Penalties for violating the HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach Notification Rule can include civil monetary penalties assessed by the HHS Office for Civil Rights under a four-tier structure based on culpability, criminal prosecution by the U.S. Department of Justice for certain wrongful uses and disclosures of protected health information, and required corrective action measures such as compliance monitoring and policy, process, and technical remediation.
Civil monetary penalties are assessed per violation and are subject to inflation adjustments published by the Department of Health and Human Services. For violations occurring on or after February 18, 2009, the four tiers are based on whether the covered entity or business associate did not know and would not have known with reasonable diligence, had reasonable cause, engaged in willful neglect that was corrected within the required period, or engaged in willful neglect that was not corrected within the required period. Under the most recent Department of Health and Human Services inflation adjustment, the minimum per-violation amounts range from $145 in the lowest tier to $73,011 in the highest tier, the maximum per-violation amounts range from $73,011 to $2,190,294 depending on the tier, and the calendar-year cap for violations of an identical requirement can reach $2,190,294.
The HHS Office for Civil Rights evaluates facts such as the nature and extent of the violation, the nature and extent of the harm, the organization’s compliance history, the organization’s financial condition, and the extent of cooperation and timely corrective action when determining whether to resolve a matter through technical assistance, a corrective action plan, a resolution agreement with a monetary settlement, or a civil monetary penalty. The HHS Office for Civil Rights has also issued enforcement discretion statements addressing how annual caps are applied in certain tier categories, which can affect the maximum total amount assessed in a calendar year for repeated violations of the same requirement.
Criminal penalties apply when a person knowingly obtains or discloses individually identifiable health information in violation of HIPAA. Federal criminal penalties can include a fine of up to $50,000 and imprisonment of up to one year, a fine of up to $100,000 and imprisonment of up to five years when the offense is committed under false pretenses, and a fine of up to $250,000 and imprisonment of up to ten years when the offense involves intent to sell, transfer, or use the information for commercial advantage, personal gain, or malicious harm.
HIPAA does not create a private right of action for individuals to sue for damages based solely on a HIPAA violation, but investigations and enforcement outcomes can still create significant operational consequences through mandated remediation, reporting obligations, and contractual or regulatory actions that follow documented noncompliance.
How Regulations Address HIPAA Rules Violation Penalties
45 CFR 160.402(a) and 45 CFR 160.404(b) are directly relevant because they establish when a civil money penalty applies and set the tiered limits that define the penalty range for HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach Notification Rule violations. The regulation states that “the Secretary will impose a civil money penalty upon a covered entity or business associate if the Secretary determines that the covered entity or business associate has violated an administrative simplification provision” and it further limits the amounts by tier, including “in the amount of less than $50,000 for each violation” and “in excess of $1,500,000 for identical violations during a calendar year.” This text is relevant because it is the operative regulatory authority for civil monetary penalties and the tier framework used in HIPAA enforcement.
45 CFR 160.408 is directly relevant because it specifies the factors used to set the penalty amount within the applicable tier range. The regulation states that “in determining the amount of any civil money penalty, the Secretary will consider the following factors” and includes factors such as “the nature and extent of the violation” and “the history of prior compliance with the administrative simplification provisions.” This text is relevant because penalty exposure is not determined by tier limits alone, and the listed factors govern how an enforcement action is calibrated based on scope, harm, compliance history, and financial condition.
42 USC 1320d-6 is directly relevant because it establishes criminal penalties for certain knowing, wrongful uses and disclosures of individually identifiable health information. The statute provides that a person who commits the offense “shall be punished as provided in subsection (b)” and states that the person shall “be fined not more than $50,000, imprisoned not more than 1 year, or both” with higher maxima when committed “under false pretenses” or “with intent to sell, transfer, or use” the information for specified purposes. This text is relevant because it is the statutory basis for criminal enforcement exposure that can apply in addition to, or separate from, civil HIPAA enforcement.
