HIPAA enforcement is not theoretical. The Office for Civil Rights has collected hundreds of millions of dollars in settlements and civil monetary penalties since the rules took effect. Investigations have targeted solo practitioners, regional hospital systems, and Fortune 500 insurers alike. The size of your organization does not protect you. The sincerity of your intentions does not protect you. Only a documented, functioning compliance program does.
In 2026, the enforcement landscape is more active than ever. OCR has increased its audit activity, breach reports continue to climb, and state attorneys general have stepped up parallel enforcement under HIPAA's state action provision. If you handle protected health information and you are not actively managing your compliance posture, you are carrying real financial and operational risk. This guide explains exactly what that risk looks like - from penalty tiers to the specific violations that trigger investigations - so you can take the right steps to reduce your exposure.
We cover the full violations taxonomy across the Privacy Rule, Security Rule, and Breach Notification Rule. We explain how civil penalties are calculated and when criminal charges become possible. We walk through the most common violations OCR encounters and what real enforcement actions have cost organizations like yours. If you want the short version, start with our HIPAA compliance checklist. If you want the full picture, read on.
The Four Civil Penalty Tiers
HIPAA's civil monetary penalty structure is tiered. The tier that applies to your violation depends on your culpability - specifically, what you knew or should have known, and whether you corrected the problem once you discovered it. Congress structured the tiers this way to distinguish honest mistakes from deliberate disregard of the rules.
The dollar amounts are adjusted periodically for inflation under the Federal Civil Penalties Inflation Adjustment Act, and the current table is published at 45 CFR 102.3. The figures below are the inflation-adjusted amounts HHS published in 2024; confirm them against the current table before relying on them, because a later adjustment cycle supersedes these numbers. Two caps matter. The regulation itself caps penalties at $2,134,831 per calendar year for violations of an identical provision at every tier. Separately, under its 2019 Notice of Enforcement Discretion, HHS applies lower annual caps at the first three tiers, and those lower caps are what OCR uses in practice.
Tier 1: Did Not Know
This tier applies when the covered entity or business associate did not know - and by exercising reasonable diligence would not have known - that the act was a violation. The penalty range is $141 to $71,162 per violation. Under HHS's 2019 Notice of Enforcement Discretion the annual cap OCR applies at this tier is $35,581 for identical violations within a calendar year; the regulatory cap is $2,134,831.
This is the most lenient tier, but "did not know" is a narrow standard. OCR will look at whether you had any compliance infrastructure in place. If you had no policies, no training, and no risk assessment, you cannot credibly claim you were exercising reasonable diligence. The tier is designed for edge-case violations by otherwise-compliant organizations, not for organizations with no compliance program at all.
Tier 2: Reasonable Cause
This tier applies when the covered entity knew or should have known about the violation - but the violation did not involve willful neglect. The penalty range is $1,424 to $71,162 per violation. Under HHS's 2019 Notice of Enforcement Discretion the annual cap at this tier is $142,355 for identical violations; the regulatory cap is $2,134,831.
Reasonable cause means there was some basis for knowing a violation could occur. If your staff accessed patient records without a job-related need and you had policies stating that was prohibited, OCR may argue you should have caught it through access monitoring. Resolution agreements rarely state which tier OCR applied, since the settling entity admits no liability, so do not read a settlement amount as evidence of a particular tier.
Tier 3: Willful Neglect - Corrected
Willful neglect means conscious, intentional failure or reckless indifference to the obligation to comply with HIPAA. If the violation involved willful neglect but the covered entity corrected the problem within 30 days of the date it knew, or by exercising reasonable diligence would have known, of the violation, this tier applies. The penalty range is $14,232 to $71,162 per violation. Under HHS's 2019 Notice of Enforcement Discretion the annual cap at this tier is $355,808 for identical violations; the regulatory cap is $2,134,831.
The correction window matters here. Organizations that self-identify violations, report them promptly, and implement corrective action plans may benefit from this tier even when OCR would otherwise characterize the conduct as willful neglect. The message is clear: fix the problem fast once you know about it.
Tier 4: Willful Neglect - Not Corrected
This is the most serious civil penalty tier. It applies when the violation involved willful neglect and the covered entity did not correct the problem within the 30-day window. The penalty range is $71,162 to $2,134,831 per violation, with an annual cap of $2,134,831 for identical violations. This is the one tier where the cap HHS applies under its 2019 Notice of Enforcement Discretion and the regulatory cap are the same number.
The annual cap for this tier means OCR can impose up to $2,134,831 for all violations of a single provision of HIPAA in a single calendar year. Multiply that across multiple violation categories - Privacy Rule, Security Rule, Breach Notification - and the theoretical maximum exposure is significant. For a sense of how these tiers translate into real settlements, see our analysis of HIPAA fines in 2026 and the historical record of HIPAA fines in 2025.
How Multiple Violations Are Counted
OCR counts violations per instance of non-compliance, not per incident, and 45 CFR 160.406 treats a violation that continues over time as a separate violation for each day it persists. A breach affecting 10,000 patients may therefore be treated as 10,000 separate violations of the same provision, and a missing risk analysis as one violation per day for as long as it was missing. The annual caps provide a ceiling per provision, but even capped amounts can be substantial. OCR has discretion in how it applies these rules, and settlement amounts are often negotiated well below theoretical maximums in exchange for cooperation and corrective action plans.
Most Common HIPAA Violations
OCR has published enforcement data and guidance over the years that makes clear which compliance failures it encounters most often. If you want to reduce your risk, these are the areas that deserve the most attention.
Failure to Conduct a Risk Assessment
The Security Rule (45 CFR 164.308(a)(1)(ii)(A), which uses the term "risk analysis") requires covered entities and business associates to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information. This is not optional and it is not a one-time task. It must be repeated when your systems, vendors, or workflows change, and the results must be written down.
OCR cites failure to conduct a risk assessment - or failure to document one - in a large percentage of its investigations. The risk assessment is the foundation of your entire security program. Without it, you cannot demonstrate that your safeguards are proportionate to your actual risks. Without it, almost every security failure can be traced back to a documented gap in your compliance. Learn what a proper risk assessment involves at our guide to conducting a HIPAA risk assessment.
Unauthorized Access to PHI
Employees accessing patient records out of curiosity, personal interest, or for people they know is one of the most frequently cited Privacy Rule violations. HIPAA's minimum necessary standard requires covered entities to limit access to PHI to what is needed for an employee's job function. It also requires covered entities to have policies and procedures that identify who can access PHI, under what circumstances, and with what restrictions.
Workforce snooping violations often come to OCR's attention through patient complaints. Someone checks their own records and finds that a colleague - maybe a neighbor, a family member's friend, a coworker from a different department - viewed them. That complaint becomes an investigation. Preventing this requires access controls, audit logging, and a workforce culture that treats unauthorized access as a serious disciplinary matter.
Lack of Encryption
Encryption is an addressable implementation specification under the Security Rule (45 CFR 164.312(a)(2)(iv) for data at rest and 164.312(e)(2)(ii) for data in transit). Addressable does not mean optional: you must implement it where it is reasonable and appropriate for your environment, and if you conclude it is not, you must document why and implement an equivalent alternative measure where one is reasonable. In practice, the failure to encrypt portable devices - laptops, USB drives, tablets - is one of the most common fact patterns in OCR breach investigations. When an unencrypted laptop is stolen and you report the breach, OCR asks whether you had encryption. If the answer is no, you had better have a well-documented alternative measure. If the answer is yes and the encryption meets HHS's guidance on securing PHI, the loss of the device is generally not a reportable breach at all, provided the key was not lost with it.
Encryption of data at rest and data in transit has become standard industry practice. The cost of encryption tools is low. The cost of a breach involving an unencrypted device is not. Our HIPAA Security Rule compliance guide covers the encryption requirements in detail.
Insufficient Workforce Training
The Privacy Rule and Security Rule both require covered entities to train their workforce on HIPAA-related policies and procedures. Training must be provided to new staff and updated when policies change. It must be documented - OCR will ask for records showing who was trained, when, and on what content.
Generic annual compliance training that covers HIPAA in passing does not satisfy this requirement. Training must be specific to each workforce member's role and the types of PHI they handle. A front-desk scheduling coordinator and a network administrator have very different risk profiles and need different training content. Undocumented or role-agnostic training leaves you exposed when OCR reviews your compliance program.
Improper Disposal of Records
The Privacy Rule requires covered entities to apply reasonable safeguards to protect PHI, including during disposal. Paper records containing PHI must be shredded or otherwise rendered unreadable - not placed in regular recycling. Electronic media must be purged, degaussed, or physically destroyed before disposal. Records found in dumpsters, recycling bins, or at recycling centers have triggered multiple OCR investigations and settlements.
This is a violation that tends to be straightforward to prosecute. There is no ambiguity about whether the records were protected. If PHI ends up in accessible waste, the failure is documented. Establishing a proper disposal policy and training staff to follow it is inexpensive relative to the penalty exposure.
Failure to Have Business Associate Agreements
If you share PHI with a vendor, contractor, or service provider - and that third party creates, receives, maintains, or transmits PHI on your behalf - you need a signed Business Associate Agreement (BAA) before you share any data. This applies to your EHR vendor, your billing company, your cloud storage provider, your transcription service, your IT support firm, and many others.
OCR has taken the position that operating without required BAAs is itself a violation, separate from any breach that may occur. When a breach does occur through a business associate, OCR will investigate whether a BAA was in place. If it was not, the covered entity faces additional exposure. The good news is that BAAs are not complicated. Getting them in place is one of the easiest compliance wins available.
Denial of Patient Access to Records
The Privacy Rule (45 CFR 164.524) gives patients the right to access their own medical records, and a covered entity must act on a request within 30 days, with one 30-day extension available if it tells the patient in writing why the delay is needed and when to expect a response. OCR has made patient access rights a priority enforcement area in recent years through its Right of Access Initiative, and it has taken action against covered entities that denied access, charged more than the reasonable cost-based fee the rule permits, or failed to respond to requests in a timely manner.
This is an area where solo and small practices get tripped up. A patient submits a records request. It gets lost in an administrative backlog. Nobody follows up. Thirty days pass. The patient files a complaint. OCR now has a documented failure to respond. Patient access enforcement actions have resulted in settlements across a wide range of organization sizes. Do not treat records requests as low-priority administrative tasks.
Criminal Penalties for HIPAA Violations
Most HIPAA enforcement is civil. But criminal penalties are available under 42 U.S.C. § 1320d-6 when a person knowingly obtains or discloses individually identifiable health information in violation of HIPAA. The Department of Justice, not OCR, handles criminal prosecution.
Three Criminal Tiers
Criminal penalties follow a three-tier structure based on intent and the purpose of the offense.
The base tier applies when someone knowingly, and in violation of HIPAA, obtains or discloses individually identifiable health information, or uses a unique health identifier. The penalty is a fine of up to $50,000 and imprisonment of up to one year.
The second tier applies when the offense was committed under false pretenses. The penalty increases to a fine of up to $100,000 and imprisonment of up to five years.
The third tier applies when the offense was committed with the intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm. The penalty is a fine of up to $250,000 and imprisonment of up to ten years.
Who Gets Charged
Individuals - not just organizations - face criminal exposure. Healthcare workers who access or sell patient records for personal gain have been prosecuted. Cases have involved employees selling patient data to marketing companies, accessing records of celebrities or family members out of curiosity, and stealing information for identity theft purposes.
Organizations can also face criminal prosecution under general federal conspiracy and fraud statutes when corporate conduct involves knowing HIPAA violations at scale. The DOJ coordinates with OCR and HHS's Office of Inspector General on these cases. Criminal referrals from OCR investigations do occur, though they are less common than civil resolutions.
The Distinction from Civil Cases
Criminal cases require knowing conduct, but "knowing" is narrower than it sounds. Under the Justice Department's 2005 Office of Legal Counsel opinion on the statute, the government must prove the defendant knew the facts that make up the offense - that they obtained or disclosed individually identifiable health information - not that they knew the conduct violated HIPAA. Ignorance of the rules is not a defense. This is still a higher standard than the civil "should have known" standard in Tier 2, but it is not a high bar when an employee deliberately pulled up records for personal reasons. The same opinion concludes that covered entities and, under ordinary principles of corporate criminal liability, their officers, directors and employees can be prosecuted directly, and that others can be reached through conspiracy or aiding-and-abetting charges.
What Triggers an OCR Investigation
Understanding how investigations start helps you assess your actual risk exposure and prioritize your compliance investments. OCR opens investigations through four primary channels.
Patient and Workforce Complaints
The most common trigger is a complaint filed directly with OCR. Any individual can file a complaint at the OCR website if they believe their HIPAA rights were violated. Patients file complaints about denied records access, unauthorized disclosures, and Privacy Notice failures. Workforce members file complaints about retaliation for reporting HIPAA concerns. Former employees sometimes file complaints after termination.
OCR receives tens of thousands of complaints per year. Not all result in investigations - OCR triages and prioritizes. But complaints that describe specific, documented violations with clear evidence tend to get action. If a patient can show they requested records 60 days ago and received no response, that is an actionable complaint.
Breach Reports
The Breach Notification Rule requires covered entities to report breaches affecting 500 or more individuals to OCR without unreasonable delay and no later than 60 calendar days after discovery; individual notices run on the same clock, and a breach affecting more than 500 residents of one state also requires notice to prominent media in that state. These large breaches are posted publicly on the OCR breach portal, commonly called the "Wall of Shame", and automatically draw scrutiny. OCR investigates a significant percentage of large breach reports, particularly when the breach facts suggest underlying security failures.
Breaches affecting fewer than 500 individuals must be logged and reported to OCR within 60 days after the end of the calendar year in which they were discovered. OCR reviews these smaller breaches and investigates when patterns emerge - for example, if a practice reports numerous small breaches over several years, suggesting systemic problems. Our HIPAA breach response plan guide covers the notification requirements and timelines in detail.
Compliance Reviews
OCR has authority to conduct proactive compliance audits and reviews independent of any complaint or breach. The HITECH Act directed HHS to conduct periodic audits of covered entities and business associates. OCR has conducted multiple audit rounds and has the authority to conduct targeted reviews of specific organizations or compliance topics.
Compliance reviews are less common than complaint-driven investigations, but they do happen. Organizations selected for audit receive formal notification and are required to produce documentation of their compliance program - policies, risk assessments, training records, BAAs, and more. Being unable to produce this documentation is itself a finding.
Media Reports and Public Information
OCR monitors news coverage of healthcare data incidents. If a breach is reported in the press before the covered entity notifies OCR, or if press coverage reveals facts that suggest HIPAA violations, OCR may open an investigation based on publicly available information. This is rare but has happened. It is another reason why internal breach response procedures should include rapid notification of compliance leadership before information reaches external channels.
Recent Enforcement Actions
The following settlements are real, documented OCR enforcement actions drawn from public OCR press releases. Dollar amounts and organization names reflect publicly reported figures.
Premera Blue Cross - $6.85 Million (2020)
Premera Blue Cross, a health plan operating in Washington and Alaska, settled with OCR in September 2020 for $6.85 million following a cyberattack that affected more than 10.4 million individuals. The attackers were inside Premera's systems from May 2014 until the intrusion was discovered in January 2015. OCR's investigation found that Premera failed to conduct an enterprise-wide risk analysis, failed to implement risk management plans, and failed to review and modify security measures over time. The settlement included a robust corrective action plan. This case illustrates how a failure to perform foundational Security Rule requirements - particularly the risk analysis - amplifies the consequences of a breach event.
Advocate Health Care Network - $5.55 Million (2016)
Advocate Health Care Network, a large Illinois health system, settled with OCR for $5.55 million in 2016 after three breaches reported in 2013 that together affected approximately 4 million patients: the theft of four unencrypted desktop computers from an administrative office, unauthorized access to the network of its billing business associate, and the theft of an unencrypted laptop from an unlocked vehicle. OCR found multiple Security Rule failures: lack of a comprehensive risk analysis, failure to implement policies to restrict physical access to electronic information systems, failure to obtain satisfactory assurances in a business associate agreement from the billing vendor, and failure to safeguard the laptop. At the time, it was the largest OCR settlement with a single entity.
Memorial Healthcare System - $5.5 Million (2017)
Memorial Healthcare System in Florida settled with OCR for $5.5 million in 2017 following an insider incident that affected about 115,000 individuals. The login credentials of a former employee of an affiliated physician's office were never disabled and were used to access patient records daily for roughly a year. The investigation found that Memorial failed to implement procedures to regularly review records of information system activity, such as audit logs and access reports - meaning nobody was watching who opened which charts - and failed to review and terminate access that was no longer needed, even though its own policies required both and its own risk analyses had identified the risk. The corrective action plan required Memorial to implement an audit control program and regularly review its audit logs.
Banner Health - $1.25 Million (2023)
Banner Health, an Arizona-based health system, agreed in 2023 to pay $1.25 million to settle potential violations arising from a 2016 cyberattack that, by OCR's count, affected approximately 2.81 million individuals. Banner's own disclosure traced the intrusion to the payment processing system for its food and beverage outlets, from which the attackers moved laterally to systems holding PHI. OCR's findings were foundational rather than exotic: no accurate and thorough risk analysis, insufficient monitoring of information system activity, no authentication process to verify that people seeking access to ePHI were who they claimed to be, and inadequate security measures for ePHI in transit. The case is a useful reminder that third-party systems connected to your network can be vectors for compromise.
The Broader Pattern
Across these and other OCR settlements, a consistent pattern emerges. The underlying breach or violation may vary - a cyberattack, a stolen laptop, unauthorized employee access - but the OCR investigation almost always uncovers the same foundational failures: no risk analysis, no documented risk management plan, inadequate access controls, missing BAAs, and insufficient monitoring. Organizations that invest in these foundational elements dramatically reduce both their violation risk and their settlement exposure when incidents do occur. Our guide to HIPAA documentation requirements covers what you need to have on file.
State Attorney General Enforcement
Federal OCR enforcement gets most of the attention, but HIPAA also authorizes state attorneys general to bring civil actions on behalf of state residents for violations of HIPAA's Privacy and Security Rules. This enforcement authority was created by the HITECH Act in 2009.
How State AG Actions Work
A state AG can sue a covered entity or business associate in federal district court for injunctive relief or statutory damages. Damages are calculated at up to $100 per violation, capped at $25,000 per calendar year for violations of an identical requirement, and the court may award attorneys' fees. The AG must serve notice on the HHS Secretary before filing, the Secretary can intervene, and the AG may not proceed while HHS has its own action pending on the same violation.
State AG actions are less common than OCR actions but they do happen. Connecticut, Minnesota, New York, and several other states have brought actions. State AGs tend to act when a breach affects a significant number of their state's residents and the covered entity is based in their jurisdiction or does substantial business there.
Parallel Exposure
The key risk with state AG actions is parallel exposure. An organization facing an OCR investigation can simultaneously face a state AG action for the same underlying conduct. The federal annual caps on civil monetary penalties do not limit state AG recoveries. And some states have enacted state-level health privacy laws that provide additional enforcement authority with separate penalty structures.
California, New York, and Texas have active healthcare privacy enforcement at the state level. If you operate in multiple states or your breach affects residents in multiple jurisdictions, your compliance team needs to track state-level obligations alongside federal HIPAA requirements.
State Law Interaction
Where state law is more protective than HIPAA, the more protective standard applies. This is known as HIPAA preemption with exception - HIPAA preempts less protective state laws but does not preempt state laws that provide greater protections. In practice, this means that in some states you may need to comply with stricter consent requirements, shorter breach notification windows, or more restrictive data sharing rules than HIPAA requires on its own.
How to Protect Your Practice
The good news is that most OCR enforcement actions - and most large breach events - involve a small set of recurring compliance failures. Address these systematically and you substantially reduce your exposure.
Conduct and Document a Risk Assessment
Start here. The Security Rule risk assessment is the foundation of everything else. It identifies where your ePHI lives, what risks exist, and what safeguards are proportionate to those risks. It must be documented and it must be updated when your environment changes - new systems, new vendors, new workflows, staff turnover in key roles. OCR will ask to see your risk assessment in any investigation. If you do not have one, fix this first. Our risk assessment guide walks through the process step by step.
Implement a Risk Management Plan
A risk assessment without a risk management plan is a document that proves you knew about your vulnerabilities. Implement the safeguards your risk assessment identifies as necessary. Document what you implemented, when, and who is responsible for maintaining it. Review the plan at least annually and after significant changes.
Train Your Workforce - Specifically
Generic annual compliance training is not enough. Role-specific HIPAA training must cover the types of PHI each employee handles, the specific risks associated with their job function, your organization's policies, and the consequences of violations. Document training completion. Conduct refresher training when policies change. Discipline staff consistently when violations occur - inconsistent enforcement undermines the deterrent effect of your training program.
Execute Business Associate Agreements
Inventory every vendor that touches PHI. Execute BAAs with all of them before sharing any data. Review existing BAAs to confirm they include all required elements - many BAAs signed in the early HITECH years are missing updated breach notification provisions. Revisit your BAA inventory annually. Vendor relationships change, and a BAA signed with a company five years ago may not cover new services that company now provides.
Implement Access Controls and Audit Logging
Limit access to PHI based on job function. Implement unique user IDs so you can attribute access to individuals. Enable audit logging and review logs regularly - not just after an incident. Access monitoring catches workforce snooping before it becomes a breach report. It also provides evidence that you were exercising reasonable oversight if a violation is later discovered.
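The access-monitoring step above, together with the workforce snooping and Memorial Healthcare patterns described earlier, comes down to reading audit logs on a schedule and asking a few concrete questions of each access. The Python script below is an added example, not code from this page or from any EHR vendor. It assumes a hypothetical comma-separated audit log (timestamp, user, patient MRN, action) and hypothetical workforce and encounter tables, all constructed inline so it runs offline. It flags the four patterns the settlements above turn on: access by an account that should have been terminated, staff opening their own chart, access to a patient with no treatment, payment, or operations relationship to the user's department, and bulk browsing of many distinct patients in a short window.

```python
"""Workforce-snooping detection over EHR access audit logs. Added example with a
hypothetical log format and hypothetical roster/encounter tables; all data is constructed."""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
from datetime import date, datetime, timedelta

# Payment/operations departments may touch any patient with an active encounter
# (minimum necessary still applies, but no care-team link is needed).
OPERATIONS_DEPTS = {"BILLING", "HIM"}

# Hypothetical roster: department, the user's own MRN if they are also a patient,
# and the date their access should have been cut off (None if still employed).
WORKFORCE = {
    "jsmith": {"dept": "ED", "own_mrn": None, "terminated": None},
    "rlee": {"dept": "ED", "own_mrn": "MRN2000", "terminated": None},
    "tgarcia": {"dept": "BILLING", "own_mrn": None, "terminated": "2026-02-28"},
    "kpatel": {"dept": "ONCOLOGY", "own_mrn": None, "terminated": None},
}

# Hypothetical active encounters: patient MRN -> departments currently treating them.
ENCOUNTERS = {
    "MRN1001": {"ED"}, "MRN1002": {"ED"}, "MRN1003": {"ED", "ONCOLOGY"}, "MRN1004": {"ED"},
    "MRN1005": {"ED"}, "MRN1009": {"ONCOLOGY"}, "MRN2000": {"ONCOLOGY"},
    "MRN3001": {"ONCOLOGY"}, "MRN3002": {"ONCOLOGY"}, "MRN3003": {"ONCOLOGY"},
}

# Constructed audit log: timestamp,user,patient_mrn,action (one access per line)
SAMPLE_LOG = """\
2026-03-02T08:01:10,jsmith,MRN1001,view_chart
2026-03-02T08:05:42,jsmith,MRN1002,view_chart
2026-03-02T08:07:03,jsmith,MRN1009,view_chart
2026-03-02T12:14:55,rlee,MRN1003,view_chart
2026-03-02T12:15:30,rlee,MRN2000,view_chart
2026-03-02T13:00:00,tgarcia,MRN1004,view_chart
2026-03-02T13:00:10,tgarcia,MRN1005,view_chart
2026-03-02T14:00:00,kpatel,MRN1003,view_chart
2026-03-02T14:00:30,kpatel,MRN1009,view_chart
2026-03-02T14:01:00,kpatel,MRN2000,view_chart
2026-03-02T14:01:30,kpatel,MRN3001,view_chart
2026-03-02T14:02:00,kpatel,MRN3002,view_chart
2026-03-02T14:02:30,kpatel,MRN3003,view_chart
"""

BULK_WINDOW = timedelta(minutes=10)
BULK_THRESHOLD = 5  # more distinct patients than this inside one window is flagged


@dataclass(frozen=True)
class Finding:
    rule: str
    user: str
    mrn: str
    when: datetime


def parse_log(text):
    """Parse CSV audit lines into (time, user, mrn, action), oldest first."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, mrn, action = line.split(",")
            events.append((datetime.fromisoformat(ts), user, mrn, action))
    return sorted(events)  # chronological order is required by the sliding window


def detect(events, workforce, encounters):
    """Return one Finding per rule hit; a single access can trigger more than one rule."""
    findings = []
    recent = defaultdict(deque)  # user -> (time, mrn) pairs inside the trailing window
    for when, user, mrn, _action in events:
        person = workforce.get(user)
        if person is None:  # account with no roster entry at all
            findings.append(Finding("UNKNOWN_ACCOUNT", user, mrn, when))
            continue
        # 1. Credentials still working after separation (the Memorial Healthcare pattern).
        if person["terminated"] and when.date() > date.fromisoformat(person["terminated"]):
            findings.append(Finding("TERMINATED_ACCOUNT", user, mrn, when))
        # 2. Staff opening their own chart through the clinical system.
        if person["own_mrn"] == mrn:
            findings.append(Finding("SELF_ACCESS", user, mrn, when))
        # 3. No treatment relationship, and not a payment/operations role with an active encounter.
        depts = encounters.get(mrn, set())
        if person["dept"] not in depts and not (person["dept"] in OPERATIONS_DEPTS and depts):
            findings.append(Finding("NO_RELATIONSHIP", user, mrn, when))
        # 4. Many distinct patients in a short window: bulk browsing or an export in progress.
        window = recent[user]
        window.append((when, mrn))
        while when - window[0][0] > BULK_WINDOW:
            window.popleft()
        if len({m for _, m in window}) > BULK_THRESHOLD:
            findings.append(Finding("BULK_ACCESS", user, mrn, when))
    return findings


def summarize(findings):
    """Count findings per rule for the reviewer's daily report."""
    return dict(Counter(f.rule for f in findings))


def run():
    """Run the detector over the constructed log and return the findings list."""
    return detect(parse_log(SAMPLE_LOG), WORKFORCE, ENCOUNTERS)


if __name__ == "__main__":
    for f in run():
        print(f"{f.when.isoformat()}  {f.rule:<18} {f.user:<8} {f.mrn}")
```

Run as-is, it reports six findings from the constructed log: one ED user opening an oncology patient's chart, one user opening their own record (which also fails the relationship check), two accesses by the terminated billing account, and one oncology clinician tripping the bulk threshold, which is a lead for a reviewer rather than a conclusion. In production the roster and encounter tables come from your HR and ADT feeds, the relationship check is the hard part (covering teams, consults and break-the-glass emergency access need their own exceptions), and every flag goes to a human. The point OCR made in Memorial Healthcare is not that you must catch every case, but that someone must actually be looking at these logs on a schedule.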
Encrypt Portable Devices and Data in Transit
Full-disk encryption on laptops and mobile devices is a baseline safeguard. Encryption of ePHI transmitted over open networks is required unless you document why it is not reasonable and appropriate and implement an equivalent alternative. The investment is minimal. The risk reduction is significant. Lost or stolen data that was encrypted consistent with HHS's guidance on securing PHI (which points to NIST SP 800-111 for data at rest and NIST's transport-layer guidance for data in transit) is not "unsecured PHI", so in most portable device theft scenarios this single control removes the breach notification obligation. That holds only if the key was not compromised along with the device: a laptop with the recovery key on a sticky note in the bag, or a device taken while powered on and unlocked, does not get the benefit.
Have a Breach Response Plan
When a breach occurs, you need to respond quickly and correctly. Your breach response plan should identify who is responsible for each step, what constitutes a reportable breach, the 60-day notification timeline for large breaches, the patient notification requirements, and the annual small breach reporting process. Practice the plan before you need it. Our breach response guide covers the full process.
Understand Your Compliance Costs
HIPAA compliance has real costs - staff time, training systems, audit tools, consultant fees, and more. But the cost of non-compliance is higher. Our guide to HIPAA compliance cost breakdown helps you budget accurately and understand where investment is most effective. If you are not sure where your program stands today, a HIPAA gap analysis is the fastest way to find out what you are missing.
Frequently Asked Questions
What is the minimum HIPAA penalty?
The minimum civil monetary penalty under HIPAA depends on the tier. For Tier 1 (Did Not Know), the minimum is $141 per violation. For Tier 2 (Reasonable Cause), it is $1,424. For Tier 3 (Willful Neglect - Corrected), it is $14,232. For Tier 4 (Willful Neglect - Not Corrected), it is $71,162. These are the inflation-adjusted figures HHS published in 2024; check the current table at 45 CFR 102.3, since the amounts are adjusted periodically. Note that OCR has discretion to reduce penalties based on the nature and extent of the violation and the harm it caused.
Can an individual employee be personally penalized for HIPAA violations?
Yes. Criminal penalties under 42 U.S.C. § 1320d-6 apply to individuals who knowingly obtain or disclose PHI in violation of HIPAA. Employees who access records without authorization, sell patient data, or commit fraud using PHI have been criminally prosecuted. Employees can also face civil liability through state-law claims, and they can be disciplined or terminated by their employer. HIPAA is not just an organizational obligation - it applies to individuals acting on their own, outside the scope of their employment.
How long does OCR have to investigate a HIPAA complaint?
Under 45 CFR 160.414, OCR may not impose a civil monetary penalty unless it commences the action within six years of the date the violation occurred. Because a continuing violation such as a missing risk analysis is counted as a fresh violation for each day it persists, that six-year window can reach conduct that began long before a complaint was filed or a breach was discovered. Retaining compliance documentation for at least six years is essential - and HIPAA's own retention requirement for policies, procedures and required documentation (45 CFR 164.316(b)(2) and 164.530(j)) is also six years.
What happens if OCR investigates and finds no violation?
OCR closes the investigation and issues a closure letter. If OCR finds technical violations but determines that no further action is warranted - for example, the organization has already corrected the problem and implemented safeguards - it may close the case with a finding of violation but no civil monetary penalty. OCR also has discretion to reduce or waive penalties for violations that are promptly corrected or where the covered entity demonstrates good faith compliance efforts. Cooperation, transparency, and documented corrective action all work in your favor during an investigation.
Does HIPAA apply to small practices?
Yes. HIPAA applies to any covered entity - including solo and small medical, dental, and mental health practices - that transmits any health information in electronic form in connection with certain transactions, including claims, referrals, and eligibility inquiries. Most practices that bill insurance electronically are covered entities. Size does not create an exemption, though OCR does have discretion in how it applies penalties and may consider organizational resources in determining penalty amounts. Our violations prevention guide covers the most important steps for small practices. For a comprehensive starting point, review our HIPAA compliance checklist and our a-la-carte compliance tools designed for practices at every size.
Conclusion
HIPAA violations carry real consequences - six- and seven-figure settlements, criminal prosecution for individuals, and the operational disruption of a federal investigation. The organizations that face the most serious enforcement outcomes share a common characteristic: they did not have the foundational compliance elements in place when something went wrong. No risk assessment. No documented policies. No BAAs. No training records. When OCR looked, there was nothing to show.
The flip side is equally clear. Organizations that invest in their compliance programs - that conduct regular risk assessments, train their workforces properly, maintain their documentation, and execute their vendor agreements - are in a substantially better position both to prevent violations and to defend themselves when incidents occur. Compliance is not a guarantee against incidents. It is the difference between an incident that is manageable and one that becomes an enforcement action.
If you do not know where your program stands today, start with a gap analysis. If you know you have gaps but are not sure how to prioritize, our compliance tools are designed to help practices at every stage build a defensible program without building a compliance department from scratch. Visit our HIPAA gap analysis page to see where you stand, or review our a-la-carte options to address specific needs. The cost of getting compliant is a fraction of the cost of getting caught.