What are the current HIPAA Violation Fines?

Current HIPAA violation fines are civil monetary penalties assessed by the HHS Office for Civil Rights under a four-tier structure, with inflation-adjusted per-violation minimums and maximums and a calendar-year cap for identical violations, and separate criminal penalties that can apply to certain intentional conduct.

For penalties assessed on or after January 28, 2026, the civil monetary penalty ranges reflected in HHS inflation adjustments are structured by culpability. Tier 1 applies when the organization did not know and would not have known with reasonable diligence. Tier 2 applies when the violation was due to reasonable cause. Tier 3 applies to willful neglect that is corrected within the required correction period. Tier 4 applies to willful neglect that is not corrected within the required correction period.

The inflation-adjusted civil monetary penalty amounts reflected for 2026 are a minimum of $145 per violation in Tier 1, $1,461 per violation in Tier 2, $14,602 per violation in Tier 3, and $73,011 per violation in Tier 4. The maximum penalty per violation is $73,011 in Tiers 1 through 3. The Tier 4 maximum penalty per violation is $2,190,294. The published annual penalty limit for identical violations within a calendar year is $2,190,294.

HHS Office for Civil Rights also issued a Notice of Enforcement Discretion in April 2019 that applied reduced annual caps for three tiers based on its interpretation of the HITECH Act penalty limits. Under that enforcement discretion approach, the inflation-adjusted annual caps used in practice can be lower than the published $2,190,294 cap for Tiers 1 through 3, while Tier 4 remains at the higher annual cap. Under the 2026 inflation-adjusted figures applied to that enforcement discretion approach, the annual cap is $36,505.50 for Tier 1, $146,053 for Tier 2, $365,052 for Tier 3, and $2,190,294 for Tier 4. The per-violation maximums remain higher than some of these reduced annual caps, which means the annual cap can control the final total for identical violations in a calendar year.

Civil monetary penalties are not automatic for every incident. HHS Office for Civil Rights determines whether a violation occurred and then evaluates factors used in penalty setting, including the nature and extent of the violation, the nature and extent of the harm, and the organization’s history of compliance, cooperation, and corrective actions.

Criminal penalties are separate from civil monetary penalties and can apply when a person knowingly obtains or discloses individually identifiable health information in violation of law. Criminal penalties can include fines and imprisonment, with higher penalty levels when the offense involves false pretenses or intent to sell, transfer, or use the information for commercial advantage, personal gain, or malicious harm.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681 or email directly at [email protected]