HIPAA Penalties: Maximum Civil and Criminal Fines Explained with Examples
Understanding HIPAA penalties helps you weigh risk, prioritize safeguards, and respond decisively when incidents occur. This guide explains the tiered civil penalties, criminal fine ranges and imprisonment, how HHS OCR enforcement works, and how penalty amounts are assessed and adjusted each year.
You’ll also see practical, numbers-based examples that show how annual penalty caps and willful neglect violations can quickly escalate exposure, plus steps that meaningfully reduce risk.
Civil Penalties Tiered System
How the tiers work
HIPAA uses tiered civil penalties that scale with culpability. Each violation carries a per-violation dollar amount, set within the range for its tier, and each tier carries a calendar-year cap for identical violations. The tiers are:
- Tier 1 — No Knowledge: You did not know, and by exercising reasonable diligence would not have known, of the violation.
- Tier 2 — Reasonable Cause: There was a violation despite reasonable cause, but not willful neglect.
- Tier 3 — Willful Neglect, Corrected: Willful neglect occurred, but you corrected it within the required timeframe.
- Tier 4 — Willful Neglect, Not Corrected: Willful neglect occurred and you failed to correct in time. These willful neglect violations trigger the highest penalties.
Core dollar framework
By statute, per-violation amounts start at a tier-specific minimum (baseline $100 for Tier 1, $1,000 for Tier 2, $10,000 for Tier 3, and $50,000 for Tier 4) and run up to $50,000 per violation in every tier. Each tier also has an annual cap for identical violations: the statutory cap is $1,500,000 per calendar year, and HHS has used enforcement discretion to apply lower caps to the first three tiers. All of these figures are subject to the Penalty Inflation Adjustment each year, so the current-year amounts are higher than the baseline figures quoted here.
How fines add up
- Each day a violation persists can count as a separate violation.
- “Identical violations” (e.g., the same provision violated repeatedly) aggregate toward the annual cap.
- OCR may resolve matters via settlement or corrective action plan; formal civil monetary penalties (CMPs) follow the tiered schedule.
Example
A business associate misconfigures a cloud bucket, exposing ePHI for 20 days. OCR finds Tier 2 (reasonable cause). If OCR assigns a mid-range per-violation figure and counts each day as one violation, the total can climb rapidly but cannot exceed the Tier 2 annual cap for identical violations. If the entity had ignored warnings and failed to fix the issue, OCR could classify it as Tier 4 and apply the highest annual cap.
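The arithmetic behind the bullets and the bucket example above, worked as an added illustration; this is not OCR's assessment method or any tool the page describes. It assumes the baseline per-violation minimums ($100 / $1,000 / $10,000 / $50,000) and the per-tier annual caps from HHS's 2019 enforcement-discretion notice ($25,000 / $100,000 / $250,000 / $1,500,000), all before inflation adjustment, and takes a scaling factor so you can plug in the current-year schedule. The provision labels, dates and the 40-day Tier 4 variant are constructed.

```python
"""Illustrative civil-penalty exposure model for the tiered HIPAA schedule.

Added example, not OCR's assessment method. Dollar figures are the statutory
baseline per-violation minimums and the per-tier annual caps from HHS's 2019
enforcement-discretion notice, before annual inflation adjustment (an
assumption; use the current-year schedule in practice).
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# tier -> (per-violation minimum, per-violation maximum, annual cap for
# identical violations), all in baseline dollars.
TIER_SCHEDULE = {
    1: (100, 50_000, 25_000),        # no knowledge
    2: (1_000, 50_000, 100_000),     # reasonable cause
    3: (10_000, 50_000, 250_000),    # willful neglect, corrected
    4: (50_000, 50_000, 1_500_000),  # willful neglect, not corrected
}


@dataclass(frozen=True)
class Violation:
    provision: str  # provision violated; same provision == "identical" violation
    tier: int       # culpability tier, 1..4
    start: date     # first day the violation existed
    end: date       # last day, inclusive; each day counts as one violation
    per_violation: Optional[int] = None  # amount assigned; None = tier minimum


def days_by_year(start: date, end: date) -> dict[int, int]:
    """Count the days in [start, end] falling in each calendar year."""
    if end < start:
        raise ValueError("end precedes start")
    counts: dict[int, int] = defaultdict(int)
    day = start
    while day <= end:
        # Count through the earlier of `end` and Dec 31 of the current year,
        # then continue from Jan 1 of the next year.
        year_end = min(end, date(day.year, 12, 31))
        counts[day.year] += (year_end - day).days + 1
        day = year_end + timedelta(days=1)
    return dict(counts)


def exposure(violations: list[Violation], inflation_factor: float = 1.0):
    """Return ({(year, provision): capped total}, grand total).

    Identical violations (same provision) aggregate toward one cap per
    calendar year. If different tiers were assigned to the same provision in
    the same year, the cap of the highest tier applies (modelling assumption).
    """
    raw: dict[tuple[int, str], int] = defaultdict(int)
    tier_for: dict[tuple[int, str], int] = {}
    for v in violations:
        low, high, _cap = TIER_SCHEDULE[v.tier]
        amount = low if v.per_violation is None else v.per_violation
        if not low <= amount <= high:
            raise ValueError(f"${amount} is outside tier {v.tier} range ${low}-${high}")
        amount = round(amount * inflation_factor)
        for year, days in days_by_year(v.start, v.end).items():
            key = (year, v.provision)
            raw[key] += days * amount
            tier_for[key] = max(tier_for.get(key, 0), v.tier)
    capped = {}
    for key, total in raw.items():
        cap = round(TIER_SCHEDULE[tier_for[key]][2] * inflation_factor)
        capped[key] = min(total, cap)
    return capped, sum(capped.values())


if __name__ == "__main__":
    # Constructed scenario mirroring the page's example: a misconfigured
    # bucket exposes ePHI for 20 days, found to be Tier 2 at the tier minimum.
    bucket = Violation("storage access control", 2, date(2024, 3, 1), date(2024, 3, 20))
    print(exposure([bucket]))  # 20 x $1,000 = $20,000, under the $100,000 cap
    # Same facts, but warnings ignored and never fixed: Tier 4 for 40 days.
    ignored = Violation("storage access control", 4, date(2024, 3, 1), date(2024, 4, 9))
    print(exposure([ignored]))  # 40 x $50,000 = $2,000,000, capped at $1,500,000
```

Two things the model makes visible that the prose does not: a violation that straddles December 31 is counted against two separate annual caps, and a cap only binds per provision, so several distinct provisions violated over the same window each carry their own cap. What it deliberately leaves out is OCR's choice of the per-violation amount within the tier range, which depends on the mitigating and aggravating factors discussed later on this page.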
Criminal Penalties and Imprisonment
Criminal fine ranges
Separate from civil CMPs, the Department of Justice enforces criminal provisions where conduct crosses into intentional misuse of PHI. Criminal Fine Ranges and imprisonment terms depend on intent:
- Knowingly obtaining or disclosing PHI in violation of HIPAA: up to $50,000 and up to 1 year in prison.
- Under false pretenses: up to $100,000 and up to 5 years in prison.
- With intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm: up to $250,000 and up to 10 years in prison.
Example
A workforce member accesses patient records without authorization and sells them to a third party. Because the intent is commercial gain, prosecutors may charge the highest tier, exposing the individual to up to $250,000 in fines and up to 10 years’ imprisonment.
Penalty Assessment Process
From incident to outcome
- Trigger: A complaint, breach report, audit, or compliance review prompts OCR’s inquiry.
- Investigation: OCR requests documents, interviews witnesses, and analyzes safeguards, policies, training, and technical controls.
- Findings: OCR applies the tiered framework and evaluates aggravating/mitigating factors to determine per-violation amounts and Annual Penalty Caps.
- Resolution: Many matters end with voluntary compliance, a Corrective Action Plan (CAP), and monitoring. If unresolved, OCR issues a Notice of Proposed Determination and may impose a CMP after administrative process.
- Appeals: Entities can request a hearing before an administrative law judge and appeal within HHS.
Example
Following a ransomware incident affecting 12,000 records, OCR reviews risk analysis, patching cadence, MFA deployment, and incident response. Strong documentation, rapid containment, and timely breach notification can shift the outcome from higher-tier penalties to a CAP with lower financial exposure.
Mitigating Factors in Penalties
What reduces exposure
- Timely correction: If a violation is not due to willful neglect and is corrected within 30 days of the date the entity knew (or, exercising reasonable diligence, should have known) of it, the statute bars OCR from imposing a CMP; OCR can extend that window at its discretion.
- Scope and duration: Fewer individuals affected and shorter exposure windows reduce per-violation amounts.
- Harm: Limited clinical, financial, or reputational harm mitigates penalties.
- History and culture: A strong compliance program, prior clean history, and demonstrable reasonable diligence weigh in your favor.
- Financial condition: OCR may consider ability to pay when setting CMPs.
Example
A clinic discovers a misdirected mailing, self-reports within days, documents staff retraining, and tightens address-verification controls. Because the issue was not willful neglect and was promptly corrected, OCR may resolve it with technical assistance or a modest settlement rather than a formal CMP.
Enforcement Discretion by HHS
HHS has exercised Enforcement Discretion to align penalties with culpability and to promote good-faith compliance. Notably, in 2019 OCR announced tier-specific annual caps for HIPAA CMPs: $25,000 for Tier 1, $100,000 for Tier 2, $250,000 for Tier 3, and the statutory $1,500,000 for Tier 4 (willful neglect not corrected), all before inflation adjustment. OCR has also, at times, announced temporary enforcement discretion during declared emergencies to prioritize access to care while still expecting reasonable safeguards.
Enforcement discretion is not a waiver of HIPAA. It adjusts how HHS OCR enforcement prioritizes and caps penalties, especially where entities act in good faith and remediate quickly.
Annual Penalty Adjustments
Under the federal Penalty Inflation Adjustment framework, HIPAA civil penalty amounts (per-violation minimums and maximums and the annual caps) are updated each year to account for inflation. New amounts typically take effect early in the calendar year and apply to penalties assessed after the effective date.
- Plan and budget using the current-year schedule; do not assume last year’s dollar amounts still apply.
- Document in investigations and board materials which year’s schedule you used, since Annual Penalty Caps increase over time.
- Update policies, training, and risk analyses to reflect rising financial exposure.
Example
After a January update, the adjusted per-violation amounts and the annual caps both increase. An entity facing 40 identical Tier 2 violations therefore faces a higher dollar total for the same fact pattern than it would have the prior year, and if the count is large enough to reach the cap, the cap it reaches is itself higher.
Enforcement Agencies and Compliance Importance
Who enforces what
- HHS OCR Enforcement: Investigates complaints, breach reports, and compliance reviews; negotiates settlements and CAPs; imposes CMPs when necessary.
- Department of Justice: Prosecutes criminal HIPAA cases involving knowing misuse of PHI.
- State Attorneys General: May bring civil actions to protect residents’ privacy and security under HIPAA and state law.
Why compliance pays
Robust governance cuts risk across all tiers. Prioritize an enterprise-wide risk analysis, encryption and access controls, audit logging, workforce training, vendor due diligence and business associate agreements, and a rehearsed incident response plan. These measures lower the likelihood of violations and position you for a more favorable outcome if OCR investigates.
FAQs
What is the maximum civil fine for a HIPAA violation?
The civil framework allows up to $50,000 per violation, with an annual penalty cap up to $1,500,000 for identical violations in the highest tier (willful neglect not corrected). Because of the Penalty Inflation Adjustment, current-year caps and per-violation amounts may be higher than these baseline figures.
What are the criminal penalties for HIPAA violations?
Criminal penalties depend on intent: up to $50,000 and 1 year for knowing violations; up to $100,000 and 5 years for false pretenses; and up to $250,000 and 10 years when done for commercial advantage, personal gain, or malicious harm. These apply to individuals who knowingly misuse PHI.
How does enforcement discretion affect penalties?
HHS OCR’s enforcement discretion aligns Annual Penalty Caps with culpability—lower caps for less blameworthy conduct and the highest cap for willful neglect not corrected—and may prioritize education and corrective action where entities act in good faith. Discretion does not eliminate liability; it shapes how OCR assesses and caps penalties.
How are HIPAA penalties calculated?
OCR selects a tier based on culpability, sets a per-violation amount within that tier’s range, and applies the calendar-year cap for identical violations. The total reflects factors like scope, duration, harm, remediation speed, history, and financial condition, then is adjusted for the current year’s inflation schedule.