What is the Civil Penalty for Knowingly Violating HIPAA?
The civil penalty for knowingly violating HIPAA ranges from $14,602 to $2,190,294 per violation, depending on whether the cause of the violation is corrected within 30 days (i.e., a Tier 3 violation or a Tier 4 violation). The civil penalty for knowingly violating HIPAA can also be influenced by an organization’s prior compliance history and its cooperation during a HIPAA compliance investigation.
If you search for the term “knowingly” in the text of HIPAA, you will find multiple references relating to defrauding health plans and embezzling money from healthcare benefit programs (e.g., Medicare), but only one relating to the wrongful disclosure of individually identifiable health information – and this section relates to criminal penalties for knowingly violating HIPAA rather than civil penalties.
However, just before this section, the Act gives the Secretary of Health & Human Services (HHS) the authority to impose financial penalties for the failure to comply with the requirements and standards of the Administrative Simplification provisions unless the person liable for the penalty “did not know and by exercising reasonable diligence would not have known” they had violated HIPAA.
This implies that any financial penalty imposed by HHS was, in effect, a civil penalty for knowingly violating HIPAA; and, although it was not until 2015 that the first civil penalty for knowingly violating HIPAA was announced, once the first penalty was imposed, subsequent penalties followed quickly. To date (December 2025), HHS has settled more than 170 HIPAA violation cases by imposing HIPAA violation fines.
A New Penalty Structure Introduced via the HITECH Act
Originally, HHS only had the authority to impose a civil penalty for knowingly violating HIPAA of up to $100 per violation, with an annual maximum of $25,000 per violation type. The low penalty cap failed to act as a deterrent against HIPAA violations, and a new four-tier penalty structure with increased civil penalties was introduced via the HITECH Act in 2009.
Under the four-tier structure, civil penalties could now be imposed on covered entities that “did not know and by exercising reasonable diligence would not have known” they were violating HIPAA. Further tiers addressed HIPAA violations attributable to “reasonable cause” (where the covered entity should have known that the act or omission was a HIPAA violation) and “willful neglect”.
The “willful neglect” tier is effectively the tier under which a civil penalty for knowingly violating HIPAA is imposed on covered entities, as it covers violations attributable to “intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.” The amount of the penalty in this tier depends on whether the violation is corrected within thirty days.
Figure: Civil money penalties for violating HIPAA 2009
Since the publication of the Final Omnibus Rule in 2013, business associates have also been directly liable for their violations of HIPAA and subject to the same civil penalties as covered entities. It is important for both covered entities and business associates to be aware that HHS can impose a civil penalty for knowingly violating HIPAA even if no breach of unsecured PHI has occurred.
Factors Taken Into Account when Imposing a Civil Penalty for Knowingly Violating HIPAA
Also in the Final Omnibus Rule are the factors HHS should take into account when determining the amount of a civil penalty for violating HIPAA. These are codified under §160.408 of the Administrative Simplification provisions and include:
- The nature and extent of the violation, the number of individuals affected, and the length of time the violation was allowed to continue.
- The nature and extent of the harm resulting from the violation, and whether the violation resulted in physical and/or financial harm.
- Whether the violation affected an individual’s ability to obtain health care or caused harm to their reputation (i.e., financial reputation/credit score).
- The prior compliance history of the covered entity or business associate and how they have responded to previous technical assistance provided by HHS.
- The size and financial condition of the covered entity or business associate (as a substantial fine may hinder their ability to continue providing or paying for health care).
These factors – and whether the violation was corrected within 30 days – can either increase or decrease the amount of a civil penalty for knowingly violating HIPAA. Consequently, two covered entities could experience the same non-compliant event, but one might receive a lower civil penalty than the other due to their prior compliance history.
Civil Penalties Increase to Account for Inflation
In 2015, Congress passed the Federal Civil Monetary Penalties Inflation Adjustment Act Improvements Act, which required federal agencies such as HHS to increase civil money penalties in line with inflation on an annual basis. Consequently, since the passage of the Act, the civil penalties for violating HIPAA have increased each year. The penalties for 2026, as set by OCR on January 28, 2026, are detailed in the table below. The inflation multiplier for 2025 was 1.02598. OCR failed to apply the inflation adjustment in January 2025, waiting until January 2026 to apply the update.
| Penalty Tier | Level of Culpability | Minimum Penalty per Violation | Maximum Penalty per Violation | Annual Penalty Limit |
|---|---|---|---|---|
| Tier 1 | Lack of Knowledge | $145 | $73,011 | $2,190,294 |
| Tier 2 | Reasonable Cause | $1,461 | $73,011 | $2,190,294 |
| Tier 3 | Willful Neglect – Corrected | $14,602 | $73,011 | $2,190,294 |
| Tier 4 | Willful Neglect – Not Corrected within 30 days | $73,011 | $2,190,294 | $2,190,294 |

*Table last updated on January 28, 2026.
