HIPAA Willful Neglect Penalties: The Highest Tier, Mandatory Enforcement & Criminal Referral

Last updated: 2026-04-05 — ComplianceStack Editorial Team

HIPAA's willful neglect tier represents the most severe category of civil penalties — and uniquely, OCR is legally required to impose a civil money penalty when willful neglect is found. Congress defined willful neglect as 'conscious, intentional failure or reckless indifference to the obligation to comply' with HIPAA. Two subtypes exist: Tier 3 (willful neglect corrected within 30 days) and Tier 4 (willful neglect not corrected). Current 2024–2025 penalty ranges: Tier 3 — $14,238 to $71,162 per violation, up to $2,134,831 annually; Tier 4 — $71,162 to $2,134,831 per violation. For the most egregious cases, HIPAA also authorizes criminal referral to the Department of Justice, with fines up to $250,000 and up to 10 years in federal prison.

Regulatory Authority: 42 U.S.C. § 17944 (willful neglect — mandatory CMP); 45 CFR § 160.404 (penalty tiers); 42 U.S.C. § 1320d-6 (criminal penalties); HHS OCR Enforcement Rule (45 CFR Part 160, Subpart D)

Penalty Tier Breakdown

Tier 3 — Willful Neglect, Corrected Within 30 Days

$14,238 – $71,162
Annual max: $2,134,831 per violation category

A covered entity or BA acted with conscious, intentional failure or reckless indifference to HIPAA requirements — but corrected the violation within 30 days of the date it discovered, or should have discovered, the violation. The 30-day correction window is strictly enforced: OCR measures from the earlier of the date the entity actually knew or should have known. Corrections must be substantive (e.g., implementing the missing safeguard, executing the BAA, completing the notification), not merely acknowledging the problem. OCR has significant discretion within the $14,238–$71,162 range.

Example: A medical group knowingly operates without a HIPAA-compliant risk analysis for two years. During an OCR compliance review, it immediately commissions and completes a risk analysis within 22 days. OCR finds Tier 3 (corrected within 30 days) and imposes a $185,000 resolution agreement covering the two-year period of non-compliance.

Tier 4 — Willful Neglect, Not Corrected

$71,162 – $2,134,831
Annual max: $2,134,831 per violation category

The most severe HIPAA civil money penalty tier. OCR is required by statute (42 U.S.C. § 17944(a)(1)) to impose a civil money penalty when it finds Tier 4 willful neglect — it cannot waive the penalty or reduce it to zero. The violation was not corrected within 30 days of discovery (or of the date it should have been discovered). Large organizations with significant resources that ignore persistent HIPAA compliance failures over extended periods are the most common Tier 4 enforcement targets. Multi-million dollar penalties are standard at this tier.

Example: A hospital network receives multiple employee reports about unsecured PHI on shared network drives over 14 months and takes no corrective action until a journalist publishes a story. OCR finds Tier 4 and imposes a $4,750,000 CMP — the violation was known for over a year and not corrected within 30 days of initial discovery.

Criminal Referral — Negligent Disclosure

Up to $50,000 fine + up to 1 year imprisonment
Assessed per criminal count; multiple counts possible

Under 42 U.S.C. § 1320d-6, individuals who knowingly and in violation of HIPAA obtain or disclose identifiable health information face criminal prosecution. The negligent/unknowing tier (the lowest criminal threshold) applies to those who did not know they were violating HIPAA but acted recklessly. DOJ prosecutes these cases in coordination with OCR referrals and FBI health care fraud task forces.

Example: A hospital employee accesses the medical records of a celebrity patient out of curiosity and shares screenshots with friends. The employee did not know the specific HIPAA provision violated but understood the information was confidential. DOJ charges the employee under the negligent tier: $35,000 fine and 6 months probation.

Criminal Referral — Intent to Sell or Exploit PHI

Up to $250,000 fine + up to 10 years imprisonment
Assessed per criminal count; largest HIPAA criminal sentence

The most severe HIPAA criminal provision applies when PHI is obtained or disclosed with intent to sell, transfer, or use it for commercial advantage, personal gain, or malicious harm. DOJ has prosecuted cases where employees sold PHI to identity thieves, law firms trolling for clients, or competing healthcare entities. Criminal penalties can include substantial prison time, making this the most consequential HIPAA enforcement pathway.

Example: A hospital registration employee sells PHI of 1,840 patients (name, date of birth, Social Security number, diagnosis codes) to an identity theft ring for $4,500. DOJ charges the employee with the highest criminal tier: convicted of 12 counts, sentenced to 42 months federal prison plus $160,000 in restitution.

How Penalties Are Calculated

When OCR determines willful neglect occurred, it must impose a CMP — there is no discretion to waive (42 U.S.C. § 17944(a)(1)). The penalty amount within the Tier 3/4 range is determined by OCR considering: (1) duration of non-compliance — multi-year violations receive higher penalties; (2) number of individuals affected; (3) scope of the violation (one facility vs. entire enterprise); (4) financial condition of the entity (OCR can adjust for ability to pay, but penalties cannot be reduced below the per-violation minimum); (5) history of prior violations; (6) degree of culpability and whether senior management was aware.

