HIPAA Fines Increased: 2026 Penalty Amounts

Every year, quietly and without much fanfare, HHS adjusts HIPAA civil monetary penalties for inflation. Most years, the change is a rounding error. In 2026, the multiplier was 1.02598 — meaning penalties went up about 2.6% across the board.

That doesn’t sound dramatic. But here’s why it matters: penalty amounts have been climbing steadily since the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015 started mandating these annual increases. The cumulative effect is major. The maximum penalty per violation for the worst offenders now sits at $2,190,294 — up from $2,134,831 last year.

The new amounts took effect January 28, 2026, following publication in the Federal Register. Any penalty assessed on or after that date applies the 2026 figures, even for violations that occurred earlier (as long as they occurred after November 2, 2015).

And these numbers aren’t theoretical. In 2025 alone, OCR collected over $5.6 million in HIPAA settlements and civil monetary penalties across 10 enforcement actions. The fines keep going up, and so does OCR’s appetite for enforcement.

Here’s what the numbers actually mean for your practice.

The Four HIPAA Penalty Tiers: What Each Fine Level Means

HIPAA fines aren’t one-size-fits-all. The Office for Civil Rights (OCR) uses a four-tier framework based on culpability — essentially, how much you knew or should have known that you were violating the law. The less aware you were, the lower the penalty. The more willful your neglect, the higher it goes.

Tier 1 — “Didn’t Know and Couldn’t Have Known”

You genuinely had no idea, and exercising reasonable diligence wouldn’t have caught it.

  • Per violation: $145 minimum, $73,011 maximum
  • Annual cap under enforcement discretion: $36,506

This is the most forgiving tier. If OCR concludes you had reasonable safeguards in place and the violation was something you couldn’t realistically have prevented or detected, Tier 1 applies. Think: a vendor breach entirely outside your control, where you had a signed BAA and solid security policies.

But “didn’t know” has to be genuinely true — not “we never bothered to check.” OCR will look at whether you were exercising due diligence. If the violation would have surfaced during a routine risk analysis that you simply never ran, you’re not Tier 1.

Tier 2 — “Reasonable Cause”

You didn’t know, but you would have known if you’d been paying attention.

  • Per violation: $1,461 minimum, $73,011 maximum
  • Annual cap under enforcement discretion: $146,053

This is where a lot of practices land when OCR investigates. You didn’t deliberately violate HIPAA, but you weren’t paying close enough attention. Common examples: no risk analysis in three years, an unencrypted file-sharing service nobody vetted, or a team member who never received proper training.

The key distinction from Tier 1 is that a reasonable compliance effort would have surfaced the problem before OCR found it.

Tier 3 — “Willful Neglect, But You Fixed It”

You clearly should have known better, but you corrected the violation within 30 days of being notified.

  • Per violation: $14,602 minimum, $73,011 maximum
  • Annual cap under enforcement discretion: $365,052

“Willful neglect” sounds alarming. The legal definition is “conscious, intentional failure or reckless indifference to the duty to comply.” In practice, this tier often applies to organizations with obvious gaps — no BAAs with vendors, no staff training, no encryption — that acted quickly to fix things once OCR came knocking.

The 30-day correction window matters. Fix the violation within 30 days of notice and you stay in Tier 3. Miss that window and you move to Tier 4, where things get significantly worse.

Tier 4 — “Willful Neglect, And You Didn’t Fix It”

You knew you had a problem, you ignored it, and you still haven’t corrected it.

  • Per violation: $73,011 minimum, $2,190,294 maximum
  • Annual cap: $2,190,294

This is the nuclear option. OCR reserves it for organizations that showed serious disregard for patient privacy and then failed to fix it even after being notified. The $2.19 million figure is per provision of HIPAA violated — meaning if you violated the Privacy Rule AND the Security Rule AND the Breach Notification Rule, those caps stack.

The largest HIPAA settlements in history live in Tier 4 territory. Anthem paid $16 million. Premera Blue Cross paid $6.85 million. These aren’t small practices, but the enforcement logic applies at every scale.

2025 vs. 2026 HIPAA Penalty Amounts: Side-by-Side Comparison

Here’s the comparison. The annual caps discussed below reflect OCR’s 2019 enforcement discretion caps, which are the numbers OCR actually applies in practice.

Tier  Description                     2025 Min/violation  2026 Min/violation  2025 Max/violation  2026 Max/violation
1     Didn’t Know                     $141                $145                $71,162             $73,011
2     Reasonable Cause                $1,424              $1,461              $71,162             $73,011
3     Willful Neglect – Corrected     $14,232             $14,602             $71,162             $73,011
4     Willful Neglect – Uncorrected   $71,162             $73,011             $2,134,831          $2,190,294

The per-violation change looks modest. But penalties aren’t assessed for a single incident. OCR can assess per violation, per day, per provision — the multiplication gets uncomfortable fast. One hundred uncorrected violations of a single provision at the Tier 4 minimum is $7.3 million before the annual cap is even applied.

The Enforcement Discretion Wrinkle Most People Miss

Here’s something that trips people up: there are technically two sets of annual caps in play.

The statutory caps — the ones written into the law — set a single annual maximum of $2,190,294 for violations of an identical HIPAA provision, regardless of tier.

