Key Takeaways
- HIPAA violation penalties range from $141 to $2,134,831 per violation in 2026, with annual maximums up to $2,134,831 per violation category. Criminal penalties can include up to 10 years in prison.
- The Office for Civil Rights (OCR) enforced over $4.2 million in HIPAA penalties in 2024 alone, and enforcement has intensified every year since 2019.
- The most common violations that trigger penalties are failure to conduct a risk assessment, lack of encryption, insufficient access controls, and delayed breach notification.
- Small and mid-size healthcare organizations are not exempt. OCR has penalized solo practitioners, small clinics, and business associates — not just large hospital systems.
- Software vendors, IT companies, cloud providers, and any entity handling PHI are liable as business associates under HIPAA. If you build or manage healthcare software, these penalties apply to you.
1. HIPAA Penalty Structure Explained
HIPAA penalties fall into two categories: civil monetary penalties (CMPs) enforced by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), and criminal penalties enforced by the Department of Justice (DOJ).
Civil penalties are far more common. They are issued for violations of the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule. These penalties apply to covered entities (healthcare providers, health plans, healthcare clearinghouses) and business associates (any vendor, contractor, or subcontractor that handles Protected Health Information on behalf of a covered entity).
Criminal penalties are reserved for cases involving willful neglect, theft of PHI, or deliberate misuse of patient data. These are less common but carry severe consequences including prison time.
The penalty amounts are adjusted annually for inflation by HHS. The figures in this guide reflect the 2026 adjusted amounts.
2. 2026 Adjusted Penalty Amounts
HHS adjusts HIPAA civil monetary penalties annually based on the Federal Civil Penalties Inflation Adjustment Act. Here are the current 2026 penalty ranges:
| Penalty Tier | Per Violation | Annual Maximum Per Violation Category |
|---|---|---|
| Tier 1: Did Not Know | $141 – $71,162 | $2,134,831 |
| Tier 2: Reasonable Cause | $1,424 – $71,162 | $2,134,831 |
| Tier 3: Willful Neglect (Corrected) | $14,232 – $71,162 | $2,134,831 |
| Tier 4: Willful Neglect (Not Corrected) | $71,162 – $2,134,831 | $2,134,831 |
Important: These are per-violation amounts. A single data breach affecting 10,000 patients could be treated as 10,000 individual violations. A systemic compliance failure (like never conducting a risk assessment) can be treated as a separate violation for every day it persisted. This is how penalties reach millions of dollars.
3. The Four Tiers of HIPAA Civil Penalties
Tier 1: Did Not Know
The covered entity or business associate did not know about the violation and could not have known even with reasonable diligence.
Penalty range: $141 – $71,162 per violation
Example: A healthcare provider’s EHR vendor had a previously unknown software vulnerability that exposed PHI. The provider had conducted regular risk assessments, had proper security controls in place, and had no way to detect the vulnerability before it was exploited.
Reality check: This tier is rarely applied. OCR typically finds that organizations should have known about their vulnerabilities through proper risk assessments and security monitoring. Claiming ignorance is difficult when you never conducted a risk assessment in the first place.
Tier 2: Reasonable Cause
The violation was due to reasonable cause and not willful neglect. The organization knew or should have known about the issue but the failure was not due to intentional disregard.
Penalty range: $1,424 – $71,162 per violation
Example: A clinic conducted a risk assessment two years ago but failed to update it after migrating to a new cloud-based EHR system. The migration introduced new security gaps that led to a breach. The clinic was not intentionally negligent but failed to reassess risk after a significant change.
Tier 3: Willful Neglect — Corrected Within 30 Days
The violation resulted from willful neglect of HIPAA requirements, but the organization corrected the violation within 30 days of discovery.
Penalty range: $14,232 – $71,162 per violation
Example: An organization knew its patient portal lacked encryption but delayed implementing it due to budget constraints. After a breach occurred, they encrypted the portal within 30 days. The knowledge of the gap combined with failure to act constitutes willful neglect, but the timely correction reduces the penalty tier.
Tier 4: Willful Neglect — Not Corrected
The violation resulted from willful neglect and was not corrected within 30 days. This is the most severe tier.
Penalty range: $71,162 – $2,134,831 per violation
Example: An organization was notified by OCR of HIPAA compliance deficiencies during an investigation and failed to implement the required corrective actions within the specified timeframe. Another example is an organization that knowingly operated for years without a risk assessment, without encryption, and without access controls despite being aware of HIPAA requirements.
This tier is where multi-million dollar penalties originate.
4. HIPAA Criminal Penalties
Criminal penalties are enforced by the Department of Justice and apply to individuals, not just organizations. Any person who knowingly obtains or discloses PHI in violation of HIPAA can face criminal charges.
| Offense Level | Maximum Fine | Maximum Prison Sentence |
|---|---|---|
| Knowingly obtaining/disclosing PHI | $50,000 | 1 year |
| Obtaining PHI under false pretenses | $100,000 | 5 years |
| Obtaining PHI for personal gain, malicious intent, or commercial advantage | $250,000 | 10 years |
Who can be criminally charged:
- Healthcare employees who access patient records without authorization (snooping)
- Individuals who steal patient data for identity theft or fraud
- Employees who sell PHI to third parties
- Anyone who obtains PHI through deception or social engineering
Criminal HIPAA cases are less common than civil penalties but they do happen. Notable cases have involved hospital employees accessing celebrity medical records, clinic staff stealing patient data for identity fraud, and insiders selling PHI to personal injury attorneys.
5. Who Enforces HIPAA and How Investigations Start
Office for Civil Rights (OCR)
OCR is the primary HIPAA enforcement agency within HHS. They investigate complaints, conduct compliance reviews, and issue civil monetary penalties.
How OCR investigations begin:
Breach reports. Any breach of unsecured PHI affecting 500 or more individuals must be reported to OCR within 60 days of discovery. Breaches affecting fewer than 500 individuals must be reported annually. Every breach report is reviewed by OCR and may trigger an investigation.
Complaints. Anyone — patients, employees, former employees, business partners — can file a HIPAA complaint with OCR. Complaints are reviewed and prioritized based on severity and the organization’s compliance history.
Compliance reviews. OCR conducts proactive audits and compliance reviews independent of complaints or breaches. These can be random or targeted based on industry trends and risk factors.
Media reports. High-profile breaches covered in the media often trigger OCR investigations even before formal breach reports are filed.
Investigation Process
- OCR receives a complaint or breach notification
- OCR reviews and determines if an investigation is warranted
- OCR notifies the organization and requests documentation
- The organization must provide policies, procedures, risk assessments, training records, and technical documentation
- OCR reviews the documentation and may conduct on-site visits
- OCR determines if violations occurred and which penalty tier applies
- OCR may offer a resolution agreement (settlement) or proceed to formal penalty
Most cases are resolved through resolution agreements that include a monetary settlement and a corrective action plan (CAP) that the organization must follow for 1–3 years under OCR monitoring.
6. Most Common Violations That Trigger Penalties
Based on OCR enforcement actions from 2020–2025, these are the violations most frequently cited in penalty cases:
Failure to Conduct a Risk Assessment
This is the single most cited violation in OCR enforcement actions. HIPAA requires covered entities and business associates to conduct a thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.
A risk assessment is not a one-time checkbox. It must be updated whenever there are significant changes to your environment (new systems, new vendors, new processes) and reviewed at least annually.
What OCR looks for: A documented, comprehensive risk assessment that identifies all systems containing ePHI, evaluates threats and vulnerabilities, assesses current security controls, and determines the likelihood and impact of potential risks.
Lack of Encryption
Encryption is an “addressable” requirement under the HIPAA Security Rule, which means you must implement it unless you can document why an equivalent alternative is appropriate. In practice, there is almost never a valid reason not to encrypt ePHI.
What triggers penalties: Unencrypted laptops, mobile devices, or portable media that are lost or stolen. Unencrypted data transmission (email, file transfers, API calls without TLS). Unencrypted database storage.
Insufficient Access Controls
HIPAA requires that access to ePHI be limited to the minimum necessary for each user’s job function. This means role-based access controls, unique user IDs, automatic session timeout, and emergency access procedures.
What triggers penalties: Shared login credentials, excessive access privileges, no automatic logoff, failure to terminate access for former employees, and lack of audit logs showing who accessed what.
Failure to Have a BAA
Every business associate relationship must be governed by a Business Associate Agreement (BAA) that specifies how the business associate will protect PHI. Operating without a BAA is a violation for both the covered entity and the business associate.
What triggers penalties: Using a cloud provider, IT vendor, billing company, or software developer that handles PHI without a signed BAA. This is one of the easiest violations for OCR to identify and penalize.
Delayed Breach Notification
HIPAA requires notification to affected individuals within 60 days of discovering a breach. Breaches affecting 500+ individuals must also be reported to OCR and prominent media outlets within 60 days.
What triggers penalties: Discovering a breach and waiting months to notify affected individuals. Failing to notify OCR within the required timeframe. Inadequate breach notification content (the notification must include specific information about the breach, the types of PHI involved, and steps individuals can take to protect themselves).
Lack of Audit Controls
HIPAA requires mechanisms to record and examine activity in systems that contain or use ePHI. This includes access logs, authentication logs, and security event logs.
What triggers penalties: No audit logging implemented, audit logs not reviewed regularly, audit logs that can be modified or deleted, and insufficient log retention (HIPAA requires six-year retention of security documentation).
7. Recent HIPAA Enforcement Actions and Settlements
These real enforcement actions illustrate how OCR applies penalties:
Large Health System Settlements
Major health systems have paid settlements ranging from $1 million to $16 million for violations including lack of risk assessment, insufficient encryption, unauthorized access to patient records, and delayed breach notification. The largest HIPAA settlement to date was $16 million against a major health insurance company for a breach affecting 78.8 million individuals.
Small Practice Penalties
OCR does not only target large organizations. Penalties against small practices have included settlements in the $100,000–$500,000 range for failures such as not having a risk assessment, not encrypting portable devices, and improperly disposing of patient records. A solo dental practice was fined over $10,000 for failing to provide a patient with their medical records within the required timeframe.
Business Associate Penalties
Business associates — including IT companies, cloud providers, billing services, and software vendors — have faced penalties for breaches caused by insufficient security controls, failure to have their own HIPAA compliance programs, and operating without proper BAAs.
This is directly relevant to healthcare software development companies. If you build, host, or maintain software that touches PHI, you are a business associate and these penalties apply to you.
Right of Access Penalties
Since 2019, OCR has aggressively enforced patients’ right to access their medical records under the HIPAA Privacy Rule. Over 45 enforcement actions have been taken against providers who failed to provide patients with their records within the required 30-day timeframe. Penalties have ranged from $3,500 to $240,000.
8. State Attorney General HIPAA Enforcement
The HITECH Act gave state attorneys general the authority to bring civil actions for HIPAA violations on behalf of state residents. This creates a second layer of enforcement beyond OCR.
Why this matters: State attorneys general can pursue HIPAA cases independently of OCR. An organization can face penalties from both OCR and one or more state attorneys general for the same breach. State AG offices have been increasingly active in HIPAA enforcement, particularly for breaches affecting large numbers of state residents.
Notable state enforcement trends:
- Multiple states have pursued joint actions against organizations for breaches affecting residents across state lines
- State penalties have ranged from $100,000 to $74 million (combined with state consumer protection law violations)
- State AGs often pursue cases that OCR does not, particularly those involving state consumer protection and data breach notification law violations in addition to HIPAA
State-specific breach notification laws add additional penalty exposure. Most states have their own breach notification requirements that may be stricter than HIPAA’s. Failure to comply with state laws creates separate penalty liability on top of HIPAA penalties.
9. Business Associate Liability
If your organization handles PHI on behalf of a covered entity — as a software developer, cloud hosting provider, IT managed service provider, billing company, or any other service provider — you are a business associate under HIPAA.
What Business Associates Are Required to Do
- Sign a BAA with every covered entity you serve
- Conduct your own HIPAA risk assessment
- Implement administrative, physical, and technical safeguards for ePHI
- Report breaches to the covered entity without unreasonable delay (typically within 60 days, though many BAAs require shorter timeframes)
- Train your workforce on HIPAA requirements
- Maintain HIPAA documentation for at least six years
- Extend HIPAA requirements to your subcontractors through subcontractor BAAs
Business Associate Penalty Exposure
Business associates face the same civil and criminal penalties as covered entities. There is no reduced penalty tier for business associates. If your software product causes a breach due to insufficient security controls, your organization can be penalized directly by OCR.
Additionally, the covered entity you serve may pursue contractual damages against you under the BAA. Many BAAs include indemnification clauses that make the business associate financially responsible for breach-related costs including notification, credit monitoring, legal fees, and regulatory penalties.
For software development companies, this means HIPAA compliance is not just about your clients’ obligations — it is about your own legal and financial exposure.
10. How Penalties Are Calculated
OCR considers multiple factors when determining the penalty amount within a given tier:
Nature and extent of the violation. How severe was the violation? How many individuals were affected? Was PHI actually accessed or misused, or was it potentially exposed without confirmed access?
Nature and extent of the harm. Did the breach result in identity theft, financial harm, or reputational damage to affected individuals? Was there physical harm (in cases involving substance abuse, mental health, or HIV/AIDS records)?
Organization’s compliance history. Has the organization been investigated or penalized before? Does the organization have a documented compliance program? How cooperative was the organization during the investigation?
Financial condition of the organization. OCR can consider an organization’s ability to pay when setting penalty amounts. Small organizations may receive lower penalties than large health systems for similar violations, but they are not exempt.
Willfulness of the violation. Was the violation an honest mistake, a result of negligence, or intentional? Organizations that knowingly disregarded HIPAA requirements face the highest penalties.
Cooperation with OCR. Organizations that cooperate fully with investigations, implement corrective actions promptly, and demonstrate good faith efforts to comply typically receive lower penalties than those that resist or delay.
Corrective actions taken. What steps did the organization take after discovering the violation? Prompt breach notification, immediate security remediation, and proactive implementation of additional safeguards can reduce penalty amounts.
11. How to Protect Your Organization
Conduct and Maintain a Risk Assessment
This is the single most important compliance activity. A current, comprehensive risk assessment demonstrates to OCR that your organization takes HIPAA seriously and is actively managing risk.
Your risk assessment must cover all systems, applications, and processes that create, receive, maintain, or transmit ePHI. It must identify threats and vulnerabilities, evaluate current security controls, determine the likelihood and impact of potential risks, and document risk mitigation plans.
Update your risk assessment at least annually and whenever there are significant changes to your environment — new software systems, new vendors, office relocations, cloud migrations, or organizational changes.
Implement Encryption Everywhere
Encrypt ePHI at rest (in databases, file storage, backups) and in transit (all network communications, email, API calls, file transfers). Use AES-256 for data at rest and TLS 1.2 or higher for data in transit.
Encryption is the single most effective technical safeguard against breach penalties. Under the HIPAA Breach Notification Rule, if breached data was encrypted in accordance with NIST standards, it is not considered “unsecured PHI” and breach notification is not required. Encryption essentially converts a reportable breach into a non-reportable security incident.
Enforce Access Controls
Implement role-based access controls that limit each user’s access to the minimum PHI necessary for their job function. Require unique user IDs, strong passwords, and multi-factor authentication. Implement automatic session timeout. Disable access immediately when employees leave the organization.
Maintain Audit Logs
Log all access to systems containing ePHI. Include who accessed what, when, from where, and what actions they took. Review logs regularly for unauthorized access patterns. Retain logs for at least six years. Use immutable logging that prevents log tampering.
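One way to meet the who/what/when/from-where and tamper-resistance points above, as an added illustration that is not code from the original article: each ePHI access record is hash-chained to the previous one so any edit or deletion is detectable, and a review pass flags actions outside the user's role. The role permissions, users and log entries are constructed samples, and a real deployment would store the chain anchor and periodic chain hashes out of band (for example in write-once storage).

```python
"""Tamper-evident ePHI access log with a minimum-necessary review pass.

Added illustration, not code from the original article. Assumptions: the
role permissions, sample users and log entries below are constructed;
SHA-256 hash chaining makes tampering detectable, and the genesis anchor
would normally be kept out of band (e.g. write-once storage).
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed role -> permitted actions map (minimum necessary per role).
ROLE_PERMISSIONS = {
    "physician": {"view_chart", "update_chart", "view_labs"},
    "billing": {"view_billing", "update_billing"},
    "front_desk": {"view_demographics", "schedule"},
}

GENESIS = "0" * 64  # anchor for the first entry; store it out of band


def _entry_hash(prev_hash, record):
    """Hash of the previous hash plus a canonical JSON form of the record."""
    payload = prev_hash + json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


def append_entry(log, user, role, patient_id, action, source_ip, ts=None):
    """Append an access record answering who, what, when and from where."""
    record = {
        "ts": ts or datetime.now(timezone.utc).isoformat(),
        "user": user,
        "role": role,
        "patient_id": patient_id,
        "action": action,
        "source_ip": source_ip,
    }
    prev_hash = log[-1]["hash"] if log else GENESIS
    log.append({"record": record, "prev_hash": prev_hash,
                "hash": _entry_hash(prev_hash, record)})
    return log


def verify_chain(log):
    """Return (ok, index_of_first_bad_entry). Editing or deleting an entry
    breaks every later link, so tampering is detectable on review."""
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        if (entry["prev_hash"] != prev_hash
                or entry["hash"] != _entry_hash(prev_hash, entry["record"])):
            return False, i
        prev_hash = entry["hash"]
    return True, -1


def review_minimum_necessary(log):
    """Flag entries whose action is outside the user's role permissions,
    the kind of unauthorized access pattern a periodic log review looks for."""
    findings = []
    for entry in log:
        r = entry["record"]
        if r["action"] not in ROLE_PERMISSIONS.get(r["role"], set()):
            findings.append((r["user"], r["role"], r["action"], r["patient_id"]))
    return findings


def build_sample_log():
    """Constructed sample activity; one entry deliberately exceeds its role."""
    log = []
    append_entry(log, "dr.lee", "physician", "P-1001", "view_chart", "10.0.0.5", "2026-01-05T09:00:00Z")
    append_entry(log, "jdoe", "billing", "P-1001", "view_billing", "10.0.0.9", "2026-01-05T09:01:00Z")
    append_entry(log, "jdoe", "billing", "P-2002", "view_chart", "10.0.0.9", "2026-01-05T09:02:00Z")
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    print("chain intact:", verify_chain(sample))
    print("out-of-role access:", review_minimum_necessary(sample))
    sample[1]["record"]["patient_id"] = "P-9999"  # simulate after-the-fact tampering
    print("after edit:", verify_chain(sample))
```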
Execute BAAs with All Vendors
Identify every vendor, contractor, and subcontractor that accesses PHI on your behalf. Execute a BAA with each one before they access any PHI. Review and update BAAs periodically. Verify that your business associates have their own HIPAA compliance programs.
Train Your Workforce
HIPAA requires training for all workforce members who handle PHI. Training must cover HIPAA privacy and security requirements, your organization’s specific policies and procedures, how to identify and report security incidents, and the consequences of HIPAA violations.
Document all training with dates, attendees, and content covered. Conduct refresher training at least annually and whenever there are significant policy changes.
Prepare a Breach Response Plan
Have a documented breach response plan before you need it. The plan should include how to identify and contain a breach, how to assess the scope and severity, notification procedures and timelines, roles and responsibilities for the response team, communication templates for affected individuals, and OCR reporting procedures.
Test your breach response plan at least annually through tabletop exercises.
12. HIPAA Risk Assessment Requirements
Because failure to conduct a risk assessment is the most commonly cited violation in OCR enforcement actions, this topic deserves detailed attention.
What HIPAA Requires
The HIPAA Security Rule (45 CFR § 164.308(a)(1)(ii)(A)) requires covered entities and business associates to “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.”
What a Compliant Risk Assessment Includes
Asset inventory: Identify all systems, applications, devices, and locations where ePHI is created, received, maintained, or transmitted. This includes EHR systems, patient portals, mobile devices, email systems, cloud services, backup systems, and paper records.
Threat identification: Identify potential threats to each asset. Threats include natural threats (fire, flood, power outage), human threats (hackers, malicious insiders, accidental disclosure), and environmental threats (hardware failure, software bugs, network outages).
Vulnerability assessment: Identify weaknesses that could be exploited by threats. This includes technical vulnerabilities (unpatched software, weak encryption, misconfigured firewalls), administrative vulnerabilities (lack of policies, insufficient training, no incident response plan), and physical vulnerabilities (unsecured server rooms, unattended workstations, improper disposal).
Current controls evaluation: Document the security controls currently in place for each asset. Evaluate whether existing controls adequately address identified threats and vulnerabilities.
Likelihood determination: Assess the probability that each identified threat will exploit a vulnerability, considering current controls. Use a consistent rating scale (high, medium, low).
Impact analysis: Assess the potential impact if a threat successfully exploits a vulnerability. Consider impact to confidentiality, integrity, and availability of ePHI, as well as financial, reputational, and legal consequences.
Risk level determination: Combine likelihood and impact ratings to determine the overall risk level for each threat-vulnerability pair.
Risk mitigation plan: For each identified risk, document the planned action: mitigate (implement additional controls), accept (document the rationale for accepting the risk), transfer (obtain cyber insurance), or avoid (eliminate the activity creating the risk).
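The likelihood and impact steps above carried through on a small risk register, as an added example that is not code from the original article: each threat-vulnerability pair is scored on the three-point scale, ranked, and then checked for the documentation gaps the next section warns about (no disposition, acceptance without rationale, mitigation without a planned action). The numeric mapping, score thresholds and register entries are constructed assumptions; the Security Rule mandates the assessment, not any particular scale.

```python
"""Likelihood x impact scoring for a HIPAA-style risk register.

Added illustration, not code from the original article. Assumptions: the
high/medium/low to 1..3 mapping, the level thresholds and the sample
threat-vulnerability pairs are constructed choices.
"""
from dataclasses import dataclass

RATING = {"low": 1, "medium": 2, "high": 3}
DISPOSITIONS = {"mitigate", "accept", "transfer", "avoid"}


@dataclass
class Risk:
    asset: str                # where ePHI lives (from the asset inventory)
    threat: str
    vulnerability: str
    current_controls: str
    likelihood: str           # rated with current controls in place
    impact: str               # worst case across confidentiality/integrity/availability
    disposition: str = ""     # mitigate / accept / transfer / avoid
    rationale: str = ""       # required when accepting a risk
    planned_action: str = ""  # required when mitigating


def risk_score(likelihood, impact):
    """Product of the two ratings, 1..9."""
    return RATING[likelihood] * RATING[impact]


def risk_level(score):
    """Map the 1..9 product back onto the three-point scale (constructed thresholds)."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def assess(register):
    """Return (level, score, risk) tuples, highest risk first."""
    scored = [(risk_level(risk_score(r.likelihood, r.impact)),
               risk_score(r.likelihood, r.impact), r) for r in register]
    scored.sort(key=lambda x: x[1], reverse=True)
    return scored


def documentation_gaps(register):
    """Flag entries that would read as undocumented: no disposition, an
    acceptance without rationale, or a mitigation without a planned action."""
    gaps = []
    for r in register:
        label = f"{r.asset}: {r.threat} / {r.vulnerability}"
        if r.disposition not in DISPOSITIONS:
            gaps.append(f"{label} has no documented disposition")
        elif r.disposition == "accept" and not r.rationale.strip():
            gaps.append(f"{label} is accepted without a rationale")
        elif r.disposition == "mitigate" and not r.planned_action.strip():
            gaps.append(f"{label} is marked mitigate with no planned action")
    return gaps


def sample_register():
    """Constructed entries matching the vulnerability classes in the text."""
    return [
        Risk("field laptops", "theft or loss", "no full-disk encryption",
             "cable locks only", "medium", "high",
             "mitigate", planned_action="deploy FDE; verify via MDM report"),
        Risk("patient portal", "credential stuffing", "no MFA, no lockout",
             "password complexity policy", "high", "high"),
        Risk("paper records", "fire", "single storage site",
             "sprinklers, offsite scans", "low", "medium",
             "accept", rationale="scans restore availability within 24h"),
        Risk("backup tapes", "improper disposal", "no destruction procedure",
             "none", "medium", "medium", "accept"),
    ]


if __name__ == "__main__":
    for level, score, r in assess(sample_register()):
        print(f"{level:6} {score} {r.asset}: {r.threat}")
    for gap in documentation_gaps(sample_register()):
        print("GAP:", gap)
```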
Common Risk Assessment Mistakes
Using a generic template without customization. A risk assessment must be specific to your organization, your systems, and your workflows. Generic checklists are not sufficient.
Conducting the assessment once and never updating it. HIPAA requires ongoing risk management. Your assessment must be updated when your environment changes and reviewed at minimum annually.
Limiting scope to technical systems only. Risk assessments must cover administrative and physical safeguards as well, including policies, training, physical security, and workforce management.
Not documenting the assessment. If it is not documented, it did not happen as far as OCR is concerned. The risk assessment, findings, and remediation plans must be in writing and retained for six years.
If you need help building HIPAA-compliant software systems with proper risk assessment integration, working with an experienced healthcare IT team is critical.
Next Steps
HIPAA penalties are not theoretical — they are real, growing, and increasingly enforced against organizations of all sizes. The cost of compliance is always lower than the cost of a violation.
The most effective protection is a proactive compliance program built on a thorough risk assessment, proper technical safeguards, documented policies and procedures, and ongoing workforce training.
If your organization is building or maintaining healthcare software and needs to ensure HIPAA compliance is built into your systems from the ground up, talk to our healthcare compliance team or explore our HIPAA-compliant development services.
Taction Software is a US-based healthcare IT company specializing in HIPAA-compliant software development, EHR integration, and Mirth Connect consulting. Contact us to discuss your healthcare compliance requirements.
Frequently Asked Questions
The maximum civil penalty is $2,134,831 per violation category per year (2026 adjusted amount). However, a single breach can involve multiple violation categories (privacy, security, breach notification), and each category can be penalized separately. Combined with state attorney general actions, total penalties for a single breach can exceed $10 million.
Individual employees cannot receive civil monetary penalties from OCR — those are assessed against the organization. However, individuals can face criminal penalties from the DOJ including fines up to $250,000 and up to 10 years in prison for knowingly violating HIPAA.
No. HIPAA applies to all covered entities and business associates regardless of size. OCR has penalized solo practitioners, small clinics, and individual providers. The penalty amount may be adjusted based on the organization’s financial condition, but there is no exemption.
The most common triggers are breach reports (mandatory for breaches of unsecured PHI), patient complaints filed with OCR, employee or whistleblower complaints, media coverage of a potential breach, and proactive OCR compliance audits.
OCR investigations typically take 1–3 years from initial notification to resolution. Complex cases can take longer. During the investigation, the organization must provide documentation, respond to inquiries, and potentially implement corrective actions.
Some cyber insurance policies cover regulatory fines and penalties, but coverage varies significantly by policy and jurisdiction. Some states prohibit insurance coverage for regulatory penalties. Review your policy carefully and consult with your insurance broker and legal counsel.
Most HIPAA enforcement actions are resolved through resolution agreements (settlements) rather than formal penalties. A settlement typically includes a monetary payment and a corrective action plan (CAP) that the organization must follow for 1–3 years. Settlements are generally lower than the maximum penalty amounts and allow the organization to resolve the matter without admitting liability.
Yes, if the software company handles PHI. Software developers, cloud hosting providers, IT service providers, and any other entity that creates, receives, maintains, or transmits PHI on behalf of a covered entity is a business associate under HIPAA. Business associates face the same penalties as covered entities. See our guide on choosing a healthcare software development company for more on evaluating HIPAA compliance capabilities.