What’s the Fine for a HIPAA Violation? Civil and Criminal Penalties, Tiers, and Examples
Understanding what triggers a HIPAA civil monetary penalty—and how high fines can go—helps you manage risk before an incident happens. Below, you’ll find the HIPAA violation tier system, criminal prosecution under HIPAA, real-world examples, and the procedures that drive HIPAA enforcement actions.
Civil Penalty Tiers and Amounts
HIPAA’s civil penalties are organized into four tiers that reflect the organization’s level of culpability. Amounts are set by statute and adjusted annually for inflation. In 2019, the government also announced lower annual caps for the first three tiers, commonly referenced in OCR guidance; those caps, like per‑violation amounts, are subject to yearly inflation updates.
Tier 1 — Lack of Knowledge
- Standard: You did not know and, by exercising reasonable diligence, would not have known a violation occurred.
- Amount: Minimum $100 up to $50,000 per violation (inflation‑adjusted).
- Annual cap: Commonly applied at $25,000 for identical violations in a year (inflation‑adjusted).
Tier 2 — Reasonable Cause
- Standard: The violation was due to reasonable cause: a failure that occurred despite reasonable diligence, but that does not rise to willful neglect.
- Amount: Minimum $1,000 up to $50,000 per violation (inflation‑adjusted).
- Annual cap: Commonly applied at $100,000 for identical violations in a year (inflation‑adjusted).
Tier 3 — Willful Neglect (Corrected)
- Standard: Willful neglect that is corrected within the required timeframe (generally within 30 days of discovery, or of when you should have known).
- Amount: Minimum $10,000 up to $50,000 per violation (inflation‑adjusted).
- Annual cap: Commonly applied at $250,000 for identical violations in a year (inflation‑adjusted).
Tier 4 — Willful Neglect (Not Corrected)
- Standard: Willful neglect that is not corrected within the required timeframe.
- Amount: $50,000 per violation (inflation‑adjusted maximums apply).
- Annual cap: Traditionally $1,500,000 for identical violations in a year (inflation‑adjusted).
Key notes on the HIPAA violation tier system: Fines accrue per violation and may stack across multiple requirements (e.g., risk analysis, access controls, breach notification). OCR weighs factors like harm, duration, size of the entity, and mitigation when setting the final HIPAA civil monetary penalty.
Criminal Penalties and Imprisonment Terms
Some misconduct crosses the line into criminal prosecution under HIPAA. The Department of Justice pursues these cases, often alongside other federal crimes (e.g., wire fraud, identity theft). Criminal penalties can include:
- Knowing wrongful disclosure or acquisition: Up to $50,000 in fines and up to 1 year in prison.
- Offenses under false pretenses: Up to $100,000 and up to 5 years in prison.
- Offenses for commercial advantage, personal gain, or malicious harm: Up to $250,000 and up to 10 years in prison.
Criminal exposure typically involves intentional misuse of PHI—such as selling patient data or deliberately snooping for personal benefit—rather than accidental lapses.
Classification of HIPAA Violations
Civil vs. Criminal
Civil violations center on failures to meet Privacy, Security, or Breach Notification Rule requirements (e.g., risk analysis, encryption, policies, workforce training). Criminal violations require knowing wrongful conduct and are prosecuted by DOJ.
How OCR Assigns Tiers
- Lack of knowledge: You had no reasonable way to know of the noncompliance.
- Reasonable cause: You should have known with reasonable diligence, but conduct wasn’t willful neglect.
- Willful neglect (corrected): Conscious, intentional failure or reckless indifference, but corrected within 30 days.
- Willful neglect (not corrected): Same as above, and not fixed within 30 days—this triggers the highest penalties.
Evidence of proactive safeguards, prompt remediation, and mature security practices weighs heavily in tier placement and penalty amounts.
Examples of HIPAA Violation Cases
- Anthem (2018): $16 million settlement after a cyberattack exposed tens of millions of records; OCR cited inadequate risk management and monitoring.
