This site provides independent HIPAA compliance cost estimates for informational purposes only. We are not affiliated with HHS, OCR, or any compliance vendor. This is not legal or regulatory advice. Consult a qualified HIPAA compliance professional for guidance specific to your organization.

HIPAA Violation Penalties and Fines: 2026 Enforcement Guide

HIPAA penalties range from $145 per violation for unknowing infractions to over $2.19 million annually for willful neglect, following the inflation adjustment that took effect on 28 January 2026. Understanding the penalty structure helps frame the ROI of compliance investment.

2026 Penalty Tiers (Inflation-Adjusted)

Amounts effective 28 January 2026, after HHS applied the OMB inflation multiplier (1.02598) to the prior figures. Per-violation amounts are the Federal Register statutory ranges; the annual caps shown are the lower per-tier limits OCR applies under its April 2019 Notice of Enforcement Discretion (the statutory cap for all tiers is $2,190,294). Verified against the HHS / OCR 2026 penalty schedule in June 2026.

| Tier | Culpability level | Per violation | Annual cap (OCR enforcement discretion) |
|---|---|---|---|
| Tier 1 | Did not know (and could not reasonably have known) | $145 - $73,011 | $36,505 |
| Tier 2 | Reasonable cause (not willful neglect) | $1,461 - $73,011 | $146,053 |
| Tier 3 | Willful neglect, corrected within 30 days | $14,602 - $73,011 | $365,052 |
| Tier 4 | Willful neglect, not corrected within 30 days | $73,011 - $2,190,294 | $2,190,294 |

Criminal Penalties (DOJ Prosecution)

| Offense (42 U.S.C. 1320d-6) | Maximum fine | Maximum prison |
|---|---|---|
| Knowingly obtaining or disclosing PHI | $50,000 | 1 year |
| Under false pretenses | $100,000 | 5 years |
| For personal gain, commercial advantage or malicious harm | $250,000 | 10 years |

Recent Enforcement Examples (2025-2026)

OCR's Risk Analysis Initiative is the dominant enforcement theme: nearly every 2025-2026 settlement turns on a missing or inadequate security risk analysis (45 CFR 164.308(a)(1)(ii)(A)), usually surfaced by a ransomware or phishing breach. On 24 April 2026 alone OCR announced four ransomware-related resolutions totaling $1,165,000. Verified against the HHS / OCR enforcement case log in June 2026.

Solara Medical Supplies (2025)

Risk analysis and risk-management failures plus improper breach notification after a phishing attack exposed the ePHI of 114,007 individuals.

$3,000,000

Warby Parker (2025)

Failure to conduct a HIPAA-compliant risk analysis; credential-stuffing attacks against customer accounts exposed the PHI of nearly 198,000 individuals. Imposed as a civil money penalty rather than a negotiated settlement.

$1,500,000 (civil money penalty)

Assured Imaging (2026)

Never conducted a risk analysis. Ransomware exposed the ePHI of 244,813 individuals, who were not notified within the required 60 days.

$375,000

Regional Women's Health Group / Axia (2026)

Risk Analysis Initiative settlement. Failure to conduct a comprehensive, accurate risk analysis after a ransomware attack.

$320,000

Star Group Health Benefits Plan (2026)

Risk Analysis Initiative settlement. Failure to thoroughly assess risks and vulnerabilities to ePHI.

$245,000

Consociate Health (2026)

Network compromised via phishing six months before the ransomware was discovered. No accurate, thorough risk analysis on file.

$225,000

Total Cost of a Healthcare Data Breach

OCR fines are only a fraction of total breach cost. The full financial impact includes:

| Cost component | Estimated cost range |
|---|---|
| OCR fine or settlement | $100K - $2M+ |
| Forensic investigation | $50K - $500K |
| Patient notification and credit monitoring | $100K - $1M+ |
| Legal defense and class-action settlements | $200K - $5M+ |
| Remediation and system upgrades | $100K - $500K |
| Lost business and reputational damage | $500K - $3M+ |
| Insurance premium increases | $25K - $200K per year |
| Average total healthcare breach cost (IBM 2025 Cost of a Data Breach report, all organization sizes) | $7.42M |

Compliance ROI: $1 in Compliance Avoids $17 in Breach Costs

The median HIPAA compliance investment for a mid-size organization is $50,000 per year. Against that, the probability-adjusted expected annual cost of a breach is approximately $850,000: a 25% annual probability of a reportable incident for a non-compliant organization, applied to a per-incident loss of about $3.4 million. Dividing the two gives the 17:1 ratio. Note that $3.4 million is well below the $7.42 million industry average cited above, so the 17:1 figure is conservative relative to that average. The ratio is a model output, not a constant: it holds for other organization sizes only to the extent that compliance spend, incident probability and per-incident loss scale together. Compliance is not just a legal obligation; on these figures it is one of the highest-return risk mitigations available to a covered entity.

