2026 HIPAA Penalty Amounts — Updated Figures Every Compliance Officer Needs
TL;DR
HHS published updated HIPAA civil money penalty amounts in the Federal Register on January 28, 2026, adjusted for inflation using the 2025 multiplier of 1.02598. The 2026 penalty amounts range from $145 per violation at the lowest tier to $2,190,294 per violation at the highest tier. OCR continues to apply a 2019 enforcement discretion policy that lowers annual caps for Tiers 1 through 3.
HHS published updated HIPAA civil money penalty amounts effective January 2026. Here are the current figures for all four violation tiers and what they mean for your compliance program.
Every January, HHS publishes updated HIPAA civil money penalty amounts adjusted for inflation. The 2026 figures — published in the Federal Register on January 28, 2026 — are now in effect for all HIPAA enforcement actions. Here are the current numbers every compliance officer needs to know.
2026 HIPAA penalty amounts by tier
The penalty amounts are adjusted annually to account for cost-of-living increases. The latest update, published in the Federal Register on January 28, 2026, applies to all financial penalties imposed after November 2, 2015. The inflation multiplier for 2025 set by the Office of Management and Budget was 1.02598.
45 CFR §160.404
Tier 1 — Did not know
The covered entity or business associate did not know and would not have known of the violation through reasonable diligence.
- Per violation: $145 to $73,011
- Annual cap (OCR discretion): $36,506 per violation category
Tier 2 — Reasonable cause
The violation was due to reasonable cause — the organization knew or should have known of the potential for a violation.
- Per violation: $1,463 to $73,011
- Annual cap (OCR discretion): $146,053 per violation category
Tier 3 — Willful neglect, corrected
The violation was due to willful neglect but was corrected within 30 days of discovery.
- Per violation: $14,626 to $73,011
- Annual cap (OCR discretion): $365,052 per violation category
Tier 4 — Willful neglect, not corrected
The violation was due to willful neglect and was not corrected within 30 days.
- Per violation: $73,011
- Annual cap (statutory maximum): $2,190,294 per violation category
Note
The annual caps shown for Tiers 1–3 reflect OCR's 2019 enforcement discretion policy, which lowered these caps below the statutory maximum. OCR applies this discretion consistently, but it is not legally binding and could change. The Tier 4 cap of $2,190,294 reflects the statutory maximum and is not subject to discretionary reduction.
How OCR actually calculates penalties
Understanding the penalty structure requires understanding how OCR applies it in practice. Several factors shape the final penalty amount:
Multiple violations stack. Annual caps apply per violation category — not per incident. A single ransomware attack that reveals failures in risk analysis (Tier 3), breach notification timing (Tier 2), and access controls (Tier 3) creates three separate penalty tracks with three separate annual caps running simultaneously.
OCR prefers settlements. The vast majority of OCR enforcement actions resolve through resolution agreements rather than civil money penalties. Settlements typically result in lower payments than the maximum penalty amount in exchange for the entity agreeing to a corrective action plan. OCR continues active enforcement through investigations and compliance reviews.
Financial condition is considered. OCR is required to consider the financial condition of the covered entity or business associate when determining penalty amounts. Smaller organizations and those with demonstrated financial hardship typically receive lower penalties — though this does not eliminate penalties entirely.
Prompt self-reporting helps. Organizations that promptly self-report violations, cooperate fully with OCR's investigation, and demonstrate good-faith remediation efforts consistently receive more favorable treatment than those that delay, resist, or conceal violations.
Recognized security practices reduce penalties. Under HITECH Act provisions, organizations that can demonstrate adoption of recognized security practices — including the NIST Cybersecurity Framework and the HHS 405(d) practices — are eligible for reduced penalties and shortened audit periods.
The enforcement discretion question
OCR continues to apply a 2019 enforcement discretion that lowers annual caps for Tiers 1–3, while Tier 4's cap remains at $2,190,294. OCR may revise this approach in future rulemaking.
This is an important caveat. The reduced annual caps for Tiers 1 through 3 are the result of an administrative enforcement discretion policy — not a statutory change. OCR could revise or withdraw this policy at any time, potentially restoring higher annual caps without Congressional action. The statutory maximum annual caps — which the discretion currently holds in check — are significantly higher than the figures OCR currently applies.
OCR has been pushing Congress to increase the maximum penalties for HIPAA violations, as the total funds from OCR's enforcement actions decreased significantly when the new penalty structure was introduced.
Organizations should plan compliance programs against the current enforced figures while being aware that penalty levels could increase through future policy or legislative action.
Criminal penalties — a separate track
Civil money penalties are not the only financial risk. HIPAA violations involving knowing or intentional conduct can result in criminal prosecution through the Department of Justice. Criminal penalties include:
- Knowingly obtaining or disclosing PHI: up to 1 year of imprisonment and a $50,000 fine
- PHI obtained under false pretenses: up to 5 years of imprisonment and a $100,000 fine
- PHI obtained with intent to sell or use for personal gain: up to 10 years of imprisonment and a $250,000 fine
Criminal prosecutions are relatively rare but occur in cases involving employee theft of patient data, sale of PHI, and unauthorized access to celebrity or public figure records.
State enforcement — an additional layer
The HHS Office for Civil Rights is continuing with its HIPAA right of access and risk analysis enforcement initiatives. But OCR is not the only enforcement authority organizations face.
State attorneys general have independent authority to bring HIPAA enforcement actions on behalf of state residents. New Jersey, New York, California, and several other states have active enforcement programs that operate alongside OCR. State enforcement can result in additional penalties on top of any OCR action and may be triggered by the same incident.
Organizations operating in states with active AG enforcement programs face compounded exposure — two separate investigations, two separate penalty tracks, from two different agencies — for the same underlying incident.
What these numbers mean for compliance investment
The penalty figures make the economics of HIPAA compliance straightforward. A single Tier 3 violation — willful neglect that is corrected — carries a minimum per-violation penalty of $14,626. A comprehensive HIPAA compliance program costs far less than that annually, particularly when using tools like medcomply.ai's Risk Assessment, BAA Generator, and training modules.
The question is not whether compliance investment is worth it. The question is whether your organization will make that investment proactively — before an incident — or reactively, after OCR has already opened an investigation.
The 2026 penalty figures are in effect now for all OCR enforcement actions. The minimum per-violation penalty at the lowest tier is $145. The maximum at the highest tier is $2,190,294 per violation category per year. Every organization subject to HIPAA should be using these figures as inputs when evaluating the cost-benefit of compliance investment.
Sources & citations
- Federal Register — 2026 HIPAA Civil Penalty Adjustments, January 28, 2026
- HIPAA Journal — HIPAA Violation Fines Updated 2026
- 45 CFR §160.404 — Amount of Civil Money Penalty
All content verified against official HHS guidance and the Code of Federal Regulations.