HIPAA Enforcement Fines Explained: Penalty Amounts, Tiers, and Recent OCR Actions


Kevin Henry

HIPAA

March 11, 2024

Overview of HIPAA Violation Penalty Tiers

HIPAA establishes four penalty tiers that scale with culpability. You are fined per violation, and separate caps can apply across “identical” violations within a calendar year. The basic tier definitions live in the HIPAA Enforcement Rule and are applied case-by-case by the HHS Office for Civil Rights (OCR). ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/160.404?utm_source=openai))

Tier 1 — Lack of knowledge

You did not know and, by exercising reasonable diligence, would not have known that a violation occurred. This is the least culpable category under HIPAA penalty tiers. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/160.404?utm_source=openai))

Tier 2 — Reasonable cause

A violation occurred due to reasonable cause and not willful neglect—for example, a process gap despite good-faith efforts to comply. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/160.404?utm_source=openai))

Tier 3 — Willful neglect (corrected within 30 days)

You failed to comply due to willful neglect but corrected the issue within the required 30-day window after discovery. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/160.404?utm_source=openai))

Tier 4 — Willful neglect (not corrected within 30 days)

You failed to comply due to willful neglect and did not correct the issue within 30 days. This tier carries the highest exposure. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/160.404?utm_source=openai))

Current inflation-adjusted ranges

HHS publishes annual, inflation-adjusted minimums, maximums, and calendar-year caps at 45 CFR 102.3. As last codified for 2024, per-violation minimums and maximums range from $141 to $71,162 in Tiers 1–3, and from $71,162 to $2,134,831 in Tier 4; the calendar-year cap shown in the table is $2,134,831. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/102.3?utm_source=openai))

Important: In April 2019, OCR announced an enforcement discretion that revises the annual caps for Tiers 1–3 (from $1.5 million to $25,000, $100,000, and $250,000, respectively), while Tier 4 remains $1.5 million, with all caps subject to annual inflation. OCR has stated it will apply these lower caps, as adjusted for inflation, until it completes rulemaking. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/american-medical-response-npd/index.html))

Annual Penalty Inflation Adjustments

HIPAA civil money penalties adjust each year using an inflation adjustment multiplier tied to CPI-U for October-to-October changes. Agencies apply the multiplier to the prior year’s amounts and round to the nearest dollar. The adjustments are then codified by HHS at 45 CFR 102.3. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/102.3?utm_source=openai))

The 2025 inflation adjustment multiplier

OMB Memorandum M-25-02 set the 2025 multiplier at 1.02598 (i.e., a 2.598% increase based on October 2024 vs. October 2023 CPI-U). Agencies use this factor to update civil penalty schedules for assessments in 2025. ([govinfo.gov](https://www.govinfo.gov/content/pkg/FR-2025-01-29/html/2025-01633.htm?utm_source=openai))

How to interpret the adjusted figures

  • Regulatory tables: The official HHS table (45 CFR 102.3) shows the most recent codified numbers. As of the last update for 2024, HIPAA entries list the $141/$71,162 per-violation range and $2,134,831 calendar-year cap. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/102.3?utm_source=openai))
  • OCR enforcement discretion: For calendar-year caps, OCR’s 2019 enforcement discretion lowers annual caps in Tiers 1–3 (subject to the same annual multiplier), even if the 45 CFR 102.3 table still displays the pre-discretion uniform cap. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/american-medical-response-npd/index.html))

OCR Notice of Enforcement Discretion

2019 cap recalibration for HIPAA penalty tiers

On April 30, 2019, OCR issued a Notification of Enforcement Discretion clarifying that annual penalty caps should reflect culpability. OCR applies lower annual caps for Tiers 1–3 ($25,000, $100,000, and $250,000, respectively), while Tier 4 remains $1.5 million, with all caps indexed for inflation. This discretion remains in effect pending formal rulemaking. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/american-medical-response-npd/index.html))

COVID-19 telehealth discretion (now expired)

During the COVID-19 public health emergency (PHE), OCR announced enforcement discretion for good-faith telehealth uses of non–public-facing tools. The PHE-related Notices of Enforcement Discretion expired at 11:59 p.m. on May 11, 2023, with a 90-day transition through 11:59 p.m. on August 9, 2023, after which standard HIPAA rules again applied. ([downloads.regulations.gov](https://downloads.regulations.gov/HHS-OS-2024-0001-0005/content.htm?utm_source=openai))

Factors Influencing HIPAA Penalty Assessments

OCR calculates fines within a tier by weighing specific factors set in regulation. Understanding these can materially affect your exposure and negotiation posture. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/160.408?utm_source=openai))

Violation duration impact

OCR considers the time period of noncompliance; longer durations generally increase penalties. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/160.408?utm_source=openai))

Data breach severity

OCR weighs the nature and extent of harm, including physical, financial, reputational harm, and whether care was hindered. Larger breach scope and sensitive data types can elevate penalties. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/160.408?utm_source=openai))

Prior violation history

Your history of prior compliance, and how responsive you were to past OCR technical assistance, both matter. Repeat or similar issues are aggravating. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/160.408?utm_source=openai))

Financial condition consideration

OCR may consider your size, financial distress, and whether a penalty would jeopardize your ability to deliver care or continue operations. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/160.408?utm_source=openai))

