HIPAA fines for non-compliance include civil monetary penalties assessed by the Department of Health and Human Services Office for Civil Rights using tiered, inflation-adjusted dollar ranges per violation, and criminal fines that can be imposed for knowing and wrongful conduct involving individually identifiable health information.
Civil monetary penalties are tiered by culpability and are assessed per violation of a requirement or prohibition. For conduct where the covered entity or business associate did not know and would not have known with reasonable diligence, the per-violation range is $145 to $73,011. For violations due to reasonable cause and not willful neglect, the per-violation range is $1,461 to $73,011. For willful neglect that is corrected within the required period, the per-violation range is $14,602 to $73,011. For willful neglect that is not corrected within the required period, the per-violation range is $73,011 to $2,190,294. The inflation-adjusted calendar-year cap for violations of an identical provision is $2,190,294.
The Office for Civil Rights has also applied an enforcement discretion approach that sets lower annual limits for tiers 1 through 3 while leaving the highest tier cap in place for willful neglect that is not corrected. Under that approach, the annual limit is $36,505.50 for the “did not know” tier, $146,053 for the reasonable cause tier, $365,052 for willful neglect that is corrected, and $2,190,294 for willful neglect that is not corrected. Financial exposure can also include settlement payments and required corrective action terms when matters are resolved through resolution agreements rather than a civil monetary penalty determination.
Criminal fines apply when a person knowingly and wrongfully obtains, uses, or discloses individually identifiable health information in violation of the statute. A basic offense can be punished by a fine up to $50,000, offenses under false pretenses can be punished by a fine up to $100,000, and offenses with intent to sell, transfer, or use the information for commercial advantage, personal gain, or malicious harm can be punished by a fine up to $250,000. These criminal fine amounts may be accompanied by imprisonment, and criminal cases are handled through the federal criminal process rather than the Office for Civil Rights civil penalty process.