HIPAA Violation Penalties 2026: Fines and Enforcement
Posted: May 2, 2026 to Compliance.
HIPAA violation penalties in 2026 can reach $2,190,294 per violation category per calendar year, and the U.S. Department of Health and Human Services Office for Civil Rights (OCR) is enforcing them more aggressively than at any point in the law's 30-year history. If your organization handles protected health information (PHI), the question is no longer whether OCR will scrutinize your safeguards. The question is whether your administrative, physical, and technical controls will hold up when a complaint, audit, or breach disclosure puts them under the microscope. This guide breaks down the 2026 penalty schedule, how OCR calculates fines, recent enforcement actions you can learn from, criminal exposure under federal statute, the state-level laws that stack on top of HIPAA, and the operational checklist that keeps healthcare organizations and their business associates out of trouble.
TL;DR: HIPAA Violation Penalties 2026 at a Glance
- Four civil penalty tiers ranging from "no knowledge" (Tier 1) through "willful neglect not corrected" (Tier 4), with per-violation minimums and maximums updated annually for inflation by HHS.
- 2026 statutory cap is $2,190,294 per identical violation category, per calendar year, across every tier (the cap is the same; only the per-violation floor and ceiling change by tier).
- Criminal penalties under 18 U.S.C. section 1320d-6 reach up to $250,000 in fines and 10 years in prison for offenses committed with intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm.
- Recent named OCR settlements include Anthem $16,000,000 (2018), Premera Blue Cross $6,850,000 (2020), Excellus $5,100,000 (2021), and Aetna $1,000,000 (2020), all involving large breaches of unsecured PHI and inadequate safeguards.
- State laws layer on top of HIPAA, including California CPRA, Texas HB 300, New York SHIELD Act, and Massachusetts 201 CMR 17.00, often with their own penalties and private rights of action.
- The most common discovery paths are patient complaints, mandatory breach disclosures, ransomware events, employee whistleblower reports, and OCR random audits.
- The most effective single defense is an annual, documented Security Risk Assessment paired with a current incident response runbook, business associate agreement (BAA) hygiene, and active access logging.
The 2026 HIPAA Civil Penalty Schedule: Four Tiers Explained
The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 restructured HIPAA's civil monetary penalty (CMP) framework into four tiers based on the level of culpability. HHS publishes the dollar amounts in the Federal Register each year, adjusted for inflation under the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015. The 2026 schedule below reflects the most recent annual adjustment, published in the Federal Register on January 28, 2026 (multiplier 1.02598), applicable to penalties assessed on or after that date for violations on or after November 2, 2015.
Tier 1: No Knowledge
The covered entity or business associate did not know, and by exercising reasonable diligence would not have known, that the violation occurred. Per violation: $145 minimum to $73,011 maximum. Annual cap per identical violation category: $2,190,294. This tier sounds forgiving, but "reasonable diligence" is a high bar. OCR has rejected Tier 1 defenses where the organization had not performed a Security Risk Assessment in years, where workforce training was missing, or where logs that would have revealed the issue were never reviewed.
Tier 2: Reasonable Cause
The violation was due to reasonable cause, not willful neglect. The organization knew or should have known about the issue but had a defensible reason for the lapse. Per violation: $1,461 minimum to $73,011 maximum. Annual cap: $2,190,294. Examples include relying in good faith on a vendor representation that turned out to be incorrect, or an isolated workforce error in an otherwise mature program.
Tier 3: Willful Neglect, Corrected
The violation was the result of conscious, intentional failure or reckless indifference to HIPAA obligations, but the entity corrected the violation within 30 days of discovery. Per violation: $14,602 minimum to $73,011 maximum. Annual cap: $2,190,294. Self-disclosure plus rapid corrective action can keep an incident in Tier 3 rather than Tier 4.
Tier 4: Willful Neglect, Not Corrected
Willful neglect that the entity did not correct within 30 days of discovery. Per violation: $73,011 minimum to $2,190,294 maximum. Annual cap: $2,190,294. Tier 4 is reserved for the worst behavior, including ignoring known vulnerabilities, suppressing breach reports, or refusing to engage with OCR after notification. The cap is reached quickly because the per-violation minimum equals the prior tiers' maximum.
Reading the Schedule Correctly
| Tier | Culpability | Min / Violation | Max / Violation | Annual Cap |
|---|---|---|---|---|
| 1 | No knowledge | $145 | $73,011 | $2,190,294 |
| 2 | Reasonable cause | $1,461 | $73,011 | $2,190,294 |
| 3 | Willful neglect, corrected | $14,602 | $73,011 | $2,190,294 |
| 4 | Willful neglect, not corrected | $73,011 | $2,190,294 | $2,190,294 |
The annual cap is per identical violation category. A single incident frequently spans multiple categories, including the failure to perform a Security Risk Assessment, the failure to implement access controls, and the failure to enter into a compliant business associate agreement. Each category carries its own cap, which is how OCR settlements stack into the millions even when the underlying breach affected a finite number of individuals. Authority: HHS OCR HIPAA Enforcement Activities and Results.
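The stacking described above is easier to reason about with a small estimator. The block below is an added illustration, not a tool from HHS or from the article's author: it encodes the 2026 per-violation floors, ceilings and annual cap exactly as the schedule lists them, clamps whatever per-violation amount OCR might select to the tier range, applies the cap per category, and sums across categories. The three findings in the usage section are constructed to show a Tier 4 single finding, a Tier 3 continuing failure that hits the cap, and a Tier 2 amount that gets raised to the tier floor.

```python
"""Estimate civil monetary penalty exposure under the 2026 HIPAA tier schedule.

Added example, not from HHS or the article: the dollar figures are the 2026
amounts the schedule lists; the incident findings below are constructed.
"""
from dataclasses import dataclass

# 2026 schedule: (per-violation minimum, per-violation maximum) by tier.
TIER_RANGE = {
    1: (145, 73_011),        # no knowledge
    2: (1_461, 73_011),      # reasonable cause
    3: (14_602, 73_011),     # willful neglect, corrected within 30 days
    4: (73_011, 2_190_294),  # willful neglect, not corrected
}
ANNUAL_CAP = 2_190_294  # per identical violation category, per calendar year


@dataclass
class Finding:
    category: str        # e.g. "no enterprise-wide risk analysis"
    tier: int            # culpability tier OCR would assign
    violations: int      # identical violations counted in the calendar year
                         # (a continuing failure can be counted per day, 45 CFR 160.406)
    per_violation: int   # dollar amount OCR selects inside the tier range


def category_exposure(f: Finding) -> int:
    """Clamp the chosen amount to the tier's floor/ceiling, then apply the cap."""
    lo, hi = TIER_RANGE[f.tier]
    amount = min(max(f.per_violation, lo), hi)
    return min(amount * f.violations, ANNUAL_CAP)


def total_exposure(findings) -> dict:
    """Each violation category carries its own cap, so exposure sums across them."""
    by_category = {f.category: category_exposure(f) for f in findings}
    return {"by_category": by_category, "total": sum(by_category.values())}


# Constructed findings for one incident spanning three violation categories.
SAMPLE_FINDINGS = [
    Finding("no enterprise-wide risk analysis", tier=4, violations=1, per_violation=73_011),
    Finding("access controls not implemented", tier=3, violations=200, per_violation=14_602),
    Finding("no compliant BAA with vendor", tier=2, violations=10, per_violation=500),
]

if __name__ == "__main__":
    for cat, dollars in total_exposure(SAMPLE_FINDINGS)["by_category"].items():
        print(f"{cat:40s} ${dollars:,}")
    print(f"{'total':40s} ${total_exposure(SAMPLE_FINDINGS)['total']:,}")
```

The middle finding is the instructive one: 200 counted violations at the Tier 3 floor would be $2,920,400, so the category cap is what actually binds, and the incident total still exceeds the cap because the other two categories add their own exposure on top.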
How OCR Calculates Civil Monetary Penalties
OCR does not pick numbers out of thin air. The Enforcement Rule (45 CFR Part 160 Subpart D) requires consideration of specific aggravating and mitigating factors when setting a penalty. Understanding these factors lets you predict where your organization would land if OCR opened an investigation tomorrow.
Statutory Factors OCR Must Weigh
- Nature and extent of the violation: How many records were involved, how many individuals were affected, what kind of PHI was disclosed, and over what time period.
- Nature and extent of the harm: Was there physical, financial, reputational, or dignitary harm to individuals? Identity theft, medical fraud, and exposure of mental health or HIV status all increase severity.
- History of prior compliance: A first-time technical lapse is treated very differently from a repeat finding after a prior corrective action plan (CAP).
- Financial condition: OCR may reduce penalties for organizations that can demonstrate inability to pay, but this is not a get-out-of-jail-free card. Requests for hardship reductions require audited financials and rarely reduce penalties to zero.
- Such other matters as justice may require: A catch-all that lets OCR consider cooperation, the speed of breach notification, the quality of the corrective action plan, and whether the entity attempted to suppress evidence.
The Corrective Action Plan (CAP)
Most OCR resolutions include a multi-year CAP in addition to the monetary penalty. A CAP typically requires the organization to perform a thorough Security Risk Assessment, develop or revise written policies and procedures, retrain workforce members, distribute revised policies, implement specific technical controls, and submit annual compliance reports to OCR for two to three years. The CAP is often more expensive to execute than the headline fine, and a missed CAP deadline is itself a Tier 4 willful-neglect violation.
Real OCR Enforcement Actions You Can Learn From
Petronella Technology Group reviews every public OCR resolution agreement so our clients understand the exact failure modes that trigger penalties. The settlements below are public record published by HHS OCR. Each is summarized to highlight the root cause and the lesson.
Anthem Inc. - $16,000,000 (October 2018)
The largest health-data breach settlement in OCR history at the time. Cyber-attackers gained access to Anthem's IT systems through a spear-phishing email, ultimately exfiltrating the electronic PHI of approximately 79 million individuals, including names, Social Security numbers, dates of birth, and health identification numbers. OCR's investigation found that Anthem failed to conduct an enterprise-wide risk analysis, had insufficient procedures to regularly review information system activity, and failed to identify and respond to suspected or known security incidents. Source: HHS OCR resolution agreement, October 15, 2018. Lesson: Enterprise risk analysis is not optional. Spear-phishing is a known attack vector, and the absence of detection controls is treated as willful neglect when a multi-billion-dollar insurer suffers a multi-month, multi-system intrusion.
Premera Blue Cross - $6,850,000 (September 2020)
A cyberattack on Premera's IT systems went undetected for nearly nine months and resulted in the disclosure of the PHI of more than 10.4 million individuals. OCR's investigation identified systemic noncompliance with the HIPAA Security Rule, including failure to conduct an enterprise-wide risk analysis, failure to implement risk management measures, failure to implement sufficient hardware, software, and procedural mechanisms to record and examine activity in information systems, and failure to prevent unauthorized access to ePHI. Source: HHS OCR resolution agreement, September 25, 2020. Lesson: Detection blind spots compound liability. Nine months of undetected exfiltration is the textbook definition of inadequate audit controls under 45 CFR 164.312(b).
Excellus Health Plan - $5,100,000 (January 2021)
Cyberattackers gained unauthorized access to Excellus's IT systems, resulting in the disclosure of the PHI of more than 9.3 million individuals. OCR's investigation identified the same pattern: missing risk analysis, missing risk management, insufficient technical safeguards, and inadequate review of information system activity. Source: HHS OCR resolution agreement, January 15, 2021. Lesson: The same Security Rule failures keep showing up. OCR is not breaking new ground in these cases; it is penalizing the same baseline gaps that any competent assessor would have flagged years earlier.
Aetna - $1,000,000 (October 2020)
Three separate breaches in 2017, including a web services portal that exposed PHI to internet search engines, a mailing in which the words "HIV medication" were visible through window envelopes, and a mailing that disclosed atrial fibrillation research participation. OCR found Aetna failed to perform periodic technical and nontechnical evaluations in response to environmental or operational changes, failed to implement procedures to verify identity, and failed to limit PHI disclosures to the minimum necessary. Source: HHS OCR resolution agreement, October 28, 2020. Lesson: Low-tech failures (envelope windows, web portal misconfigurations) draw the same OCR attention as nation-state intrusions. The minimum-necessary standard applies to physical mailings, not just digital systems.
Criminal Penalties Under 18 U.S.C. Section 1320d-6
Civil penalties are not the end of HIPAA exposure. The criminal provisions of 18 U.S.C. section 1320d-6 establish three escalating tiers of criminal liability for any person who knowingly obtains or discloses individually identifiable health information in violation of HIPAA.
- Knowing violation: up to $50,000 fine and 1 year imprisonment.
- Under false pretenses: up to $100,000 fine and 5 years imprisonment.
- With intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm: up to $250,000 fine and 10 years imprisonment.
OCR refers criminal cases to the U.S. Department of Justice. Prosecutions have included healthcare workers who looked up celebrity records, employees who sold patient lists to identity-theft rings, and clinicians who accessed estranged spouses' records. Individual workforce members can be charged personally, in addition to any organizational liability. The criminal exposure is one of the strongest arguments for documented, enforced sanction policies and tight access controls in every covered entity and business associate.
State Laws That Stack on Top of HIPAA
HIPAA sets a federal floor, not a ceiling. Several states have enacted health-data privacy or general data-protection statutes that impose additional penalties, breach notification requirements, or private rights of action for affected individuals. The penalties stack: a single breach can produce a federal HIPAA settlement, multiple state attorney general settlements, and class-action exposure all from the same incident.
- California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA): Provide California residents a private right of action for breaches of unencrypted personal information, with statutory damages of $100 to $750 per consumer per incident, plus regulatory penalties up to $7,500 per intentional violation enforced by the California Privacy Protection Agency.
- Texas HB 300: Expands HIPAA-style protections to any entity that comes into possession of PHI in Texas, with state-level penalties up to $1.5 million per year for negligent violations and additional penalties for repeat violators.
- New York SHIELD Act: Requires reasonable security safeguards for private information of New York residents, with civil penalties up to $5,000 per violation enforceable by the state attorney general.
- Massachusetts 201 CMR 17.00: Mandates a written information security program for any business that owns or licenses personal information of Massachusetts residents, including encryption of PHI in transit and on portable devices, with penalties under M.G.L. c. 93H of up to $5,000 per violation plus consumer redress.
- Illinois Biometric Information Privacy Act (BIPA) and Genetic Information Privacy Act (GIPA): Provide private rights of action with statutory damages that have produced multi-million-dollar class settlements in healthcare-adjacent contexts.
For a multi-state covered entity, mapping HIPAA controls against the most stringent state requirement in your service area is the only way to size compliance accurately.
Top 10 Ways HIPAA Violations Get Discovered
OCR opens investigations based on triggers, not random sweeps. Knowing the triggers helps you allocate compliance attention to the most likely failure modes.
- Patient or consumer complaints filed directly with OCR. The OCR complaint portal accepts submissions from anyone who believes their HIPAA rights were violated. Most investigations start here.
- Mandatory breach notifications to OCR under the Breach Notification Rule. Breaches affecting 500 or more individuals must be reported to OCR within 60 days; smaller breaches are reported annually.
- OCR random audits conducted under the HIPAA Audit Program, which selects covered entities and business associates for desk audits and on-site reviews.
- Employee whistleblower reports, which are protected from retaliation under both HIPAA and the False Claims Act.
- Ransomware events, which OCR presumes are reportable breaches unless the organization can document a low probability that PHI was actually accessed or exfiltrated.
- Public data leaks discovered by security researchers, journalists, or threat actors who post stolen data to clearnet or dark web forums.
- Office of Inspector General (OIG) referrals from healthcare fraud investigations that uncover concurrent privacy or security violations.
- State attorney general investigations that share findings with OCR under information-sharing agreements.
- Media coverage of breaches or privacy incidents that draw OCR's attention before any formal complaint is filed.
- Self-disclosure, which sounds counterintuitive but is often the lowest-cost path to resolution. OCR routinely treats self-disclosure as a strong mitigating factor and may resolve issues with a Resolution Agreement rather than a formal CMP.
The 2026 Risk-Reduction Checklist: How to Avoid HIPAA Penalties
Most OCR enforcement actions trace back to a small set of failures that compound. The checklist below reflects what Petronella sees missing in nearly every initial assessment we run for new healthcare and business-associate clients.
- Conduct an annual Security Risk Assessment covering all systems that create, receive, maintain, or transmit ePHI. Document the methodology, the asset inventory, the threat model, the vulnerabilities identified, the likelihood and impact ratings, and the risk-management decisions. The assessment is the cornerstone OCR looks for first in every investigation.
- Maintain BAA hygiene. Every vendor that touches PHI on your behalf needs a current, executed business associate agreement. Audit your BAA inventory annually. Terminate vendors that will not sign or that demand carve-outs that conflict with HIPAA.
- Encrypt PHI at rest and in transit using FIPS 140-2 (or FIPS 140-3) validated cryptographic modules. Encryption is technically "addressable" rather than "required" under the Security Rule, but in practice OCR expects it on every laptop, every backup, every database, and every transmission channel.
- Implement access controls and review them quarterly. Role-based access, multi-factor authentication for all PHI systems, immediate de-provisioning when workforce members leave or change roles, and quarterly access recertification by managers.
- Enable comprehensive logging and review the logs. Audit logs of access to PHI must be generated, retained for at least six years, and reviewed on a defined cadence. The Premera and Anthem settlements specifically cited inadequate log review.
- Maintain a tested incident response runbook. Define roles, decision rights, breach assessment procedures, the four-factor risk analysis, communication templates, and the 60-day notification clock. Tabletop the runbook at least annually.
- Train every workforce member annually with role-specific content and tracked completion. Generic compliance modules do not satisfy the training requirement when an OCR investigator interviews staff.
- Sanction workforce members who violate policy. A documented, enforced sanction policy is required by 45 CFR 164.308(a)(1)(ii)(C). OCR has cited entities that had a policy on paper but no record of ever having applied it.
- Define and enforce sanctioned destruction procedures for paper PHI, electronic media, and end-of-life devices. Use a vendor that provides certificates of destruction.
- Be ready to file with OCR within 60 days of breach discovery, and contemporaneously notify affected individuals and (for breaches of 500 or more) prominent media outlets in the affected state.
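The logging and access-control items above both come down to someone actually reading the audit trail. As an added example (not the article's or Petronella's tooling), the script below reviews a PHI access log against three patterns that a reviewer would want surfaced: a record type outside the user's role scope (minimum necessary), access outside clinic hours, and one user touching an unusual number of distinct patients. The log line format, the role-to-record matrix, the clinic hours, the bulk threshold and the sample lines are all constructed for illustration; a real EHR emits its own format and your minimum-necessary matrix will differ.

```python
"""Review a PHI access log for the kinds of unreviewed system activity that the
Anthem and Premera resolutions cited under 45 CFR 164.312(b).

Added example; the log format, role scopes, hours and sample lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed audit-line format: one access event per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) action=(?P<action>\S+) "
    r"patient_id=(?P<patient>\S+) record=(?P<record>\S+)$"
)

# Constructed minimum-necessary matrix: record types each role legitimately needs.
ROLE_SCOPE = {
    "billing":   {"demographics", "billing"},
    "nurse":     {"demographics", "clinical_notes", "medications"},
    "physician": {"demographics", "clinical_notes", "medications", "lab_results"},
}
BUSINESS_HOURS = range(7, 20)  # assumed clinic hours, 07:00-19:59 UTC
BULK_THRESHOLD = 5             # distinct patients per user in one review window

# Constructed sample log: one out-of-scope view, one after-hours view, one bulk pattern.
SAMPLE_LOG = """\
2026-04-03T09:14:09Z user=asmith role=nurse action=view patient_id=P1001 record=clinical_notes
2026-04-03T09:20:31Z user=bjones role=billing action=view patient_id=P1001 record=billing
2026-04-03T09:22:44Z user=bjones role=billing action=view patient_id=P1002 record=clinical_notes
2026-04-03T02:41:05Z user=cwu role=physician action=view patient_id=P1003 record=lab_results
2026-04-03T10:00:01Z user=dlee role=nurse action=view patient_id=P2001 record=demographics
2026-04-03T10:00:07Z user=dlee role=nurse action=view patient_id=P2002 record=demographics
2026-04-03T10:00:12Z user=dlee role=nurse action=view patient_id=P2003 record=demographics
2026-04-03T10:00:19Z user=dlee role=nurse action=view patient_id=P2004 record=demographics
2026-04-03T10:00:25Z user=dlee role=nurse action=view patient_id=P2005 record=demographics
2026-04-03T10:00:31Z user=dlee role=nurse action=view patient_id=P2006 record=demographics
"""


def parse(text):
    """Parse audit lines into dicts; an unparseable line is itself a finding-worthy event."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable audit line: {line!r}")
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(e)
    return events


def review(text):
    """Return (rule, user, detail) tuples for a human reviewer to work and document."""
    findings = []
    patients_by_user = defaultdict(set)
    for e in parse(text):
        # Rule 1: record type outside the role's minimum-necessary scope.
        if e["record"] not in ROLE_SCOPE.get(e["role"], set()):
            findings.append(("out_of_role_scope", e["user"], f"{e['record']} on {e['patient']}"))
        # Rule 2: access outside clinic hours.
        if e["ts"].hour not in BUSINESS_HOURS:
            findings.append(("after_hours", e["user"], e["ts"].isoformat()))
        patients_by_user[e["user"]].add(e["patient"])
    # Rule 3: one user touching many distinct patients in the window.
    for user, patients in patients_by_user.items():
        if len(patients) >= BULK_THRESHOLD:
            findings.append(("bulk_access", user, f"{len(patients)} distinct patients"))
    return findings


if __name__ == "__main__":
    for rule, user, detail in review(SAMPLE_LOG):
        print(f"{rule:18s} {user:8s} {detail}")
```

The point for an OCR investigation is not the rules themselves but the record that they ran on a defined cadence and that each finding was dispositioned; keep the review output alongside the raw log for the six-year retention period.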
For a deeper, framework-by-framework walkthrough of these requirements, see our HIPAA Compliance Requirements: Complete 2026 Guide and the HIPAA Breach Notification Guide.
HIPAA Meets AI, Cloud, and Mobile Workforce: The Modern Attack Surface
The Security Rule was written in 2003 and amended modestly since. The reality of how PHI moves in 2026 is barely recognizable to that text. Generative AI assistants, multi-cloud architectures, mobile-first clinician workflows, telehealth video, ambient scribes, and patient-portal chatbots all create new exposure points that OCR is actively investigating.
The fastest-growing risk vector Petronella sees is unsanctioned use of public AI tools by clinicians and administrative staff who paste PHI into chat interfaces to summarize charts, draft letters, or interpret images. Every paste is a potential disclosure to a vendor that has no business associate agreement and may train models on the input. The fix is to give workforce members AI tools that are HIPAA-aligned by design, with private inference, signed BAAs, audit logging, and PHI-aware guardrails. That is the regulated-AI lane we built our AI prototyping and private AI solutions practices around. Sanctioned tools beat policy bans every time.

For multi-cloud and mobile workforce risk, the controls are well understood: full-disk encryption with managed keys, conditional access tied to device compliance posture, mobile device management on every endpoint that can receive ePHI, network segmentation that isolates PHI workloads from the general internet, and continuous monitoring with alerting tied to your incident response runbook.
The First 24 to 48 Hours After You Suspect a HIPAA Violation
What you do in the first two days frequently determines whether an incident becomes a Tier 2 reasonable-cause matter or a Tier 4 willful-neglect catastrophe. The playbook below mirrors what Petronella's incident response team executes for clients.
- Preserve evidence immediately. Snapshot affected systems, capture memory where feasible, and preserve logs. Do not let well-intentioned IT staff "clean up" anything that could be evidence.
- Engage privacy counsel before making external statements. Privilege protects investigation-related communications when properly structured.
- Contain the breach. Disable compromised accounts, revoke tokens, isolate affected hosts, rotate credentials. Containment is judged by speed.
- Identify the scope. Which records, which individuals, which categories of PHI, what time window. Scope determines notification obligations and tier.
- Run the four-factor risk assessment documented in 45 CFR 164.402 to determine whether the incident is a reportable breach.
- Start the 60-day clock. For breaches of 500 or more individuals, notify OCR contemporaneously with individual notification and notify prominent media outlets in the affected state. For smaller breaches, log them for the annual OCR submission.
- Document everything. Decision logs, evidence chain of custody, timeline, mitigation actions, and lessons learned. The post-incident report is what OCR will ask for first.
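Steps 5 and 6 of this playbook are the ones teams most often get wrong under pressure, so here is an added example (not Petronella's incident response tooling) that encodes them as a triage helper. It assumes the deadlines stated on this page: a 60-day clock from discovery for individual notice, OCR notice contemporaneous with individual notice and media notice at 500 or more individuals, and the annual OCR log for smaller breaches, which is due 60 days after the end of the calendar year of discovery (45 CFR 164.408(c)). It also encodes the presumption that an incident is a reportable breach unless a complete four-factor assessment under 45 CFR 164.402 documents a low probability of compromise; the incident values below are constructed.

```python
"""Breach Notification Rule triage for the first 48 hours.

Added example, not the article's tooling. Deadlines follow the page: 60 days
from discovery for individual notice; OCR and media notice at >= 500
individuals; annual OCR log (due 60 days after year end) for smaller breaches.
"""
from dataclasses import dataclass
from datetime import date, timedelta

LARGE_BREACH = 500
NOTICE_WINDOW = timedelta(days=60)


@dataclass
class FourFactorAssessment:
    """One field per factor in 45 CFR 164.402; all four must be documented
    before a low-probability conclusion can rebut the breach presumption."""
    nature_and_extent_of_phi: str = ""      # identifiers involved, re-identification risk
    unauthorized_recipient: str = ""        # who used or received the PHI
    phi_actually_acquired_or_viewed: str = ""
    extent_mitigated: str = ""
    low_probability_of_compromise: bool = False

    def is_complete(self) -> bool:
        return all([self.nature_and_extent_of_phi, self.unauthorized_recipient,
                    self.phi_actually_acquired_or_viewed, self.extent_mitigated])


@dataclass
class Incident:
    discovered: date             # date the entity knew or should have known
    affected_individuals: int
    assessment: FourFactorAssessment


def triage(inc: Incident) -> dict:
    """Decide reportability and lay out the notification clock."""
    rebutted = inc.assessment.is_complete() and inc.assessment.low_probability_of_compromise
    if rebutted:
        # Ransomware follows the same rule: presumed reportable unless documented otherwise.
        return {"reportable": False, "action": "retain the four-factor record with the incident file"}
    large = inc.affected_individuals >= LARGE_BREACH
    year_end = date(inc.discovered.year, 12, 31)
    return {
        "reportable": True,
        "individual_notice_deadline": inc.discovered + NOTICE_WINDOW,
        "ocr_notice": ("contemporaneous with individual notice" if large
                       else year_end + NOTICE_WINDOW),   # annual log due date
        "media_notice_required": large,
    }


# Constructed incidents: one large, one small, one with a premature low-probability claim.
COMPLETE = FourFactorAssessment("names, SSNs, diagnoses", "external attacker",
                                "exfiltration confirmed in proxy logs", "credentials rotated")
INCOMPLETE_CLAIM = FourFactorAssessment("names only", "", "", "", low_probability_of_compromise=True)
LARGE = Incident(date(2026, 4, 3), 1200, COMPLETE)
SMALL = Incident(date(2026, 4, 3), 40, COMPLETE)
UNDOCUMENTED = Incident(date(2026, 4, 3), 40, INCOMPLETE_CLAIM)

if __name__ == "__main__":
    for name, inc in (("large", LARGE), ("small", SMALL), ("undocumented", UNDOCUMENTED)):
        print(name, triage(inc))
```

The third constructed incident is the trap: a low-probability conclusion with blank factors does not rebut the presumption, so the helper keeps it on the 60-day clock until the assessment is actually written up.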
Why Healthcare Organizations Choose Petronella
Petronella Technology Group has helped covered entities and business associates navigate HIPAA, NIST, and CMMC requirements for more than two decades. We are headquartered at 5540 Centerview Dr., Suite 200, Raleigh, NC 27606, founded in 2002, and BBB A+ accredited since 2003. Our entire compliance team holds the CMMC Registered Practitioner (RP) credential, and Petronella is a CMMC-AB Registered Provider Organization (RPO) #1449. Founder Craig Petronella holds the CMMC-RP, CCNA, CWNE, and DFE #604180 credentials. We bring the same rigor to HIPAA Security Rule assessments, business associate agreement portfolios, breach response, and AI-era PHI safeguards. Talk to a Petronella consultant via our contact page to schedule a HIPAA posture review or read our HIPAA compliance services overview.
HIPAA Violation Penalties 2026 FAQ
What is the maximum HIPAA fine in 2026?
The maximum civil HIPAA penalty in 2026 is $2,190,294 per identical violation category, per calendar year (effective January 28, 2026 per the HHS Annual Civil Monetary Penalties Inflation Adjustment notice in the Federal Register). A single incident that triggers multiple violation categories (for example, failure to perform a Security Risk Assessment, failure to implement access controls, and failure to enter into a compliant BAA) can stack into multi-million-dollar settlements. Criminal penalties under 18 U.S.C. section 1320d-6 add up to $250,000 in fines and 10 years in prison for the most serious offenses.
Can a single HIPAA violation cost $1.5 million?
Yes. The annual cap under HITECH was $1,500,000 per violation category from 2009 through 2019. HHS has since adjusted that cap upward for inflation under the Federal Civil Penalties Inflation Adjustment Act, reaching $2,190,294 in 2026. The cap is per identical violation category, so a serious incident with multiple categories can exceed $1.5 million many times over.
Do small medical practices get fined less than large hospitals?
Sometimes, but not always. OCR considers the financial condition of the entity as one of the statutory factors when setting penalties, and small practices have received reduced settlements when they could document inability to pay. However, OCR has also penalized small practices and solo providers in the tens to hundreds of thousands of dollars when the violations involved willful neglect, failure to perform a risk analysis, or failure to respond to OCR. Size is a mitigating factor, not a shield.
What is willful neglect under HIPAA?
Willful neglect is conscious, intentional failure or reckless indifference to the obligation to comply with HIPAA. It does not require malicious intent. An organization that has not performed a Security Risk Assessment in years, that ignores known vulnerabilities, or that fails to act on documented audit findings can be found to have acted with willful neglect even if no individual decision-maker intended to violate the law.
How long does an OCR investigation take?
OCR investigations vary widely. Simple complaints may close in a few months with technical assistance and no penalty. Complex breach investigations involving large numbers of individuals, multiple violation categories, and corrective action plans routinely take two to four years from initial notification to final resolution agreement. The Anthem settlement was finalized roughly four years after the initial breach disclosure.
Can employees be personally liable for HIPAA violations?
Yes, under the criminal provisions of 18 U.S.C. section 1320d-6. Workforce members who knowingly obtain or disclose PHI in violation of HIPAA can be charged personally with criminal violations, up to $250,000 in fines and 10 years in prison for the most serious offenses. Documented, enforced sanction policies are required by the Security Rule precisely to address this risk and to support the employer's compliance posture.
What is a HIPAA Corrective Action Plan?
A Corrective Action Plan (CAP) is a multi-year compliance commitment imposed by OCR as part of most resolution agreements. A CAP typically requires the entity to perform a Security Risk Assessment, develop or revise written policies and procedures, retrain workforce members, implement specific technical controls, and submit annual compliance reports to OCR for two to three years. Missing a CAP deadline is itself a Tier 4 willful-neglect violation that can produce additional penalties on top of the original settlement.
Are state HIPAA laws stricter than federal?
Often, yes. HIPAA establishes a federal floor, and several states have enacted stricter health-data or general data-protection laws. California CPRA, Texas HB 300, New York SHIELD Act, and Massachusetts 201 CMR 17.00 all add requirements or penalties beyond federal HIPAA. State laws may also provide private rights of action that HIPAA itself does not, allowing affected individuals to sue directly rather than rely on OCR enforcement.
What is the difference between civil and criminal HIPAA penalties?
Civil HIPAA penalties are administrative monetary penalties imposed by HHS OCR against covered entities and business associates, with no requirement of intent. Criminal HIPAA penalties under 18 U.S.C. section 1320d-6 require knowing conduct and are prosecuted by the U.S. Department of Justice against individuals or organizations. Civil penalties can reach $2,190,294 per category per year. Criminal penalties can reach $250,000 in fines and 10 years in prison per offense.
How does HIPAA enforcement work for cloud, SaaS, and AI tools?
Cloud providers, SaaS vendors, and AI services that create, receive, maintain, or transmit PHI on behalf of a covered entity are business associates and are directly liable under HIPAA. They must enter into business associate agreements, perform their own Security Risk Assessments, and implement Security Rule safeguards. OCR has investigated and penalized business associates including cloud-hosted EHR vendors and managed-service providers. Public AI tools without a signed BAA are not appropriate for PHI handling. Use a regulated-AI platform with a signed BAA, private inference, and audit logging instead.
Next Steps
Two paths from here:
- Audit my HIPAA posture: Schedule a no-cost discovery conversation with a Petronella consultant via our contact page. We will review your current Security Risk Assessment, BAA portfolio, and incident response runbook and identify the highest-impact gaps to close before OCR finds them.
- Read more on HIPAA hosting and compliance services: Visit HIPAA Compliance Services for a full overview of Petronella's HIPAA practice, or read our HIPAA compliance software documentation toolkit on the ComplianceArmor brand.