HIPAA Violation Penalties & Fines (2026)

HIPAA penalties can range from modest fines to multi-million-dollar settlements. This guide explains the four civil penalty tiers in plain language, what triggers enforcement, the criminal penalties that can apply to individuals, and the practical steps that reduce your risk before an audit.

The four civil penalty tiers

Civil monetary penalties are based on your level of culpability. The dollar figures below are illustrative ranges — HHS adjusts the exact amounts for inflation each year — but the tier structure is what matters most:

Tier | Culpability                                          | Per-violation range
1    | Did not know (and couldn't reasonably have known)    | Lowest tier — around $100+ per violation
2    | Reasonable cause, not willful neglect                | Around $1,000+ per violation
3    | Willful neglect — corrected within 30 days           | Around $10,000+ per violation
4    | Willful neglect — not corrected                      | Highest tier — $50,000+ per violation

Each tier also carries a substantial annual cap for all violations of an identical provision. Multiple affected records or repeated failures can multiply the total quickly.

Criminal penalties

Beyond civil fines, individuals who knowingly obtain or disclose PHI in violation of HIPAA can face criminal penalties — fines and imprisonment that escalate when the offense involves false pretenses or an intent to sell, transfer, or use PHI for personal gain or malicious harm.

What triggers HIPAA enforcement?

  • Reported breaches — especially those affecting 500 or more individuals.
  • Patient complaints filed with the Office for Civil Rights (OCR).
  • Compliance reviews and audits initiated by OCR.
  • Once a review begins, the most common findings are: no risk analysis, missing policies, and missing or expired Business Associate Agreements (BAAs).

How to reduce your risk

  1. Complete a current risk analysis — the single most common thing enforcement finds missing.
  2. Put required policies in place and keep them updated.
  3. Track vendors and BAAs so none lapse and every PHI-handling vendor is covered.
  4. Document remediation — showing you corrected issues can move you to a lower penalty tier.
  5. Train your workforce and keep records that prove it.

Lower your risk before an audit

Wardably helps you complete a documented risk assessment, generate the policies you're missing, and track your vendors and BAAs — the exact evidence that reduces enforcement exposure. Start free.


Frequently asked questions

What are the penalties for a HIPAA violation?

Civil penalties use four tiers based on culpability, from roughly $100 per violation at the lowest tier to tens of thousands per violation at the highest, with a substantial annual cap per identical provision. HHS adjusts the exact amounts for inflation each year.

What are the four HIPAA penalty tiers?

Tier 1: didn't know and couldn't reasonably have known. Tier 2: reasonable cause, not willful neglect. Tier 3: willful neglect corrected within 30 days. Tier 4: willful neglect not corrected. Penalties increase with culpability.

Can a HIPAA violation lead to criminal charges?

Yes. Knowingly obtaining or disclosing PHI in violation of HIPAA can carry criminal fines and imprisonment, escalating when the offense involves false pretenses or intent to sell or use PHI for personal gain or malicious harm.


This guide is for general educational purposes and is not legal advice. Penalty amounts are inflation-adjusted by HHS and change over time. Consult a qualified professional for guidance specific to your organization.