HIPAA Violation Fines and Penalties in 2026: Tiers, Criminal Exposure, and What to Do After a Violation

By Joseph Abear

HIPAA violations carry civil monetary penalties in four culpability tiers, ranging from $145 to $2,190,294 per violation under the inflation adjustment effective January 28, 2026 (45 CFR § 102.3), plus criminal penalties under 42 U.S.C. § 1320d-6 of up to $250,000 and 10 years in prison for the most serious offenses. The HHS Office for Civil Rights (OCR) enforces the civil side against both covered entities and business associates; the Department of Justice prosecutes criminal cases. How much an actual violation costs depends on culpability, duration, the number of provisions violated, and how quickly the entity corrects the problem.

TL;DR: Quick answer

  • The 2026 civil penalty tiers run from $145 minimum (Tier 1, lack of knowledge) to $2,190,294 maximum per violation (Tier 4, uncorrected willful neglect), with a $2,190,294 annual cap per violated provision (45 CFR § 102.3, Federal Register, January 28, 2026).
  • OCR's 2019 Notice of Enforcement Discretion still applies lower effective annual caps for Tiers 1 through 3, so practical exposure in the lower tiers is below the published maximums.
  • Criminal penalties under 42 U.S.C. § 1320d-6 reach $50,000 and 1 year for knowing violations, $100,000 and 5 years under false pretenses, and $250,000 and 10 years for intent to sell or harm.
  • OCR's risk analysis enforcement initiative, active since late 2024, has continued to produce settlements into 2026, including $103,000 from a treatment center in February 2026 and $10,000 from a dental software vendor in March 2026 after a breach affecting roughly 15 million people.
  • The most common finding is the same one: no accurate, thorough risk analysis under 45 CFR § 164.308(a)(1)(ii)(A).

What are the four HIPAA penalty tiers in 2026?

The HITECH Act created four culpability tiers, adjusted annually for inflation. The amounts below took effect January 28, 2026.

Tier   Culpability                                          Per-violation range (2026)   Annual cap per provision
----   ---------------------------------------------------   --------------------------   ------------------------
1      Did not know and could not reasonably have known     $145 to $73,011              $2,190,294
2      Reasonable cause, not willful neglect                $1,461 to $73,011            $2,190,294
3      Willful neglect, corrected within 30 days            $14,602 to $73,011           $2,190,294
4      Willful neglect, not corrected                       $73,011 to $2,190,294        $2,190,294

Two qualifiers matter. First, OCR's 2019 Notice of Enforcement Discretion continues to cap annual totals for Tiers 1 through 3 well below the statutory ceiling, pending formal rulemaking, so the published caps overstate likely exposure for less-culpable entities. Second, "per violation" multiplies fast: a breach exposing 5,000 records over 18 months can be counted as thousands of violations across multiple provisions. Most penalty actions resolve as negotiated settlements with corrective action plans rather than full civil monetary penalties.

When does a HIPAA violation become criminal?

42 U.S.C. § 1320d-6 makes it a crime to knowingly obtain or disclose individually identifiable health information in violation of HIPAA. Penalties escalate by intent: up to $50,000 and 1 year in prison for a knowing violation; up to $100,000 and 5 years when committed under false pretenses; up to $250,000 and 10 years when committed with intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm. Typical criminal cases involve employees snooping on records of acquaintances or celebrities, or selling patient lists. DOJ prosecutes; OCR refers.

How do OCR investigations start?

  • Complaints. Anyone can file with OCR; patients, ex-employees, and competitors do. OCR receives tens of thousands of complaints a year and opens investigations into a subset.
  • Breach reports. Self-reported breaches under 45 CFR § 164.408 are a primary investigation source. Every breach affecting 500 or more individuals is published on the HHS breach portal and routinely investigated.
  • Compliance reviews and audits. OCR can open a review without a complaint, including media-reported incidents and HITECH-mandated audit activity.

Once OCR opens a file, it requests documentation: the risk analysis, policies, training records, and BAAs. Entities that cannot produce a risk analysis dated before the incident start the negotiation from willful-neglect territory.

What is OCR actually enforcing in 2026?

Two themes dominate current enforcement. The first is the risk analysis initiative OCR launched in late 2024, which targets entities that never conducted the accurate and thorough risk analysis required by 45 CFR § 164.308(a)(1)(ii)(A). It has produced a steady stream of settlements: $103,000 from Top of the World Ranch Treatment Center in February 2026, and, in March 2026, $10,000 plus a three-year corrective action plan from MMG Fusion, a dental marketing software business associate, after a breach affecting roughly 15 million individuals. The second is ransomware: by April 2026 OCR had announced 19 completed ransomware investigations, including a group of four settlements that month totaling $1,165,000. Settlement size tracks ability to pay and cooperation, not just breach size; small entities are not skipped.

How do hosting-layer failures show up in enforcement?

Infrastructure problems appear in OCR findings constantly: ePHI on servers exposed to the public internet, no encryption at rest under 45 CFR § 164.312(a)(2)(iv), absent audit logs under § 164.312(b), no BAA with the hosting vendor under § 164.504(e), and risk analyses that never inventoried the web server at all. A practice website that stores intake form submissions is an ePHI system; if it is missing from the risk analysis, that is the exact gap the current initiative penalizes. Our breakdowns of hosting security measures and the administrative, physical, and technical safeguards map these requirements to specific controls. Many penalized failures begin as unintentional violations; intent affects the tier, not whether liability exists.

What should you do after discovering a violation?

  1. Contain and document immediately. Stop the disclosure, preserve evidence, and start a written timeline. Correction within 30 days is what separates Tier 3 from Tier 4.
  2. Run the breach risk assessment. Under 45 CFR § 164.402, an impermissible use or disclosure of unsecured PHI is presumed a breach unless a documented assessment shows a low probability of compromise.
  3. Notify on the statutory clock. Individuals: within 60 days of discovery (§ 164.404). HHS: without unreasonable delay and within 60 days of discovery for breaches affecting 500 or more people, or within 60 days after the end of the calendar year of discovery for smaller ones (§ 164.408). Media: notice required when 500 or more residents of a single state or jurisdiction are affected (§ 164.406).
  4. Fix the root cause and update the risk analysis. OCR weighs corrective action heavily in settlement negotiations.
  5. Bring in counsel early. Privilege, state breach laws, and OCR strategy all benefit from it.
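The notification clocks and the 30-day correction window from the steps above, worked into a small deadline calculator. This is an added example, not code from the article or from HHS; it assumes the discovery date has already been determined under § 164.404 (the first day the breach was known or should reasonably have been known) and that the counts passed in are final.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Thresholds and windows as the article states them (45 CFR §§ 164.404-408; Tier 3 vs Tier 4).
LARGE_BREACH_THRESHOLD = 500   # 500 or more individuals triggers the HHS 60-day clock and media notice
NOTICE_WINDOW_DAYS = 60        # individual notice, and HHS notice for large breaches
CORRECTION_WINDOW_DAYS = 30    # willful neglect corrected within 30 days stays in Tier 3


@dataclass(frozen=True)
class BreachDeadlines:
    individual_notice_by: date   # latest date for notice to affected individuals
    hhs_notice_by: date          # latest date for the HHS breach report
    media_notice_required: bool  # prominent media notice for 500+ in one state or jurisdiction


def breach_deadlines(discovered: date, affected: int, max_in_one_jurisdiction: int) -> BreachDeadlines:
    """Compute the latest permissible notification dates for a breach discovered on `discovered`."""
    if max_in_one_jurisdiction > affected:
        raise ValueError("per-jurisdiction count cannot exceed total affected")
    individual_by = discovered + timedelta(days=NOTICE_WINDOW_DAYS)
    if affected >= LARGE_BREACH_THRESHOLD:
        # Large breach: HHS is notified on the same 60-day clock as individuals.
        hhs_by = individual_by
    else:
        # Small breach: HHS may be notified within 60 days after the end of the calendar year of discovery.
        year_end = date(discovered.year, 12, 31)
        hhs_by = year_end + timedelta(days=NOTICE_WINDOW_DAYS)
    return BreachDeadlines(individual_by, hhs_by, max_in_one_jurisdiction >= LARGE_BREACH_THRESHOLD)


def tier3_correction_deadline(known: date) -> date:
    """Last day on which correcting a willful-neglect violation keeps it in Tier 3 rather than Tier 4."""
    return known + timedelta(days=CORRECTION_WINDOW_DAYS)


def corrected_within_window(known: date, corrected: Optional[date]) -> bool:
    """True if the violation was corrected (corrected is not None) on or before the Tier 3 deadline."""
    return corrected is not None and corrected <= tier3_correction_deadline(known)


if __name__ == "__main__":
    # Constructed scenario: a breach discovered 2 March 2026 affecting 1,200 people, 800 of them in one state.
    d = breach_deadlines(date(2026, 3, 2), affected=1200, max_in_one_jurisdiction=800)
    print(d)  # individual and HHS notice by 2026-05-01, media notice required
    print(tier3_correction_deadline(date(2026, 3, 2)))  # 2026-04-01
```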

Frequently asked questions

What is the maximum HIPAA fine in 2026?

$2,190,294 per violation for uncorrected willful neglect, with an annual cap of $2,190,294 per violated provision. Multi-provision cases can exceed the single cap.

Can a small practice really be fined?

Yes. OCR's recent settlements include solo and small providers, and its risk analysis initiative has settled with small entities for five- and six-figure amounts plus multi-year monitoring.

Can you go to jail for a HIPAA violation?

Yes, for knowing misuse of PHI under 42 U.S.C. § 1320d-6, with sentences up to 10 years when PHI is obtained to sell or to harm someone.

Does self-reporting a breach reduce penalties?

Reporting is legally required, not optional, but documented good-faith compliance and rapid correction consistently produce smaller settlements than concealment followed by discovery.

Are business associates fined directly?

Yes. Since the 2013 Omnibus Rule, business associates carry direct liability, and recent OCR actions include software vendors, billing companies, and an accounting firm.

Where to go from here

The cheapest penalty is the violation that never happens, and the pattern in 2026 enforcement is unambiguous: document a risk analysis that covers every system touching ePHI, including your website and host. If hosting is one of your gaps, our HIPAA-compliant hosting guide covers what to require, and a managed HIPAA hosting environment like our managed HIPAA cloud hosting includes the BAA and the technical safeguards OCR asks about; that is our own service, so verify it against the guide.

This article is general information, not legal advice. Penalty amounts adjust annually and enforcement positions change; confirm current figures with HHS, consult counsel, and base safeguards on a documented risk analysis. Reviewed June 2026.

Sources

  • 45 CFR § 102.3, civil monetary penalty amounts: ecfr.gov
  • Federal Register, annual civil monetary penalties inflation adjustment (January 28, 2026): federalregister.gov
  • 42 U.S.C. § 1320d-6, wrongful disclosure of individually identifiable health information: govinfo.gov
  • HHS OCR, enforcement process and results: hhs.gov
  • HHS OCR, Top of the World Ranch settlement (February 2026): hhs.gov
  • HHS OCR, MMG Fusion settlement (March 2026): hhs.gov
  • HHS OCR, four ransomware settlements (April 2026): hhs.gov
  • 45 CFR §§ 164.400-414, breach notification: ecfr.gov