HIPAA Penalties Are Increasing: New Fine Amounts and How to Stay Compliant

Kevin Henry

HIPAA

February 04, 2026

5-minute read

HIPAA Penalty Structure

HIPAA’s Enforcement Rule uses four HIPAA violation tiers tied to the organization’s level of culpability, with inflation‑adjusted minimum and maximum fines per violation and an annual cap per identical requirement or prohibition. The Office for Civil Rights (OCR) considers factors such as the nature and extent of the violation, number of individuals affected, and prior compliance history when setting the amount. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/special-topics/enforcement-rule/index.html?utm_source=openai))

The four HIPAA violation tiers

  • Tier 1: No knowledge—violations the entity did not know about and could not have known with reasonable diligence.
  • Tier 2: Reasonable cause—violations due to reasonable cause and not willful neglect.
  • Tier 3: Willful neglect, corrected within 30 days—violations due to willful neglect but corrected in the required time.
  • Tier 4: Willful neglect, not corrected—violations due to willful neglect and not corrected in the required time.

The 2026 figures below apply to penalties assessed on or after January 28, 2026 for violations occurring on or after November 2, 2015. ([govinfo.gov](https://www.govinfo.gov/content/pkg/FR-2026-01-28/pdf/2026-01688.pdf))

Tier 1 Penalties

For Tier 1 (no knowledge), the new fine amounts are:

  • Minimum per violation: $145
  • Maximum per violation: $73,011
  • Annual cap (per identical provision): $2,190,294

Maintaining documented “reasonable diligence” (for example, through sound HIPAA risk analysis requirements and HIPAA security rule compliance) helps keep incidents in this lowest culpability tier. ([govinfo.gov](https://www.govinfo.gov/content/pkg/FR-2026-01-28/pdf/2026-01688.pdf))

Tier 2 Penalties

For Tier 2 (reasonable cause), the new fine amounts are:

  • Minimum per violation: $1,461
  • Maximum per violation: $73,011
  • Annual cap (per identical provision): $2,190,294

Common drivers here include gaps such as incomplete training, unaddressed misconfigurations, or delayed updates—issues you can prevent with disciplined policies, technical controls, and documented HIPAA audit procedures. ([govinfo.gov](https://www.govinfo.gov/content/pkg/FR-2026-01-28/pdf/2026-01688.pdf))

Tier 3 Penalties

For Tier 3 (willful neglect corrected within 30 days), the new fine amounts are:

  • Minimum per violation: $14,602
  • Maximum per violation: $73,011
  • Annual cap (per identical provision): $2,190,294

Rapid remediation, prompt notice, and a written HIPAA corrective action plan can keep a willful‑neglect finding in Tier 3 rather than escalating to Tier 4. ([govinfo.gov](https://www.govinfo.gov/content/pkg/FR-2026-01-28/pdf/2026-01688.pdf))

Tier 4 Penalties

For Tier 4 (willful neglect not corrected within 30 days), the new fine amounts are:

  • Minimum per violation: $73,011
  • Maximum per violation: $2,190,294
  • Annual cap (per identical provision): $2,190,294

Tier 4 reflects the most serious compliance breakdowns—ignoring known risks or failing to correct them—which bring the steepest exposure. ([govinfo.gov](https://www.govinfo.gov/content/pkg/FR-2026-01-28/pdf/2026-01688.pdf))

Annual Adjustments and Inflation

HHS updates civil monetary penalties annually using the CPI‑U inflation adjustment under the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015. For the 2026 schedule, HHS applied OMB’s 2025 cost‑of‑living multiplier of 1.02598 to the prior amounts and made the new figures effective upon publication on January 28, 2026. ([whitehouse.gov](https://www.whitehouse.gov/wp-content/uploads/2024/12/M-25-02.pdf?utm_source=openai))

