HIPAA Penalty Tiers Explained: Fines by Tier, Examples, and How to Stay Compliant


Kevin Henry

HIPAA

December 27, 2025


Overview of HIPAA Penalty Tiers

HIPAA civil penalties scale by culpability across four tiers, applied to each violation of the Privacy, Security, Breach Notification, or related Administrative Simplification standards. OCR—the HHS Office for Civil Rights—administers these civil penalties for any HIPAA covered entity or business associate, while the Department of Justice handles criminal enforcement. You can limit exposure by proving diligence (e.g., current risk analysis, sound PHI protection, and signed Business Associate Agreements) and by correcting issues fast once discovered. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/enforcement-process/index.html?utm_source=openai))

  • Tier 1 (No Knowledge): You did not know—and, exercising reasonable diligence, could not have known—of the violation.
  • Tier 2 (Reasonable Cause): A failure occurred despite reasonable care; it was not due to willful neglect.
  • Tier 3 (Willful Neglect, Corrected): Willful neglect existed, but you corrected within the 30-day cure window after discovery.
  • Tier 4 (Willful Neglect, Not Corrected): Willful neglect persisted beyond the cure window.

OCR may impose a corrective action plan (CAP) in settlements, require remediation, and still assess penalties. For severe or repeated violations, it can issue a Notice of Proposed Determination (NPD) and a Final Determination, subject to appeal before an HHS administrative law judge. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/part-160/subpart-D?utm_source=openai))

Penalty Amounts and Annual Adjustments

HHS updates HIPAA civil money penalty (CMP) maximums annually for inflation under 45 CFR part 102. For penalties assessed in 2026, agencies are using the 2025 inflation-adjusted amounts. ([govinfo.gov](https://www.govinfo.gov/content/pkg/FR-2026-01-28/pdf/2026-01688.pdf))

Current per-violation ranges and annual cap (post–Feb. 18, 2009 violations)

  • Tier 1 (No Knowledge): $145–$73,011 per violation; $2,190,294 calendar-year cap for identical provisions. ([govinfo.gov](https://www.govinfo.gov/content/pkg/FR-2026-01-28/pdf/2026-01688.pdf))
  • Tier 2 (Reasonable Cause): $1,461–$73,011 per violation; $2,190,294 annual cap. ([govinfo.gov](https://www.govinfo.gov/content/pkg/FR-2026-01-28/pdf/2026-01688.pdf))
  • Tier 3 (Willful Neglect, Corrected): $14,602–$73,011 per violation; $2,190,294 annual cap. ([govinfo.gov](https://www.govinfo.gov/content/pkg/FR-2026-01-28/pdf/2026-01688.pdf))
  • Tier 4 (Willful Neglect, Not Corrected): $73,011–$2,190,294 per violation; $2,190,294 annual cap. ([govinfo.gov](https://www.govinfo.gov/content/pkg/FR-2026-01-28/pdf/2026-01688.pdf))

Pre–Feb. 18, 2009 violations

  • $198 per violation; $49,848 annual cap (administrative simplification provisions). ([govinfo.gov](https://www.govinfo.gov/content/pkg/FR-2026-01-28/pdf/2026-01688.pdf))

Note: Penalty caps apply per calendar year for “all such violations of an identical provision.” Always confirm the latest figures in HHS’s annual CMP adjustment table before budgeting or responding to an enforcement notice. ([govinfo.gov](https://www.govinfo.gov/content/pkg/FR-2026-01-28/pdf/2026-01688.pdf))


Examples of Violations by Tier

Tier 1 (No Knowledge)

  • A zero‑day exploit compromises a fully patched system despite strong technical safeguards and documented monitoring; you detect and contain it quickly.
  • A business associate with whom you have a current BAA experiences an unforeseeable, promptly remediated incident and you respond per your incident plan.

Tier 2 (Reasonable Cause)

  • A misdirected mailing or fax occurs due to a one‑off addressing error; policies, training, and verification steps exist but failed in this instance.
  • Right of Access delays caused by process gaps with your release‑of‑information vendor; you fix the workflow on discovery.

Tier 3 (Willful Neglect, Corrected)

  • Your risk analysis missed legacy endpoints; after an incident, you encrypt devices, implement MFA, and close gaps within the 30‑day cure period.
  • You had overdue access reviews; once flagged, you immediately disable stale accounts and document the corrective action plan.

Tier 4 (Willful Neglect, Not Corrected)

  • Ignoring repeated warnings to execute Business Associate Agreements for vendors handling ePHI.
  • Declining to implement technical safeguards (e.g., encryption, audit logging, MFA) and failing to remediate after incidents or OCR inquiries.

Criminal Penalties for HIPAA Violations

Separate from civil CMPs, DOJ may prosecute certain wrongful acts under 42 U.S.C. § 1320d‑6. Maximum penalties include: up to $50,000 and 1 year; up to $100,000 and 5 years if under false pretenses; up to $250,000 and 10 years if for commercial advantage, personal gain, or malicious harm. OCR refers potential criminal matters to DOJ. ([uscode.house.gov](https://uscode.house.gov/quicksearch/get.plx?section=1320d-6&title=42&utm_source=openai))

Compliance Strategies to Avoid Penalties

Governance and contracts

Risk analysis and risk management

  • Perform an enterprise‑wide risk analysis at least annually and on major changes; keep a prioritized risk register tied to a remediation plan.
  • Test incident response; document four‑factor breach risk assessments; meet breach notice timelines to individuals, HHS, and media where applicable. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html?utm_source=openai))

Technical safeguards

  • Encrypt ePHI at rest and in transit; require MFA; harden email security; segment networks; maintain immutable, tested backups; and enable audit logging with regular review. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/index.html?utm_source=openai))

Training and monitoring

  • Provide role‑based HIPAA training (including access, breach response, and phishing awareness) and perform periodic access reviews with rapid de‑provisioning.