- Premera Blue Cross (2020): $6.85 million settlement tied to a multi‑year intrusion; deficiencies in risk analysis and audit controls were central issues.
- Memorial Healthcare System (2017): $5.5 million settlement for improper access via former employee credentials; OCR emphasized access control failures.
- University of Rochester Medical Center (2019): $3 million settlement for lost unencrypted devices; encryption and risk analysis gaps were key.
- Excellus Health Plan (2021): $5.1 million settlement related to a hacking incident; OCR cited risk management and activity review shortcomings.
These HIPAA enforcement actions show how repeated or systemic control failures, delayed remediation, and weak monitoring push penalties higher.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Compliance and Correction Timeframes
30‑Day Correction Window
For willful neglect, OCR must impose a penalty, but timely correction matters. If you fix the violation within 30 days of discovery (or when you should have known), you generally fall into the “corrected” tier rather than the highest tier.
60‑Day Breach Notifications
After discovering a breach of unsecured PHI, notify affected individuals without unreasonable delay and no later than 60 calendar days. For incidents involving 500+ individuals, notify HHS and, in many cases, local media within the same timeframe. For fewer than 500, report to HHS no later than 60 days after the end of the calendar year.
Mitigation and Recognized Security Practices
Demonstrating mitigation (e.g., rapid containment, offering protection services) and maintaining “recognized security practices” for at least 12 months before the incident can significantly reduce penalty exposure and the length of any corrective action plan.
Annual Caps on Fines
Annual caps apply per covered entity or business associate, per calendar year, for violations of an identical requirement or prohibition. While per‑violation penalties can stack, caps limit total exposure within a category. Under commonly applied caps, Tiers 1–3 have substantially lower annual limits than Tier 4; all tiers are adjusted annually for inflation.
Enforcement and Reporting Procedures
How OCR Enforcement Works
- Complaint or breach report triggers intake and preliminary review.
- OCR may open a formal investigation, request documents, interview staff, and assess safeguards.
- Outcomes include technical assistance, a voluntary resolution agreement and corrective action plan, a civil monetary penalty, or referral to DOJ for criminal prosecution.
Where and When to Report
- Individuals can file complaints with OCR, typically within 180 days of when they knew (or should have known) about the violation.
- Covered entities and business associates must document risk assessments and breach notifications, retain records for six years, and use the HHS breach portal for required reporting.
Timely self‑reporting, transparency, and cooperation with investigators often influence tiering and the final penalty amount.
Bottom line: The size of a HIPAA civil monetary penalty turns on culpability, timeliness of correction, and the strength of your safeguards. Building and proving a mature security and privacy program is the most reliable way to keep HIPAA penalty caps—and your risk—low.
FAQs
What is the maximum fine for a HIPAA violation?
Civil penalties can reach $50,000 per violation, with annual caps that range from tens of thousands of dollars to $1.5 million for identical violations in a year, subject to annual inflation adjustments. In criminal cases, fines can reach $250,000 plus imprisonment, with additional penalties possible under other federal laws.
How are HIPAA violations classified into tiers?
OCR uses four tiers based on culpability: lack of knowledge; reasonable cause; willful neglect corrected within 30 days; and willful neglect not corrected. Higher culpability and slower remediation place you in higher tiers with larger penalties.
What criminal penalties apply for HIPAA violations?
Knowing wrongful disclosure or acquisition can bring up to $50,000 and 1 year in prison; offenses under false pretenses up to $100,000 and 5 years; and offenses for commercial advantage, personal gain, or malicious harm up to $250,000 and 10 years. Other federal crimes may add further penalties.
Can fines be reduced if violations are corrected promptly?
Yes. Correcting violations within 30 days, demonstrating reasonable cause instead of willful neglect, cooperating with OCR, and showing recognized security practices can all reduce penalties and the likelihood of the highest HIPAA penalty caps applying.