HIPAA Violation Fine Amounts: Penalties by Tier, Per Violation, and Annual Caps


Kevin Henry

HIPAA

March 26, 2024


Overview of HIPAA Penalty Tiers

HIPAA civil money penalties (CMPs) are assessed by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) based on four levels of culpability. Fines are set per violation and are also subject to annual penalty caps for “identical provisions” within a calendar year. OCR evaluates facts such as knowledge, reasonable diligence, and whether you corrected issues within 30 days. The amounts are codified in 45 CFR 160.404 and adjusted annually at 45 CFR 102.3.

  • Tier 1: Lack of knowledge violation (you could not have known, even with reasonable diligence).
  • Tier 2: Reasonable cause violation (noncompliance despite reasonable cause, but not willful neglect).
  • Tier 3: Willful neglect penalty where the violation is corrected within 30 days.
  • Tier 4: Willful neglect penalty where the violation is not corrected within 30 days.

Since April 2019, OCR has exercised enforcement discretion that lowers the annual caps for Tiers 1–3, while keeping per-violation amounts unchanged. That discretion remains in effect unless superseded by rulemaking. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/160.404?utm_source=openai))

Tier 1 Violation Fines

Tier 1 (lack of knowledge violation): minimum $141 and maximum $71,162 per violation, with an official annual cap of $2,134,831 for identical provisions. Under OCR’s enforcement discretion, the annual cap for Tier 1 is reduced to $35,581 (2024), effectively capping a single Tier 1 penalty at that level. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/102.3?utm_source=openai))

Tier 2 Violation Fines

Tier 2 (reasonable cause violation): minimum $1,424 and maximum $71,162 per violation, with an official annual cap of $2,134,831. OCR’s enforcement discretion lowers the Tier 2 annual cap to $142,355 (2024) for identical provisions within the calendar year. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/102.3?utm_source=openai))

Tier 3 Violation Fines

Tier 3 (willful neglect penalty, corrected within 30 days): minimum $14,232 and maximum $71,162 per violation, with an official annual cap of $2,134,831. Under enforcement discretion, the Tier 3 annual cap is $355,808 (2024) per identical provision category. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/102.3?utm_source=openai))

Tier 4 Violation Fines

Tier 4 (willful neglect penalty, not corrected within 30 days): minimum $71,162 per violation and a maximum of $2,134,831 per violation; the annual cap is also $2,134,831. OCR’s enforcement discretion does not reduce Tier 4 caps. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/102.3?utm_source=openai))

Annual Cap and Inflation Adjustments

HHS applies cost-of-living updates to HIPAA CMPs through an annual rule that updates 45 CFR 102.3. The latest published adjustment (effective August 8, 2024) set the current per-violation and annual caps cited above; it applies to penalties assessed on or after that date for violations occurring on or after November 2, 2015. ([downloads.regulations.gov](https://downloads.regulations.gov/HHS_FRDOC_0001-0954/content.htm?utm_source=openai))

Each year’s increase uses the HIPAA inflation adjustment multiplier issued by OMB. For 2025, OMB set a multiplier of 1.02598; agencies apply it when they issue their annual CMP updates. Until HHS publishes its 2025 update, the August 8, 2024 amounts remain the operative figures. ([regulations.justia.com](https://regulations.justia.com/regulations/fedreg/2025/06/17/2025-10963.html?utm_source=openai))

Remember: official annual penalty caps in 45 CFR 102.3 are distinct from OCR’s enforcement-discretion caps for Tiers 1–3. The latter remain lower (e.g., $35,581; $142,355; and $355,808 for 2024) and are used by OCR when assessing penalties, while Tier 4 retains the full cap. ([hipaajournal.com](https://www.hipaajournal.com/2024-civil-monetary-penalties-hipaa-violations/?utm_source=openai))

State Attorneys General Enforcement

State attorneys general may bring HIPAA actions in federal court to enjoin violations and seek statutory damages on behalf of residents: up to $100 per violation, capped at $25,000 per calendar year for all violations of an identical requirement or prohibition, plus costs and attorney fees. These “state attorney general HIPAA fines” supplement (not replace) OCR enforcement and may be pursued alongside state privacy statutes with their own penalties. ([law.cornell.edu](https://www.law.cornell.edu/uscode/text/42/1320d-5?utm_source=openai))

Bottom line: HIPAA violation fine amounts scale with culpability, are assessed per violation, and are constrained by annual caps that adjust for inflation. OCR’s 2019 discretion lowers annual caps for less culpable tiers, while the most severe Tier 4 keeps the full cap—making timely correction and strong compliance programs your best risk controls. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/pmi-npd/index.html?utm_source=openai))

FAQs

What determines the penalty tier for a HIPAA violation?

The tier hinges on culpability and remediation: whether you knew or reasonably could have known of the violation, whether it stemmed from reasonable cause or willful neglect, and whether you corrected it within 30 days. These criteria drive both per-violation fines and applicable annual caps. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/160.404?utm_source=openai))

How are annual caps on HIPAA fines calculated?

Annual caps apply to “identical provisions” within a calendar year and are set in 45 CFR 102.3, with inflation updates. OCR currently applies lower caps for Tiers 1–3 under its 2019 enforcement discretion, while Tier 4 keeps the full cap. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/102.3?utm_source=openai))

Can state attorneys general impose HIPAA fines?

They can bring civil actions in federal court to obtain statutory damages—up to $100 per violation, capped at $25,000 per identical provision per year—plus injunctive relief and attorney fees. This authority is in addition to, not a substitute for, OCR’s federal enforcement. ([law.cornell.edu](https://www.law.cornell.edu/uscode/text/42/1320d-5?utm_source=openai))

What is enforcement discretion in HIPAA penalty assessments?

It is OCR’s policy choice, announced in 2019, to apply lower annual caps for Tiers 1–3 than those in regulation, aligning caps with the HITECH Act’s tiered structure. The policy remains in effect unless replaced by rulemaking, and the amounts are adjusted annually for inflation. ([mwe.com](https://www.mwe.com/insights/ocr-corrects-past-misinterpretation-of-hipaa-annual-penalty-limits-signaling-potential-relief-for-entities-facing-enforcement/?utm_source=openai))