Enforcement Process and Recent Cases

How OCR enforces

  • Intake: OCR reviews complaints, breach reports, and compliance reviews to determine jurisdiction and open investigations.
  • Investigation: OCR requests information, evaluates safeguards, and may offer technical assistance or seek a voluntary resolution with a corrective action plan.
  • Penalties: Failing informal resolution, OCR may issue an NPD and a Final Determination imposing CMPs; entities can request a hearing before an HHS ALJ. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/enforcement-process/index.html?utm_source=openai))

Key penalty factors OCR weighs

  • Scope and duration of the violation; number of individuals affected; nature and extent of harm; prior compliance history; and financial condition. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/160.408?utm_source=openai))

Recent cases to watch

  • Warby Parker (Feb. 20, 2025): $1.5M CMP after credential‑stuffing incidents and Security Rule failures; underscores risk analysis and audit control gaps. ([hhs.gov](https://www.hhs.gov/about/news/2025/02/20/hhs-imposes-1500000-penalty-against-warby-parker-hipaa-hacking.html))
  • Oregon Health & Science University (Mar. 6, 2025): $200K CMP for Right of Access delays; access obligations extend to personal representatives. ([hhs.gov](https://www.hhs.gov/about/news/2025/03/06/hhs-office-civil-rights-imposes-200000-penalty-against-oregon-health-science-university-failure-provide-timely-access-patient-records.html))
  • PIH Health (Jan. 28, 2025): $600K settlement and CAP following a phishing breach; highlights timely breach notification and ePHI monitoring. ([hhs.gov](https://www.hhs.gov/sites/default/files/ocr-hipaa-racap-pih.pdf))
  • Four ransomware settlements (Apr. 23, 2026): OCR resolved four investigations totaling about $1.165M, emphasizing enterprise‑wide risk analysis and basic Security Rule controls. ([hhs.gov](https://www.hhs.gov/press-room/ocr-settles-four-ransomware-investigations.html?utm_source=openai))

Risk Mitigation and Whistleblower Protections

HIPAA prohibits intimidation or retaliation against anyone exercising HIPAA rights, assisting OCR, or opposing unlawful practices in good faith. Build clear, confidential reporting channels; investigate promptly; and document non‑retaliation. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/160.316?utm_source=openai))

HIPAA’s whistleblower provision also permits limited disclosures of PHI to a health oversight agency, public health authority, appropriate accreditor, or a workforce member’s attorney when reporting misconduct, provided disclosures follow 45 CFR 164.502(j). Train managers on these guardrails and keep disclosures no broader than necessary. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/164.502?utm_source=openai))

Conclusion

HIPAA penalty tiers align fines to fault—rising from “no knowledge” to “willful neglect.” The 2025 inflation‑adjusted CMP ranges remain in effect for 2026, and OCR’s recent actions show sustained focus on risk analysis, Right of Access, and ransomware readiness. If you maintain a living risk analysis, strengthen technical safeguards, keep BAAs current, and respond quickly with a durable corrective action plan, you materially reduce both the likelihood and the cost of enforcement. ([govinfo.gov](https://www.govinfo.gov/content/pkg/FR-2026-01-28/pdf/2026-01688.pdf))

FAQs

What are the different HIPAA penalty tiers?

Four tiers apply: (1) No Knowledge; (2) Reasonable Cause; (3) Willful Neglect that’s corrected within 30 days; and (4) Willful Neglect not corrected. Penalties are per violation and subject to an annual cap for identical provisions. ([govinfo.gov](https://www.govinfo.gov/content/pkg/FR-2026-01-28/pdf/2026-01688.pdf))

How are HIPAA fines calculated per violation?

OCR selects a per‑violation amount within the tier’s range and may stack violations where facts support it. It weighs factors such as scope, duration, harm, prior compliance, and financial condition before setting the final penalty and any corrective action plan. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/160.408?utm_source=openai))

What actions constitute willful neglect under HIPAA?

Willful neglect is a conscious, intentional failure or reckless indifference to HIPAA duties—for example, ignoring known gaps in encryption, skipping risk analysis for years, or refusing to execute Business Associate Agreements. Correcting within 30 days reduces exposure (Tier 3); failing to do so triggers Tier 4 levels. ([govinfo.gov](https://www.govinfo.gov/content/pkg/FR-2026-01-28/pdf/2026-01688.pdf))

How can organizations stay compliant with HIPAA regulations?

Maintain a current enterprise‑wide risk analysis and remediation plan; enforce technical safeguards like encryption, MFA, and logging; keep BAAs updated; train your workforce; and operationalize Right of Access and breach reporting timelines. These steps, combined with vigilant vendor oversight and tested incident response, demonstrate diligence if OCR investigates. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html?utm_source=openai))
