2025 HIPAA Penalties — $28.5M in Fines Analyzed
Last reviewed · By Chad Griffith
This guide covers 2025 HIPAA penalties, analyzing $28.5M in fines. Whether you're a safety manager, compliance officer, or operations director, understanding healthcare compliance requirements is critical to avoiding costly fines and failed audits.
FileFlo's AI-powered compliance platform helps companies in regulated industries automate document tracking, expiration alerts, and audit preparation. Start your 5-day free trial at app.getfileflo.com.
Frequently Asked Questions
What are the 2026 HIPAA penalty tiers?
Four tiers per 45 CFR 102 (2026 inflation-adjusted):
- Tier 1 (did not know): $137-$68,928 per violation
- Tier 2 (reasonable cause): $1,379-$68,928 per violation
- Tier 3 (willful neglect, corrected): $13,785-$68,928 per violation
- Tier 4 (willful neglect, uncorrected): $68,928-$2,067,813 per violation
Annual cap per category is $2,067,813.
What's the most common HIPAA violation?
Per OCR enforcement data: lack of risk analysis, missing or inadequate business associate agreements, impermissible disclosures (often via lost laptops or unencrypted email), and insufficient workforce training. Combined, these account for ~60% of resolved enforcement actions.
Can I face criminal HIPAA charges?
Yes — 42 USC 1320d-6 covers criminal HIPAA penalties for knowingly obtaining or disclosing PHI: up to $50,000 fine and 1 year imprisonment (basic), $100,000 and 5 years (under false pretenses), $250,000 and 10 years (intent to sell, transfer, or use for commercial advantage).
How does OCR decide between civil and criminal penalties?
OCR handles civil enforcement; criminal cases are referred to DOJ. Criminal referral typically requires evidence of knowing violation for personal gain. Most enforcement (~95%) is civil and resolved through corrective action plans rather than fines.
What's the corrective action plan (CAP) process?
After a finding, OCR negotiates a CAP (typically 1-3 years) requiring an updated risk analysis, policy revisions, workforce retraining, and monitoring with periodic reports back to OCR. CAPs are public and are published on the HHS Resolution Agreements page. Failure to comply triggers full civil penalties.
Ready to automate your compliance?
FileFlo tracks 85+ document types across OSHA, DOT, HIPAA, and state regulations. $299/month, unlimited users.
Start Free Trial