But in April 2019, OCR issued a Notice of Enforcement Discretion that reduced the annual caps for Tiers 1 through 3. Under that notice, OCR applies these annual limits:

Tier  Statutory Annual Cap  OCR Enforcement Discretion Cap
1     $2,190,294            $36,506
2     $2,190,294            $146,053
3     $2,190,294            $365,052
4     $2,190,294            $2,190,294 (unchanged)

The enforcement discretion caps are OCR policy, not law. OCR can rescind that notice at any time and revert to the full statutory caps. But as of March 2026, the reduced caps are still in effect and are what OCR actually applies when issuing penalties.

Civil Penalties vs. Settlements: They’re Not the Same Thing

When you read headlines about HIPAA fines, you’re usually reading about one of two different things:

Civil monetary penalties (CMPs) are what OCR imposes when an organization refuses to cooperate or can’t reach an agreement. These are the penalty tier amounts above, assessed unilaterally by OCR. They’re relatively rare — most cases settle.

Settlements are negotiated agreements where the organization pays a lower amount and agrees to a corrective action plan. In 2024, OCR resolved 22 investigations through settlements or CMPs — and most were settlements. Gulf Coast Pain Consultants paid $1.1 million. Children’s Hospital Colorado paid over $500,000. Warby Parker paid $1.5 million as a CMP because they contested OCR’s findings.

The practical difference: if you cooperate with OCR, document your compliance efforts, and negotiate in good faith, you’ll almost certainly settle for less than the statutory maximums. If you fight OCR or stonewall, CMPs get expensive.

Criminal HIPAA Penalties: A Separate Track

Civil fines from OCR are separate from criminal prosecution, which falls to the Department of Justice. Criminal penalties don’t get inflation-adjusted the same way:

  • Unknowing violation: Up to 1 year in prison, up to $50,000 fine
  • Under false pretenses: Up to 5 years in prison, up to $100,000 fine
  • For commercial advantage, personal gain, or malicious harm: Up to 10 years in prison, up to $250,000 fine

Criminal prosecution is rare but not theoretical. Employees who access and sell patient data for identity theft have been charged. Providers who used PHI for personal financial gain have faced prison time.

State Attorneys General: The HIPAA Enforcement Risk Nobody Expects

Here’s one that catches people off guard: OCR isn’t the only agency that can fine you for HIPAA violations.

Under the HITECH Act, state attorneys general can bring civil actions on behalf of residents impacted by HIPAA violations. They can impose fines up to $25,000 per violation category, per year — and these are on top of any OCR penalties.

In 2024, state AGs were active. Nine enforcement actions across five states resulted in $19.56 million in combined fines. New York has been especially aggressive — fining OrthopedicsNY $500,000 in 2025 over a breach affecting 656,000 people. California, Connecticut, Indiana, Massachusetts, Minnesota, New Jersey, and Pennsylvania have all taken direct action against HIPAA-regulated entities in recent years.

The trend is clear: state enforcement is increasing, and it operates independently from OCR. Getting a pass from OCR doesn’t protect you from your state AG.

What “Willful Neglect” Actually Looks Like in Practice

Tier 3 and Tier 4 hinge on “willful neglect,” and the term matters because it carries the highest penalties and these are the only tiers where OCR is required to investigate (for Tiers 1 and 2, investigation is discretionary).

In practice, here’s what pushes organizations into willful neglect territory:

  • No risk analysis at all. Not an outdated one — literally none. OCR considers this the baseline of HIPAA compliance, and its absence is strong evidence of willful neglect. Their Risk Analysis Initiative has already collected nearly $900,000 from eight entities on this point alone.
  • No BAAs with vendors handling PHI. You knew vendors had your patient data and never executed an agreement. This is one of the most common BAA mistakes practices make.
  • No team training. Staff handling PHI with zero HIPAA training.
  • Ignoring known weak spots. Your own IT team flagged a problem and nobody fixed it.
  • Prior OCR guidance ignored. OCR told you to fix something in a previous investigation and you didn’t.

The difference between Tier 3 and Tier 4 is simple: did you fix it within 30 days of being told? If yes, Tier 3. If no, Tier 4. That 30-day window is your last chance to avoid the worst penalties.

The HIPAA Fine Number That Actually Matters for Your Practice

Forget the $2.19 million maximum for a moment. The number that should be on your radar is $146,053.

That’s the enforcement discretion annual cap OCR applies for Tier 2 violations — “reasonable cause.” It’s the tier that captures most small and mid-sized practices that end up in enforcement. Not because they were negligent in some dramatic way, but because they hadn’t gotten around to doing a current risk analysis, or their staff training was a once-a-year checkbox exercise, or they had vendors handling patient data without a signed BAA.

A hundred and forty-six thousand dollars is a real number for a real practice. And it went up again this year.

Compare that to the cost of compliance. A thorough risk analysis, updated policies, staff training, and proper vendor agreements can be done for a fraction of that amount. The math isn’t complicated.

Wondering where your practice falls on the compliance spectrum? One Guy Consulting offers affordable HIPAA compliance packages — including risk analyses, policy documentation, and staff training that keeps you in Tier 1 territory, where the fines are lowest and OCR investigations are discretionary.