Other justice factors

OCR can account for corrective actions, cooperation, and any “other matters as justice may require” when setting HIPAA enforcement fines. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/160.408?utm_source=openai))

Summary of Recent OCR Enforcement Actions

OCR’s 2025 activity underscores recurring themes: complete a Security Rule risk analysis, manage third-party risk, meet breach notification timelines, and honor the right of access. Below is a concise snapshot (dates in 2025):

  • Mar 6 — Oregon Health & Science University: $200,000 civil money penalty under the Right of Access initiative. ([hhs.gov](https://www.hhs.gov/press-room/penalty-against-or-health-science-university.html?utm_source=openai))
  • Mar 21 — Health Fitness Corporation (business associate): settlement under OCR’s Risk Analysis Initiative. ([hhs.gov](https://www.hhs.gov/press-room/ocr-settles-hipaa-security-rule-investigation-health-fitness-corporation.html?utm_source=openai))
  • Apr 10 — Northeast Radiology (provider): Security Rule settlement; Risk Analysis Initiative continues. ([hhs.gov](https://www.hhs.gov/press-room/hhs-ocr-hipaa-settlement-nerad.html?utm_source=openai))
  • Apr 17 — Guam Memorial Hospital Authority (public hospital): ransomware-related settlement; OCR’s 11th ransomware action. ([hhs.gov](https://www.hhs.gov/press-room/hhs-ocr-hipaa-recap-gmha.html?utm_source=openai))
  • Apr 23 — PIH Health, Inc.: $600,000 settlement for a phishing breach impacting nearly 200,000 individuals; two-year corrective action plan. ([hhs.gov](https://www.hhs.gov/press-room/ocr-hipaa-racap-pih.html))
  • Apr 25 — Comprehensive Neurology, PC (small practice): ransomware settlement; small entities remain in scope. ([hhs.gov](https://www.hhs.gov/press-room/ocr-hipaa-racap-np.html?utm_source=openai))
  • May 15 — Vision Upright MRI (small provider): PACS server exposure of 21,778 medical images; settlement and corrective action plan. ([hhs.gov](https://www.hhs.gov/press-room/hhs-hipaa-investigate-vum.html?utm_source=openai))
  • May 28 — BayCare Health System (Florida): settlement tied to malicious insider access; Security Rule issues. ([hhs.gov](https://www.hhs.gov/press-room/hhs-ocr-hipaa-agreement-baycare.html?utm_source=openai))
  • May 30 — Comstar, LLC (business associate): ransomware settlement following a breach affecting 585,621 individuals; risk analysis deficiencies cited. ([hhs.gov](https://www.hhs.gov/press-room/hhs-hipaa-comstar-agreement.html))
  • Aug 18 — BST & Co. CPAs, LLP (business associate): ransomware settlement; OCR notes continued focus on third parties. ([hhs.gov](https://www.hhs.gov/press-room/hhs-ocr-bst-hipaa-settlement.html?utm_source=openai))

Key takeaways

  • Maintain a living Security Risk Analysis and risk management plan; many settlements cite gaps here.
  • Monitor business associates closely; several 2025 cases involved third parties handling PHI.
  • Honor access requests and breach notification deadlines; OCR continues targeted enforcement.
  • Expect incremental increases annually due to the inflation adjustment multiplier, and remember OCR’s updated annual caps under its enforcement discretion when scoping exposure. ([govinfo.gov](https://www.govinfo.gov/content/pkg/FR-2025-01-29/html/2025-01633.htm?utm_source=openai))

FAQs

What are the different HIPAA penalty tiers?

There are four culpability-based HIPAA penalty tiers: (1) lack of knowledge; (2) reasonable cause; (3) willful neglect corrected within 30 days; and (4) willful neglect not corrected within 30 days. OCR applies per-violation minimums/maximums and calendar-year caps, adjusted for inflation and subject to OCR’s 2019 enforcement discretion on annual caps. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/160.404?utm_source=openai))

How are annual penalty amounts adjusted for inflation?

Each year, agencies apply an OMB-issued inflation adjustment multiplier (based on October-to-October CPI-U) to the prior year’s penalties and round to the nearest dollar; HHS then codifies the new amounts at 45 CFR 102.3. For 2025, OMB set the multiplier at 1.02598. ([govinfo.gov](https://www.govinfo.gov/content/pkg/FR-2025-01-29/html/2025-01633.htm?utm_source=openai))

What factors does OCR consider when determining fines?

OCR weighs the violation’s nature and extent (including the time period), the nature and extent of harm, your prior violation history and responsiveness, your financial condition (including whether a penalty would jeopardize care), and other justice factors. These directly influence your final fine within the applicable tier. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/160.408?utm_source=openai))

What recent enforcement actions has OCR taken?

In 2025, OCR announced multiple settlements touching ransomware, phishing, insider access, and risk analysis failures—against hospitals, small practices, and business associates alike (e.g., PIH Health, Comstar, Vision Upright MRI, BayCare, Health Fitness, BST & Co., and others). These actions reinforce security risk analysis, vendor oversight, timely notifications, and right-of-access compliance as enforcement priorities. ([hhs.gov](https://www.hhs.gov/press-room/ocr-hipaa-racap-pih.html))