State Attorney General Enforcement

State penalties stack on top of federal OCR penalties, and under HITECH state attorneys general can also sue directly for HIPAA violations. Several states have enacted their own health privacy or data-security laws with separate penalty schedules:

| State | Law | Civil penalty |
|---|---|---|
| California | CCPA/CPRA (CMIA for medical information) | $2,500 per violation; up to $7,500 per intentional violation |
| New York | SHIELD Act | Up to $5,000 per violation for inadequate safeguards; $20 per failed breach notification, capped at $250,000 |
| Texas | HB 300 (Health & Safety Code ch. 181) | $5,000 (negligent) to $250,000 (knowing, for financial gain) per violation; $1.5M annual cap for a pattern of violations |
| Massachusetts | 201 CMR 17.00 (M.G.L. c. 93H) | $5,000 per violation, $50K per incident |

Caveat on California: the CCPA/CPRA exempts PHI handled by a HIPAA covered entity or business associate and medical information governed by the CMIA, so for HIPAA-regulated data California exposure runs mainly through the CMIA and the attorney general's HITECH authority rather than the CCPA penalty schedule.

Frequently Asked Questions

What is the maximum HIPAA penalty per year?
The statutory maximum civil penalty is $2,190,294 per identical provision per calendar year, effective 28 January 2026 after the latest inflation adjustment. In practice OCR applies lower annual caps per culpability tier under its 2019 enforcement-discretion notice ($36,505 Tier 1, $146,053 Tier 2, $365,052 Tier 3), with only the top tier (willful neglect, uncorrected) exposed to the full $2,190,294. Separately, criminal HIPAA offenses carry fines up to $250,000 and up to 10 years in prison.
What are the penalties for HIPAA non-compliance?
HIPAA penalties follow a four-tier structure, adjusted for inflation effective 28 January 2026. Tier 1 (lack of knowledge) carries fines from $145 to $73,011 per violation. Tier 2 (reasonable cause) ranges from $1,461 to $73,011. Tier 3 (willful neglect, corrected within 30 days) ranges from $14,602 to $73,011. Tier 4 (willful neglect, not corrected) carries a minimum of $73,011 per violation. The statutory annual cap is $2,190,294 per identical provision, but OCR applies lower per-tier caps under its 2019 enforcement-discretion notice ($36,505 Tier 1, $146,053 Tier 2, $365,052 Tier 3). These amounts are adjusted annually for inflation.
Can individuals go to jail for HIPAA violations?
Yes. Criminal HIPAA violations are prosecuted by the Department of Justice and can result in prison time. Knowingly obtaining or disclosing PHI carries up to 1 year in prison and $50,000 in fines. Offenses committed under false pretenses carry up to 5 years and $100,000. Offenses committed for personal gain, malicious intent, or commercial advantage carry up to 10 years and $250,000. Criminal penalties apply to individuals, not just organizations.
How much is the average HIPAA settlement?
The average OCR settlement exceeds $240,000, but settlements range from $10,000 for small practices with minor violations to $16 million for Anthem's 2018 record settlement (over its 2015 breach affecting 78.8 million people). Most settlements fall in the $100,000 to $500,000 range. The total cost of a breach is far higher than the fine alone when you include investigation costs, notification expenses, credit monitoring, legal defense, reputational damage, and lost business. The average total healthcare breach cost is $7.42 million according to IBM's 2025 Cost of a Data Breach report.
Does having a compliance program reduce penalties?
Yes, significantly. OCR considers the organization's compliance posture when determining penalty amounts. Organizations with a documented, current risk analysis, maintained policies, training records and an active compliance program consistently receive lower penalties. The penalty factors in 45 CFR 160.408 (implementing HITECH) direct OCR to consider the nature and extent of the violation and the resulting harm, the entity's history of prior compliance, and its financial condition. Most OCR investigations close with technical assistance or a corrective action plan rather than a monetary penalty when the organization can demonstrate good-faith compliance efforts.
Can state attorneys general enforce HIPAA?
Yes. The HITECH Act grants state attorneys general the authority to bring civil actions on behalf of state residents for HIPAA violations. State penalties can stack on top of federal OCR penalties. Several states have their own health privacy laws with additional penalties (California's CCPA/CPRA, New York's SHIELD Act, Texas HB 300). Organizations operating in multiple states face compound regulatory exposure.

Updated 2026-06-13