Civil penalties for HIPAA violations are civil monetary penalties assessed by the HHS Office for Civil Rights against HIPAA Covered Entities and Business Associates for violations of HIPAA administrative simplification provisions, with penalty amounts set by regulation using a tiered structure based on culpability and subject to a calendar-year cap for violations of the same requirement or prohibition.
The civil monetary penalty tiers apply to violations occurring on or after February 18, 2009 and set a minimum and maximum amount per violation according to the organization's level of culpability: (1) the organization did not know, and by exercising reasonable diligence would not have known, of the violation; (2) the violation was due to reasonable cause and not willful neglect; (3) the violation was due to willful neglect but was corrected within the correction period (30 days from the date the organization knew, or by exercising reasonable diligence would have known, of the violation); or (4) the violation was due to willful neglect and was not corrected within that period. For penalties assessed on or after January 28, 2026 for violations occurring on or after November 2, 2015, the first three tiers share a per-violation maximum of $73,011, with per-violation minimums of $145, $1,461, and $14,602 respectively, and a calendar-year cap of $2,190,294 for violations of the same requirement or prohibition. For the fourth tier, willful neglect that is not corrected within the correction period, the per-violation minimum is $73,011 and the per-violation maximum is $2,190,294, with the same $2,190,294 calendar-year cap for violations of the same requirement or prohibition. The amounts are inflation-adjusted annually, so the figures in force depend on the date the penalty is assessed rather than the date of the violation.
For violations occurring before February 18, 2009, the pre-HITECH penalty structure applies: a single per-violation amount (originally $100) and a lower calendar-year cap (originally $25,000) for violations of an identical requirement or prohibition. Under the inflation adjustment in effect for penalties assessed on or after January 28, 2026, the per-violation amount for these earlier violations is $198 and the calendar-year cap is $49,848.
The HHS Office for Civil Rights considers case-specific factors when determining whether to impose a civil monetary penalty and, if so, the amount, including the nature and extent of the violation (such as the number of individuals affected and the duration of the violation), the nature and extent of the resulting harm, the organization's history of prior compliance, the organization's financial condition, and such other matters as justice may require. In practice many investigations are resolved through a resolution agreement and corrective action plan rather than a formal penalty; in either case the organization may be required to document remediation of its HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach Notification Rule compliance controls and to report on that remediation to HHS for a defined monitoring period.