Effective dates and scope

The 2026 amounts apply to penalties assessed on or after January 28, 2026, for violations that occurred on or after November 2, 2015. If a violation predates that, earlier schedules may apply. ([govinfo.gov](https://www.govinfo.gov/content/pkg/FR-2026-01-28/pdf/2026-01688.pdf))

Note on OCR’s 2019 enforcement discretion

Although the inflation‑adjusted annual cap shown in the Federal Register is $2,190,294 for each tier, OCR has—since April 2019—exercised enforcement discretion to apply lower annual caps for Tiers 1–3. That policy remains in effect unless and until superseded by rulemaking, so OCR may cap annual penalties for less‑culpable tiers below the published maximum. ([govinfo.gov](https://www.govinfo.gov/content/pkg/FR-2019-04-30/pdf/2019-08530.pdf?utm_source=openai))

Compliance Recommendations for HIPAA

Build a defensible compliance program

  • Perform and document an enterprise‑wide HIPAA risk analysis, update it at least annually and after major changes, and track risk treatment to completion.
  • Strengthen HIPAA security rule compliance: access controls and least privilege, multi‑factor authentication, encryption of ePHI, rapid patching, network segmentation, and continuous audit logging.
  • Document HIPAA audit procedures: periodic access reviews, log review cadence, configuration baselines, and targeted sampling of high‑risk workflows.
  • Right of Access readiness: standardize intake, verification, and fulfillment; enforce timeframes; and monitor turnaround metrics.
  • Third‑party oversight: maintain current business associate agreements, verify safeguards, and map data flows to detect shadow vendors.
  • Workforce training and accountability: role‑based training, phishing simulations, and a graduated sanctions policy.
  • Incident response and breach notification: test playbooks, practice tabletop exercises, and keep decision trees for encryption status and notification triggers.
  • Proactive HIPAA corrective action plans: treat audit findings as a prioritized improvement backlog with owners, budgets, and deadlines.

Key takeaways

HIPAA penalties are rising with inflation, and Tier 4 exposure is substantial. Keep violations in the lower HIPAA violation tiers by proving reasonable diligence, closing risks quickly, and documenting every safeguard, review, and remediation step.

FAQs

What are the new HIPAA penalty amounts?

For penalties assessed on or after January 28, 2026: Tier 1 is $145–$73,011 per violation (annual cap $2,190,294); Tier 2 is $1,461–$73,011 (cap $2,190,294); Tier 3 is $14,602–$73,011 (cap $2,190,294); and Tier 4 is $73,011–$2,190,294 (cap $2,190,294). These are inflation‑adjusted under the latest HHS final rule. ([govinfo.gov](https://www.govinfo.gov/content/pkg/FR-2026-01-28/pdf/2026-01688.pdf))

How often are HIPAA penalties adjusted for inflation?

Annually. OMB issues a CPI‑U‑based multiplier each year (1.02598 for the 2025 cycle), and HHS applies it to update penalty amounts; the 2026 schedule took effect upon publication on January 28, 2026. ([whitehouse.gov](https://www.whitehouse.gov/wp-content/uploads/2024/12/M-25-02.pdf?utm_source=openai))

What steps can organizations take to remain HIPAA compliant?

Conduct a current, documented risk analysis; implement Security Rule safeguards; run disciplined audit procedures; ensure Right of Access timeliness; manage vendors with BAAs and security reviews; train your workforce; and maintain tested incident‑response plans and corrective action plans.

What are the consequences of willful neglect under HIPAA?

Willful neglect that is corrected within 30 days falls in Tier 3 ($14,602–$73,011 per violation; annual cap $2,190,294). Willful neglect not corrected within 30 days is Tier 4, with a minimum of $73,011 per violation, a maximum of $2,190,294 per violation, and a per‑provision annual cap of $2,190,294—the most severe civil exposure. ([govinfo.gov](https://www.govinfo.gov/content/pkg/FR-2026-01-28/pdf/2026-01688.pdf))
