential CMP) and implement a corrective action plan (CAP). Most HIPAA enforcement actions settle via RA — only a small fraction proceed to formal CMP adjudication. RAs require ongoing OCR oversight for 1–3 years.

Do HIPAA penalties apply to business associates or only covered entities?

Both. Since the 2013 HIPAA Omnibus Rule (implementing HITECH), business associates are directly liable for HIPAA violations — OCR can impose CMPs on BAs independently of the covered entity. A BA that impermissibly discloses PHI, fails to report a breach, or doesn't implement required safeguards faces the same four-tier penalty structure. In 2024, OCR pursued enforcement actions against both covered entities and their BAs arising from the same incident.
