Maximum Fine for HIPAA Violation: Comprehensive Compliance Guide and Requirements
Civil Penalties Structure
HIPAA’s civil money penalties follow four HIPAA Tier penalties created by the HITECH Act. OCR enforcement applies these tiers based on culpability and corrective action, and penalty amounts are inflation-adjusted through HHS penalty adjustments. The figures below reflect the most recent published amounts and current enforcement discretion used by OCR in practice. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/160.404?utm_source=openai))
Four tiers at a glance
- Tier 1 – Lack of knowledge: 2024 inflation-adjusted minimum $141; official per‑violation maximum $71,162; under enforcement discretion, the practical annual cap for identical provisions is $35,581 (which effectively caps any single violation at that amount). ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/102.3?utm_source=openai))
- Tier 2 – Reasonable cause: 2024 minimum $1,424; official per‑violation maximum $71,162; enforcement discretion annual cap $142,355. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/102.3?utm_source=openai))
- Tier 3 – Willful neglect, corrected within 30 days: 2024 minimum $14,232; official per‑violation maximum $71,162; enforcement discretion annual cap $355,808. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/102.3?utm_source=openai))
- Tier 4 – Willful neglect, not corrected: 2024 minimum $71,162; maximum per violation $2,134,831; annual cap $2,134,831. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/102.3?utm_source=openai))
OCR announced in April 2019 that, pending rulemaking, it would use lower annual caps for Tiers 1–3 (commonly referred to as enforcement discretion). Thus, “state-of-practice” caps differ from the uniform caps in 45 CFR 102.3. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/american-medical-response-npd/index.html?utm_source=openai))
What is the maximum civil fine now?
For civil penalties, the maximum fine for a HIPAA violation arises in Tier 4: $2,134,831 per violation and per calendar year for identical provisions, for penalties assessed on or after August 8, 2024 (until superseded by HHS’s next annual adjustment). ([downloads.regulations.gov](https://downloads.regulations.gov/HHS_FRDOC_0001-0954/content.htm?utm_source=openai))
Because OCR’s enforcement discretion sets much lower annual caps for Tiers 1–3, the practical ceiling in those tiers is $35,581, $142,355, and $355,808 respectively (2024 values). This approach reflects HITECH Act alignment between culpability and penalty exposure and is commonly applied in OCR enforcement. ([hipaajournal.com](https://www.hipaajournal.com/2024-civil-monetary-penalties-hipaa-violations/?utm_source=openai))
Note: Settlements for PHI breach fines via resolution agreements are negotiated and may not mirror these ceilings; CMPs (civil money penalties) follow the statutory and adjusted limits shown here. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-highlights/2024-april/index.html?utm_source=openai))
Criminal Penalties Overview
Separate from OCR civil penalties, the Department of Justice prosecutes HIPAA crimes under 42 U.S.C. § 1320d‑6. Penalties scale with intent: up to $50,000 and 1 year for simple wrongful disclosure; up to $100,000 and 5 years if under false pretenses; and up to $250,000 and 10 years when for commercial advantage, personal gain, or malicious harm. ([law.cornell.edu](https://www.law.cornell.edu/uscode/text/42/1320d-6?utm_source=openai))
Criminal exposure can apply to employees or individuals as well as organizations and often accompanies other federal offenses when ePHI is misused. ([law.cornell.edu](https://www.law.cornell.edu/uscode/text/42/1320d-6?utm_source=openai))
Enforcement and Compliance Procedures
OCR enforcement starts with complaints, breach reports, or compliance reviews. OCR requests information, analyzes security and privacy controls, and may resolve matters with technical assistance, a resolution agreement with a corrective action plan (CAP), or civil money penalties. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol-edited/index.html?utm_source=openai))
From investigation to penalties
- Letter of Opportunity and review: OCR invites evidence of mitigating factors, affirmative defenses, or waiver grounds before proposing a CMP. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/gulf-coast-pain-consultants-npd/index.html?utm_source=openai))
- Notice of Proposed Determination (NPD): If OCR proposes a CMP, the NPD states findings, legal basis, and the amount, referencing the applicable HIPAA Tier penalties and 45 CFR 160.404. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/160.420?utm_source=openai))
- Right to hearing: The entity has 90 days to request a hearing before an ALJ; otherwise, OCR may impose the CMP. Appeals follow HHS Departmental Appeals Board procedures. ([hhs.gov](https://www.hhs.gov/about/agencies/dab/different-appeals-at-dab/appeals-to-board/guidelines/civil-money/index.html?utm_source=openai))
- Final determination or settlement: Entities may settle via CAPs or pay the CMP; OCR posts notices of final determination. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/pmi-nfd/index.html?utm_source=openai))
OCR enforcement emphasizes risk analysis, access rights, and breach prevention, with recent actions highlighting ransomware preparation and security gaps. ([hhs.gov](https://www.hhs.gov/press-room/ocr-hipaa-racap-np.html?utm_source=openai))
Annual Penalty Adjustments
HHS updates civil penalty amounts annually under the Federal Civil Penalties Inflation Adjustment Act. The 2024 HHS rule (effective August 8, 2024) updated HIPAA CMPs; the adjusted amounts apply to penalties assessed on or after that date for violations occurring on or after November 2, 2015. Current figures appear in 45 CFR 102.3 and serve as the official reference for OCR enforcement. ([downloads.regulations.gov](https://downloads.regulations.gov/HHS_FRDOC_0001-0954/content.htm?utm_source=openai))
