What’s the Max Penalty for a HIPAA Violation? Fines and Jail Time Explained
Civil Penalties for HIPAA Violations
HIPAA civil monetary penalties are assessed by HHS’s Office for Civil Rights (OCR) and scale with culpability and corrective action. On January 28, 2026, HHS published the 2025 cost-of-living adjustments to these penalties; the adjusted amounts apply to penalties assessed on or after that publication date for violations that occurred on or after November 2, 2015.
Current inflation-adjusted amounts (effective January 28, 2026)
- Tier 1 — Lack of knowledge: $145 to $73,011 per violation; calendar‑year cap $2,190,294.
- Tier 2 — Reasonable cause (not willful neglect): $1,461 to $73,011 per violation; calendar‑year cap $2,190,294.
- Tier 3 — Willful neglect, corrected within 30 days: $14,602 to $73,011 per violation; calendar‑year cap $2,190,294.
- Tier 4 — Willful neglect, not corrected within 30 days: at least $73,011 per violation; maximum penalty for a single violation and the calendar‑year cap are both $2,190,294.
These amounts are published in 45 CFR part 102’s annual penalty table, which implements the Federal Civil Penalties Inflation Adjustment Act. ([regulations.justia.com](https://regulations.justia.com/regulations/fedreg/2026/01/28/2026-01688.html))
How OCR applies caps in practice (2019 enforcement discretion)
Under OCR’s 2019 Notice of Enforcement Discretion, the annual caps for Tiers 1–3 are lower than those in the regulatory table above (and are inflation‑adjusted each year). In practice, this means the effective maximum for any single violation in these tiers cannot exceed the applicable annual cap. OCR has cited the 2019 notice in recent enforcement documents and applies it when calculating penalties.
- Indicative 2025 caps used by OCR: Tier 1 ≈ $36,505.50; Tier 2 ≈ $146,053; Tier 3 ≈ $365,052; Tier 4 cap remains $2,190,294 (subject to future rulemaking). ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/pmi-npd/index.html?utm_source=openai))
Regulatory text in 45 CFR 160.404 still sets the tier structure and base limits; the annual table in 45 CFR part 102 provides the current, inflation‑adjusted amounts. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/160.404?utm_source=openai))
Criminal Penalties and Imprisonment
Criminal HIPAA violations are prosecuted by the Department of Justice (DOJ). Penalties depend on intent: up to one year in prison (and fines up to $50,000) for basic offenses; up to five years (and up to $100,000) for offenses under false pretenses; and up to ten years (and up to $250,000) for offenses committed for personal gain, commercial advantage, or malicious harm. ([law.cornell.edu](https://www.law.cornell.edu/uscode/text/42/1320d-6?utm_source=openai))
Penalty Tiers and Severity Levels
HIPAA’s penalty tier classification aligns consequences with culpability and remediation speed. Understanding where your incident fits helps you gauge risk and prioritize corrective action.
Tier 1 — Lack of knowledge
You did not know, and by exercising reasonable diligence would not have known, of the violation. Penalties start low and may be waived entirely if you correct promptly and meet the criteria for certain defenses.
Tier 2 — Reasonable cause
There was a failure to comply, but it was due to reasonable cause and not willful neglect. OCR often emphasizes gaps such as incomplete risk analysis, access reviews, or vendor oversight in this tier.
Tier 3 — Willful neglect, corrected
There was conscious or reckless disregard of the rules, but you fully corrected the issue within 30 days of when you knew (or should have known) about it. Expect materially higher exposure than Tiers 1–2.
Tier 4 — Willful neglect, not corrected
There was willful neglect and no timely correction. This tier carries the highest per‑violation exposure and the highest calendar‑year cap.
State-Level Penalties and Enforcement
State attorneys general can bring civil actions on behalf of residents for HIPAA violations, seeking injunctions and statutory damages. By statute, these damages are up to $100 per violation with a $25,000 cap per identical requirement per calendar year, separate from any federal OCR action. States may also pair these actions with their own health privacy or consumer protection laws, which can add penalties or private rights of action. ([law.cornell.edu](https://www.law.cornell.edu/uscode/text/42/1320d-5?utm_source=openai))
Enforcement Discretion and Penalty Reductions
OCR can reduce penalties based on factors such as the nature and extent of the violation, number of individuals affected, duration, harm, your prior history, and financial condition. Since 2019, OCR’s enforcement discretion has lowered annual caps for less‑culpable tiers, as noted above. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/pmi-npd/index.html?utm_source=openai))
Additionally, Congress directed HHS to consider “recognized security practices” that you had in place for the prior 12 months—such as NIST‑aligned controls—when determining fines, audits, and remedies. Demonstrated practices don’t create immunity, but they can materially mitigate penalties and corrective obligations. ([congress.gov](https://www.congress.gov/bill/116th-congress/house-bill/7898/text?utm_source=openai))
Annual Adjustments to Penalties
HIPAA civil penalties increase annually through cost‑of‑living penalty adjustments under the 2015 Inflation Adjustment Act. The latest update was published on January 28, 2026, and applies a 2025 inflation factor to HIPAA civil monetary penalties in 45 CFR part 102. The result: a $73,011 per‑violation maximum for Tiers 1–3 and a $2,190,294 maximum (and annual cap) for the highest tier. ([regulations.justia.com](https://regulations.justia.com/regulations/fedreg/2026/01/28/2026-01688.html))
Reputational and Compliance Implications
Beyond fines, enforcement commonly requires multi‑year corrective action plans, external monitoring, and public breach notifications. Those obligations, along with incident response, forensics, credit monitoring, and potential class‑action exposure, often eclipse the penalty itself.
Conclusion
In short: civil HIPAA exposure now reaches into seven figures per violation at the highest tier, criminal HIPAA violations can mean up to ten years in prison, and state attorney general HIPAA fines can add more liability. Strong governance, prompt remediation, and documented security practices are your best defenses against escalating penalties and reputational harm. ([law.cornell.edu](https://www.law.cornell.edu/uscode/text/42/1320d-6?utm_source=openai))
FAQs
What is the maximum civil fine for a HIPAA violation?
At the highest culpability tier (willful neglect not corrected within 30 days), the maximum civil penalty for a single violation can reach $2,190,294, and that figure is also the calendar‑year cap for identical violations. OCR’s enforcement discretion currently applies lower annual caps for the less‑culpable tiers. ([regulations.justia.com](https://regulations.justia.com/regulations/fedreg/2026/01/28/2026-01688.html))
How long can imprisonment last for criminal HIPAA violations?
Up to 10 years for offenses committed for personal gain, commercial advantage, or malicious harm; up to 5 years when committed under false pretenses; and up to 1 year for basic offenses. Fines may also be imposed. ([law.cornell.edu](https://www.law.cornell.edu/uscode/text/42/1320d-6?utm_source=openai))
Can penalties be reduced for unintentional violations?
Yes. OCR considers multiple mitigating factors, and where violations are due to reasonable cause (not willful neglect) and are corrected promptly, penalties may be reduced or waived. If you can show recognized security practices were in place for the prior 12 months, OCR must consider that in setting fines and remedies. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/160.404?utm_source=openai))
How do state penalties differ from federal HIPAA fines?
State attorneys general can seek injunctions and statutory damages of up to $100 per violation with a $25,000 annual cap per identical provision, and they may also pursue separate state‑law claims. Those state actions are independent of OCR’s federal penalties and can compound overall exposure. ([law.cornell.edu](https://www.law.cornell.edu/uscode/text/42/1320d-5?utm_source=openai))