HIPAA penalties
Penalties are adjusted for inflation annually, calculated per violation — not per incident — and enforced against practices of every size. Here is the full 2026 breakdown.
Penalty tiers
2026 inflation-adjusted amounts per 45 CFR 160.404.
| Tier | Penalty per violation | Description |
|---|---|---|
| Unknowing | $137 – $68,928 | The covered entity did not know and, by exercising reasonable diligence, would not have known that a violation occurred. |
| Reasonable Cause | $1,379 – $68,928 | The violation was due to reasonable cause — not willful neglect. The entity should have known but did not act with intentional disregard. |
| Willful Neglect — Corrected | $13,785 – $68,928 | The violation resulted from willful neglect, but the entity corrected the violation within 30 days of discovery. |
| Willful Neglect — Not Corrected | $68,928 – $2,067,813 | The violation resulted from willful neglect and was not corrected within 30 days. This tier carries the highest mandatory minimums and no upper cap on aggregate enforcement. |
Annual maximum per violation category: $2,067,813
Calculation
HIPAA penalties are assessed per violation, not per incident. This distinction matters. A single unsecured email containing PHI sent to 50 patients is 50 separate violations. A database breach exposing 5,000 records can be aggregated into thousands of individual violations.
OCR considers multiple factors when determining the penalty amount within each tier:
Corrective action plans — often imposed alongside monetary penalties — require years of monitored compliance and operational changes that typically cost far more than the fine itself.
Criminal enforcement
The Department of Justice can pursue criminal charges for HIPAA violations independently of OCR's civil enforcement. Criminal penalties apply to individuals — not just organizations — and carry imprisonment.
| Offense | Fine | Imprisonment |
|---|---|---|
| Knowingly obtaining or disclosing PHI | $50,000 | Up to 1 year |
| Under false pretenses | $100,000 | Up to 5 years |
| For personal gain or malicious harm | $250,000 | Up to 10 years |
Enforcement record
These are publicly available OCR resolution agreements — not hypotheticals.
| Entity | Year | Violation | Settlement |
|---|---|---|---|
| Banner Health | 2023 | Failure to implement security measures, inadequate risk analysis, lack of monitoring for unauthorized access | $1,250,000 |
| L.A. Care Health Plan | 2023 | Failure to conduct an accurate and thorough risk assessment, failure to implement security measures, failure to implement policies and procedures for access to ePHI | $1,300,000 |
| Yakima Valley Memorial Hospital | 2024 | Failure to implement security measures to reduce risk to ePHI — 23 security guards accessed medical records of 419 patients without authorization | $240,000 |
| Dental practice (individual provider) | 2022 | Impermissible disclosure of PHI on a social media review response, followed by failure to implement a corrective action plan | $23,000 |
Source: HHS Office for Civil Rights enforcement actions. Settlements include resolution agreements and corrective action plans.
FAQ
There is no meaningful average because the range is enormous — from $137 to over $2 million per violation. However, OCR enforcement data shows that most settlements for independent practices fall between $50,000 and $250,000. The real cost is often higher when you factor in corrective action plans, legal fees, notification costs, and lost patient trust.
Yes. OCR has fined solo practitioners, small dental offices, and independent clinics. Practice size is a factor in penalty calculation, but it does not provide immunity. A solo dentist who responds to a Yelp review by disclosing patient information faces the same penalty structure as a hospital system. Small practices are often less likely to contest penalties due to limited legal resources.
Willful neglect that goes uncorrected triggers mandatory Tier 4 penalties starting at $68,928 per violation. The most common triggers: failure to conduct any risk assessment, failure to have BAAs with vendors, and failure to respond to known vulnerabilities. OCR treats knowing inaction as willful neglect.
Conduct and document a comprehensive risk assessment annually. Execute BAAs with every vendor. Train your workforce and document completions. Implement the technical safeguards required by the Security Rule. Respond to incidents within required timelines. The consistent theme in reduced penalties is documented evidence of good-faith compliance efforts — even imperfect programs fare better than none.
Prevention over penalties
Continuous compliance monitoring, automated risk assessments, workforce training, and vendor management — the controls OCR looks for when deciding penalty tiers.