HIPAA violation fines can be issued by the Department of Health and Human Services’ Office for Civil Rights (OCR) and by state attorneys general for failing to comply with HIPAA regulations. In this article, we provide a detailed explanation of the HIPAA violation fines that have been imposed on HIPAA-regulated entities found to have violated the HIPAA Rules. You can also use the article in conjunction with our free HIPAA Violations Checklist to understand what is required to ensure full compliance.
The Majority of HIPAA Violation Fines Are from Settlements

In the majority of cases, covered entities and business associates accept that there have been potential failures to comply with certain elements of the HIPAA Rules, a settlement amount is agreed, and the case is resolved with no admission of liability.
In addition to the settlement, a corrective action plan is issued to address the HIPAA failures. HIPAA-covered entities and business associates may disagree with the findings of the investigation and challenge the decision to impose a penalty. In such cases, they are given the opportunity to provide evidence to support a waiver of the penalty.
If they are unsuccessful, a civil monetary penalty will be imposed. The civil monetary penalty will be more than the penalty they would pay if they settled the alleged violations. OCR cannot impose a corrective action plan when a civil monetary penalty is imposed.
While OCR issues fines for HIPAA violations, attorneys general often choose to pursue financial penalties against HIPAA-regulated entities under state laws rather than HIPAA. Actions for violations of state laws tend to be easier to win, and the penalty structure at the state level may even allow higher financial penalties to be issued. Only a handful of states have exercised their right under HIPAA/HITECH to file lawsuits to pursue financial penalties for violations of HIPAA Rules against HIPAA-covered entities and their business associates, although all states have participated in at least one multi-state action.
Penalty Structure for HIPAA Violations

The penalty amounts are adjusted annually to account for cost-of-living increases. The last update, published in the Federal Register on January 28, 2026, applies to all financial penalties imposed after November 2, 2015. The inflation multiplier for 2025 set by the Office of Management and Budget (OMB) was 1.02598.
While OMB states that the multiplier should be applied no later than January 15, 2025, HHS has determined that an exception applies and typically applies the annual increases much later. For instance, the 2025 inflation multiplier was not applied for more than a year.
The current penalties for HIPAA violations in 2026 are detailed in the table below:

| Penalty Tier | Level of Culpability | Minimum Penalty per Violation | Maximum Penalty per Violation | Annual Penalty Limit |
|---|---|---|---|---|
| Tier 1 | Reasonable Efforts | $145 | $73,011 | $2,190,294 |
| Tier 2 | Lack of Oversight | $1,461 | $73,011 | $2,190,294 |
| Tier 3 | Neglect – Rectified within 30 days | $14,602 | $73,011 | $2,190,294 |
| Tier 4 | Neglect – Not Rectified within 30 days | $73,011 | $2,190,294 | $2,190,294 |

*Table last updated on January 28, 2026, and includes the cost-of-living adjustment multiplier for 2025 (1.02598).

While the above table shows the official penalty amounts for HIPAA violations, OCR issued a Notice of Enforcement Discretion in April 2019 stating that the annual penalty limits in three of the penalty tiers would be reduced following a reexamination of the language of the HITECH Act. The cap on the annual penalty limit was changed to $25,000 for Tier 1, $100,000 for Tier 2, and $250,000 for Tier 3.
The maximum annual penalty for Tier 4 remains unchanged at $1,500,000. These caps are also subject to inflation increases. The table below was calculated by the HIPAA Journal, factoring in the annual inflation increases and applying OCR’s Notice of Enforcement Discretion.
The maximum penalty per violation in Tier 1 is higher than the annual cap for that tier, because the Notice of Enforcement Discretion only reduced the annual penalty cap, not the maximum penalty for a single HIPAA violation. This discrepancy could be addressed if the reinterpreted penalty structure is formally adopted through future rulemaking. Until then, the Notice of Enforcement Discretion remains in effect indefinitely; it is not legally binding, however, and OCR can choose to rescind it at any point.
Further rulemaking to officially adopt the reinterpreted requirements of the HITECH Act is unlikely, as OCR is pushing to have Congress increase the penalties for HIPAA violations to make them a more effective deterrent.

| Penalty Tier | Level of Culpability | Minimum Penalty per Violation | Maximum Penalty per Violation | Annual Penalty Cap |
|---|---|---|---|---|
| Tier 1 | Lack of Knowledge | $145 | $36,505.50 | $36,505.50 |
| Tier 2 | Reasonable Cause | $1,461 | $73,011 | $146,053 |
| Tier 3 | Willful Neglect | $14,602 | $73,011 | $365,052 |
| Tier 4 | Willful Neglect (not corrected within 30 days) | $73,011 | $2,190,294 | $2,190,294 |

*Table last updated on January 28, 2026.

State attorneys general can issue fines for HIPAA violations up to a maximum of $25,000 per violation category, per year. These penalties are also subject to annual adjustments for inflation.
Listed below are the HIPAA violation fines and settlements imposed by the HHS’ Office for Civil Rights since the HIPAA Enforcement Rule was signed into law, and enforcement actions by state attorneys general for violations of the HIPAA Rules and equivalent state laws.

2026 HIPAA Violation Fines and Settlements

The HHS’ Office for Civil Rights is continuing with its HIPAA right of access and risk analysis enforcement initiatives, and commenced enforcement of the Part 2 regulations under its newly delegated responsibility on February 16, 2026.
The OCR Director has confirmed that in 2026, OCR will expand its risk analysis enforcement initiative to also include risk management.
Originally published at hipaajournal.com