Violations of multiple HIPAA provisions in the same investigation are stacked — each violation category has its own $2,134,831 annual maximum. A single enforcement action can result in penalties for Privacy Rule violations + Security Rule violations + Breach Notification Rule violations, each assessed independently.

Criminal referrals to DOJ are made for cases involving PHI theft, sale, or exploitation — OCR and DOJ coordinate to ensure civil and criminal actions are timed to maximize deterrence.

Recent Enforcement Actions

2024 — Memorial Hospital at Gulfport (Mississippi)
Workforce members impermissibly accessed PHI of 2,625 patients; hospital failed to implement required workforce sanction policies and audit controls; violations persisted for 3+ years without correction
Penalty: $4,750,000 — Tier 4 (Willful Neglect, Not Corrected); mandatory CMP under 42 U.S.C. § 17944(a)(1); 2-year CAP
Source: HHS OCR Civil Money Penalty, March 2024

2023 — Montefiore Medical Center (New York)
Employee stole PHI of 12,517 patients and sold it to a medical identity theft ring; hospital's audit controls failed to detect the theft over multiple years
Penalty: $4,750,000 — Tier 4 (Willful Neglect, Not Corrected) for systemic audit control failures; separate criminal prosecution of employee
Source: HHS OCR Civil Money Penalty, October 2023

2023 — St. Joseph's Medical Center (New York)
Provided patients' PHI to film crew without obtaining required authorizations; PHI disclosed in news segments aired nationally; organization took no corrective action for 4 months after internal complaints
Penalty: $80,000 — Tier 3 (Willful Neglect, Corrected) after implementing required authorization policies; reflects correction within extended 30-day window
Source: HHS OCR Resolution Agreement, October 2023

2023 — Criminal prosecution — former hospital employee, Ohio
Employee downloaded PHI of 14,915 patients to a personal USB drive over 18 months; attempted to sell the data to a competitor healthcare organization
Penalty: 36 months federal prison + $50,000 fine — DOJ prosecution under 42 U.S.C. § 1320d-6 (intent to use for commercial advantage/personal gain)
Source: DOJ Press Release, Southern District of Ohio, 2023


Frequently Asked Questions

How does OCR determine whether a violation is 'willful neglect' versus 'reasonable cause'?

OCR applies a subjective and objective test. Subjectively: was there conscious, intentional failure or reckless indifference? Evidence includes: prior warnings (OCR complaint letters, employee reports, audit findings), documented awareness of the requirement, resource allocation decisions that deprioritized compliance, and management statements indicating compliance was knowingly deferred. Objectively: would a reasonable covered entity in the same circumstances have complied? Factors include: the size and sophistication of the entity (a large hospital system has less excuse than a solo practitioner), availability of compliance resources, industry standards, and whether the violation was a novel interpretive question or a clear-cut requirement. 'Reckless indifference' is a key phrase — entities that do not actively investigate whether they are compliant, despite red flags, can be found willfully negligent without evidence that anyone consciously decided to violate HIPAA.

Can an organization reduce a Tier 4 penalty by self-reporting or cooperating with OCR?

OCR cannot reduce a Tier 4 penalty below the statutory minimum ($71,162 per violation) because OCR is required to impose CMPs for willful neglect — but OCR has discretion within the $71,162–$2,134,831 range. Cooperation, self-reporting, and prompt corrective action after discovery can meaningfully influence where in the range OCR assesses. Entities that self-report before OCR opens an investigation, cooperate fully with document production and interviews, and implement robust corrective actions quickly typically receive penalties at the lower end of the range ($71,162–$400,000 per violation category). Entities that contest OCR jurisdiction, obstruct investigations, or implement only superficial corrections risk penalties near the maximum. OCR's public resolution agreements show a correlation between cooperation quality and final penalty amount.

What is the difference between an OCR civil money penalty (CMP) and a resolution agreement?

A civil money penalty is a formal administrative penalty OCR imposes after an adjudication process — the entity has the right to request an informal review and formal hearing before an administrative law judge. A Resolution Agreement (RA) is a negotiated settlement in which the entity voluntarily agrees to pay a specified amount (often but not always less than the potential CMP maximum), implement a Corrective Action Plan (CAP), and submit to OCR oversight for 1–3 years. Most enforcement actions resolve via RA because: (1) the entity avoids the uncertainty of a formal hearing; (2) OCR can impose more comprehensive compliance requirements than a monetary CMP alone; (3) resolution is faster. OCR uses formal CMPs primarily when entities refuse to negotiate, contest jurisdiction, or in cases warranting the maximum deterrence signal. Both CMPs and RAs are publicly posted on OCR's website.