In practice, OCR enforcement discretion continues to apply lower annual caps for Tiers 1–3 until HHS completes rulemaking, so organizations should account for both the official adjusted amounts and OCR’s stated approach when assessing risk. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/american-medical-response-npd/index.html?utm_source=openai))
State Attorney General Enforcement
State attorneys general can bring actions for HIPAA violations affecting their residents, seeking injunctions and state-level HIPAA fines. Statutory damages may be up to $100 per violation, capped at $25,000 per calendar year for violations of an identical requirement, with attorneys’ fees at the court’s discretion; state attorneys general must give prior notice to HHS, which may intervene. ([law.cornell.edu](https://www.law.cornell.edu/uscode/text/42/1320d-5?utm_source=openai))
This added layer of enforcement, running alongside OCR’s, means multi‑state PHI breach fines are possible when incidents span jurisdictions. ([law.cornell.edu](https://www.law.cornell.edu/uscode/text/42/1320d-5?utm_source=openai))
Penalty Calculation Factors
OCR tailors penalties using factors codified at 45 CFR 160.408, ensuring proportionality. Key considerations include the number of individuals affected and the duration of noncompliance; the nature and extent of resulting harm (physical, financial, reputational, or hindering care); prior compliance history and response to OCR technical assistance; financial condition and size; and any other matters as justice requires. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/160.408?utm_source=openai))
OCR decisions and NPDs routinely discuss these factors when setting penalty amounts or evaluating mitigation claims. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/gulf-coast-pain-consultants-npd/index.html?utm_source=openai))
Compliance Best Practices
To minimize exposure to civil penalties and criminal risk—and to demonstrate good‑faith compliance in any OCR enforcement—you should build a security and privacy program that aligns with HIPAA and recognized security practices.
Essentials to reduce risk and fines
- Perform and refresh an enterprise‑wide risk analysis; maintain a risk management plan with documented remediation timelines. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/guidance/guidance-risk-analysis/index.html?utm_source=openai))
- Adopt “recognized security practices” (e.g., NIST CSF, 405(d) HICP) for at least 12 months; OCR must consider this in HIPAA Security Rule investigations, which can mitigate OCR enforcement outcomes. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/hitech-rfi/index.html?utm_source=openai))
- Harden access controls and audit trails; enforce minimum necessary, robust authentication, encryption of ePHI, and rapid patching.
- Strengthen vendor oversight: BAAs, security due diligence, and continuous monitoring for business associates handling PHI.
- Be breach‑ready: an incident response plan, tested backups, user training against phishing, and timely breach notification workflows to limit PHI breach fines.
- Protect patient rights: access rights (right‑of‑access timeliness) and fee compliance are frequent OCR enforcement areas. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-highlights/2024-april/index.html?utm_source=openai))
Conclusion
The maximum fine for HIPAA violation depends on culpability, inflation‑adjusted limits, and OCR’s enforcement discretion. Tier 4 remains the highest civil exposure at $2,134,831 per violation and per year (2024 values), while Tiers 1–3 follow lower practical caps. Sound governance, documented controls, and HITECH Act alignment with recognized security practices measurably reduce both risk and penalties. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/102.3?utm_source=openai))
FAQs
What are the maximum civil fines for HIPAA violations?
The top civil exposure is Tier 4 (willful neglect not corrected): $2,134,831 per violation and per calendar year for identical provisions, for penalties assessed on or after August 8, 2024. OCR also applies lower annual caps under enforcement discretion to Tiers 1–3—$35,581, $142,355, and $355,808 respectively—until HHS completes rulemaking. ([downloads.regulations.gov](https://downloads.regulations.gov/HHS_FRDOC_0001-0954/content.htm?utm_source=openai))
How are criminal penalties determined under HIPAA?
Criminal penalties depend on intent: up to $50,000/1 year for simple wrongful disclosure; up to $100,000/5 years if under false pretenses; and up to $250,000/10 years when for commercial advantage, personal gain, or malicious harm. DOJ prosecutes these offenses under 42 U.S.C. § 1320d‑6. ([law.cornell.edu](https://www.law.cornell.edu/uscode/text/42/1320d-6?utm_source=openai))
What factors influence the calculation of HIPAA penalties?
OCR weighs the nature and duration of the violation, number of individuals affected, the nature and extent of harm, prior compliance history and response to OCR guidance, and financial condition/size, plus other justice‑based factors, under 45 CFR 160.408. Demonstrating recognized security practices can also influence outcomes in Security Rule matters. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/160.408?utm_source=openai))
How do state attorneys general enforce HIPAA fines?
Under HITECH § 13410(e), state attorneys general may sue in federal court to enjoin violations and obtain statutory damages up to $100 per violation, capped at $25,000 per calendar year for identical provisions, with notice to HHS, which may intervene. These actions can run alongside OCR enforcement, especially in multi‑state incidents. ([law.cornell.edu](https://www.law.cornell.edu/uscode/text/42/1320d-5?utm_source=openai))