What are the Penalties for Non-Compliance with HIPAA?

Penalties for non-compliance with HIPAA include civil money penalties and corrective action requirements imposed by the HHS Office for Civil Rights (OCR), breach notification obligations under the HIPAA Breach Notification Rule when unsecured protected health information is compromised, and criminal penalties for individuals who knowingly obtain or disclose protected health information in violation of federal law. Enforcement outcomes can also include multi-year monitoring, required policy and control changes, and settlement payments made through resolution agreements.

Civil money penalties are determined under a four-tier structure based on culpability: tier 1 applies where the entity did not know, and by exercising reasonable diligence would not have known, of the violation; tier 2 where the violation was due to reasonable cause and not willful neglect; tier 3 where it was due to willful neglect but corrected within 30 days; and tier 4 where it was due to willful neglect and not corrected. For penalties assessed on or after January 28, 2026, the per-violation ranges used in federal penalty updates are $145 to $73,011 for tier 1, $1,461 to $73,011 for tier 2, $14,602 to $73,011 for tier 3, and $73,011 to $2,190,294 for tier 4. Annual limits also apply per requirement or prohibition violated, and the inflation-adjusted annual cap for violations of an identical provision is $2,190,294. HHS has also exercised enforcement discretion, based on its reading of the statutory language, to apply lower annual caps in the first three tiers in certain cases.

Non-monetary consequences are common in OCR enforcement actions. Corrective action plans can require a documented risk analysis and risk management program, revised HIPAA Security Rule and HIPAA Privacy Rule policies and procedures, workforce HIPAA training, access control and audit control enhancements, vendor and business associate governance actions, and periodic reporting to HHS over a defined monitoring period. Separately from any penalty, organizations incur costs for incident response, forensic work, patient notification and communications, system remediation, and contractual disputes with vendors.

Criminal penalties are prosecuted by the Department of Justice rather than by OCR, and are most often brought against individuals, such as workforce members who knowingly obtain or disclose protected health information in violation of the law. Penalties increase when protected health information is obtained or disclosed under false pretenses, and increase again when it is obtained or disclosed with intent to sell, transfer, or use it for commercial advantage, personal gain, or malicious harm; the statutory maximums are up to $50,000 and one year of imprisonment, up to $100,000 and five years, and up to $250,000 and ten years, respectively. State attorneys general can also bring civil actions on behalf of residents of their states under authority granted by the HITECH Act, and professional licensing sanctions, employment actions, and contractual remedies may follow when workforce members or vendors violate organizational policies or business associate obligations.

About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years' experience writing about healthcare sector issues, with a focus on compliance and cybersecurity, and has developed in-depth knowledge of HIPAA regulations. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA