HIPAA Penalties & OCR Enforcement
The HHS Office for Civil Rights (OCR) enforces HIPAA with civil penalties ranging from $100 per violation up to an annual cap of $1.5 million per violation category. Learn the penalty tiers and how to stay compliant.
Four culpability tiers — from “did not know” to willful neglect, not corrected — with settlements that have exceeded $16 million.
45 CFR Part 160 · U.S. Dept. of Health & Human Services (OCR) · Last reviewed June 2026
Direct Answer
HIPAA civil penalties are tiered by culpability, ranging from roughly $100 per violation at the low end up to about $50,000 per violation, with an annual cap per type of violation — figures that the HHS Office for Civil Rights (hhs.gov/hipaa) adjusts for inflation each year, so any specific number is indicative. Because a single failure can be counted as many violations (per record or per day), settlements have ranged from tens of thousands of dollars to over $16 million. Since the HITECH Act, business associates — including Indian vendors handling US PHI — are directly liable, not only through their contracts.
The Four Tiers
HIPAA Penalty Tiers
| Tier | Culpability | Per Violation | Annual Max |
|---|---|---|---|
| Tier 1 | Did not know and could not have known | $100 - $50,000 | $25,000 |
| Tier 2 | Reasonable cause, not willful neglect | $1,000 - $50,000 | $100,000 |
| Tier 3 | Willful neglect, corrected within 30 days | $10,000 - $50,000 | $250,000 |
| Tier 4 | Willful neglect, not corrected | $50,000 | $1.5M |
Indicative figures. HIPAA civil money penalty amounts are statutory and adjusted for inflation annually by HHS, so current values shift year to year — confirm the latest figures with HHS (hhs.gov/hipaa).
Enforcement Record
Recent Enforcement Cases
| Entity | Year | Summary |
|---|---|---|
| Anthem Inc. | 2018 | Largest HIPAA settlement; 78.8M records breached |
| Premera Blue Cross | 2020 | Breach affecting 10.4M individuals |
| Banner Health | 2023 | Lack of risk analysis; 2.81M records |
| L.A. Care Health | 2023 | Failure to implement technical safeguards |
Frequently Asked Questions
Common questions on HIPAA penalty tiers, OCR enforcement, and business associate liability.
Who enforces HIPAA and issues penalties?
Civil HIPAA enforcement is handled by the HHS Office for Civil Rights (OCR), which investigates complaints and breaches and can impose civil money penalties or negotiate settlements (resolution agreements with corrective action plans). The US Department of Justice prosecutes criminal HIPAA violations. State Attorneys General may also bring HIPAA civil actions. See https://www.hhs.gov/hipaa.
What are the four HIPAA penalty tiers?
Civil penalties are tiered by culpability: Tier 1 (the entity did not know and could not reasonably have known), Tier 2 (reasonable cause, not willful neglect), Tier 3 (willful neglect, corrected within 30 days), and Tier 4 (willful neglect, not corrected). Minimum per-violation amounts rise with each tier, while the maximum per violation is in the tens of thousands of dollars; figures are inflation-adjusted annually by HHS, so treat any specific number as an indicative range.
How large can HIPAA fines get?
Per-violation civil penalties range from roughly $100 at the low end of Tier 1 up to around $50,000 per violation at the top, and because a single deficiency can count as many violations (for example, per record or per day), totals add up quickly. An annual cap applies per type of violation. These statutory amounts are adjusted for inflation each year, so published figures are indicative; OCR settlements have ranged from tens of thousands to well over $16 million.
Can Indian business associates be penalized under HIPAA?
Yes. Since the HITECH Act, business associates — including offshore vendors handling US PHI — are directly liable for HIPAA Security Rule and Breach Notification Rule violations, not only through their contracts. In practice, a US covered entity will also pass liability down via the Business Associate Agreement and indemnification terms, so an Indian business associate faces both contractual and direct regulatory exposure.
How do organizations avoid HIPAA penalties?
The most effective defense is a documented, current compliance program: an annual Security Risk Assessment, up-to-date policies and procedures, workforce training, signed BAAs with every vendor handling PHI, technical safeguards such as encryption and access controls, a tested incident-response plan, and evidence of all of it. OCR weighs willful neglect heavily, so demonstrating reasonable diligence and prompt correction materially reduces exposure.