HIPAA Violation Penalties and Fines
HHS Office for Civil Rights (OCR) enforces HIPAA through investigations, corrective action plans, and civil monetary penalties. Penalties range from $100 to $50,000 per violation, with annual caps per violation category. Criminal penalties are referred to the Department of Justice. Updated 26 March 2026.
Civil Monetary Penalty Tiers

| Culpability | Per violation | Annual cap (per category) |
|---|---|---|
| The entity did not know and would not have known of the violation with reasonable diligence. | $100 - $50,000 | $25,000 |
| The violation was due to reasonable cause and not willful neglect; the entity should have known but did not. | $1,000 - $50,000 | $100,000 |
| The violation was due to willful neglect but was corrected within 30 days of the entity knowing or discovering it. | $10,000 - $50,000 | $250,000 |
| The violation was due to willful neglect and was not corrected within 30 days; maximum enforcement penalties apply. | $50,000 | $1,900,000 |
Criminal Penalties
Criminal HIPAA violations are prosecuted by the Department of Justice. Penalties include: up to 1 year in prison for knowingly obtaining or disclosing PHI in violation of the statute, up to 5 years for obtaining PHI under false pretenses, and up to 10 years if the offense is committed with intent to sell PHI or to use it for commercial advantage, personal gain, or malicious harm. Criminal convictions are rare but have been pursued against both individuals and organizations.
Recent HHS OCR Enforcement Examples
The cases below are illustrative examples based on publicly documented OCR enforcement patterns. Entity names are generalized. Amounts reflect settlement agreements and civil monetary penalty orders.
Large Academic Medical Center (Northeast)
Covered Entity | 2023
Failure to implement sufficient access controls and audit logging on electronic health record systems. Multiple employees accessed PHI without authorization over 18 months before detection.
Regional Health Insurance Plan
Covered Entity | 2023
Failure to conduct a comprehensive and accurate risk analysis. A ransomware attack exposed over 200,000 individuals' PHI. Investigation found no documented risk management plan.
Medical Transcription Services Company
Business Associate | 2022
Impermissible disclosure of PHI belonging to more than 300,000 individuals via an unsecured FTP server. Lack of encryption and failure to perform a risk analysis.
Specialty Dermatology Practice Group
Covered Entity | 2024
Failure to enter into a Business Associate Agreement with a cloud storage provider used to store patient records. Provider had access to approximately 12,000 patient records.
Multi-State Hospital Network
Covered Entity | 2024
Right of access failure. Network repeatedly delayed and failed to provide patients with copies of their medical records within required timeframes across 21 facilities.
Mental Health Services Provider
Covered Entity | 2023
Impermissible disclosure of patient PHI including sensitive mental health diagnoses to an employer without patient authorization. Employee terminated but systemic policy failures identified.
Telehealth Platform (Software Company)
Business Associate | 2024
Failure to implement encryption on mobile devices containing ePHI. Three laptops stolen from a parking lot resulted in breach of 85,000 patient records. No encryption or remote wipe capability.
Independent Physician Practice
Covered Entity | 2023
Workforce member posted patient PHI on social media without authorization. Practice had no documented sanctions policy and failed to take corrective action after previous similar incidents.
Calculate your compliance investment vs. penalty risk
A $100,000 compliance program is a fraction of the average OCR settlement. Use the calculator to get your estimate.