OCR Reinterprets HITECH Act Penalty Increases
While the above table shows the official maximum penalties for HIPAA violations, in 2019, the HHS examined the requirements of the HITECH Act with respect to the recommended financial penalties. After all, why should the maximum penalty for a HIPAA violation be the same in all four penalty tiers? The HHS determined that there had been a misinterpretation of the language of the HITECH Act and set new maximum penalties for three of the four penalty tiers, only keeping the old maximum amount for the most serious tier 4 violations. OCR has not changed the penalties in the Federal Register at this point in time, as that will be addressed through further rulemaking. OCR instead issued a notice of enforcement discretion on April 26, 2019, in which it said that it would be working with the new penalty structure with a maximum annual limit of $25,000 for tier 1, $100,000 for tier 2, $250,000 for tier 3, and $1.5 million for tier 4.
These figures are adjusted for inflation each year, and apply to “each February 18, 2009, or later violation of a HIPAA administrative simplification provision,” and are detailed in the table below; however, the HHS states that, “If the violation occurred before November 2, 2015, or a penalty was assessed before September 6, 2016, the pre-adjustment civil penalty amounts in effect before September 6, 2016, will apply.” The official maximum penalty for tier 1 is still $50,000 (adjusted for inflation = $73,011), which is double the annual cap. OCR may also address the discrepancy between the maximum penalty per violation and the maximum penalty per year in further rulemaking.
| Penalty Tier | Level of Culpability | Minimum Penalty per Violation | Maximum Penalty per Violation | Annual Penalty Limit |
|---|---|---|---|---|
| Tier 1 | Lack of Knowledge | $145 | $36,505.50 | $36,505.50 |
| Tier 2 | Reasonable Cause | $1,461 | $73,011 | $146,053 |
| Tier 3 | Willful Neglect | $14,602 | $73,011 | $365,052 |
| Tier 4 | Willful Neglect (Not Corrected within 30 days) | $73,011 | $2,190,294 | $2,190,294 |

*Table last updated on January 28, 2026.
In 2019, Congress also passed an amendment to the HITECH Act (HR 7898), which gives HHS discretion in imposing civil penalties for violations of HIPAA if the covered entity or business associate has implemented recognized security practices developed under legislation such as the NIST Act or Cybersecurity Act. This “safe harbor” applies to all tiers of HIPAA violation penalties except for the civil penalty for knowingly violating HIPAA not corrected within 30 days.
What is the Civil Penalty for Knowingly Violating HIPAA? FAQs
Why did it take so long for HHS to issue the first civil penalty?
When the Privacy and Security Rules were published, many covered entities had to make significant changes to their operations to comply with the standards and implementation specifications. During this period, HHS pursued a policy of voluntary compliance during which it offered technical assistance for covered entities that were found to have violated HIPAA.
Why have there only been 170 HIPAA violation cases settled by imposing a fine?
Although there have been more than 350,000 complaints to HHS alleging HIPAA violations, HHS still prefers to resolve cases by offering technical assistance or requiring covered entities to follow a corrective action plan. While this means the covered entities do not have to pay money directly to HHS, there are still many indirect costs involved in complying with a corrective action plan.
What are the criminal penalties for knowingly violating HIPAA?
To date, the criminal penalties for knowingly violating HIPAA have been imposed on individuals who have obtained or disclosed PHI without authorization, usually from their covered entity employer. There are three tiers of criminal penalties for knowingly violating HIPAA, depending on the means used to obtain or disclose PHI and the motive for the violation:
- Basic penalty – a fine of not more than $50,000, imprisonment for not more than 1 year, or both.
- False pretenses – if the offense is committed under false pretenses, a fine of not more than $100,000, imprisonment for not more than 5 years, or both.
- Personal gain – if the offense is committed with intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm, a fine of not more than $250,000, imprisonment for not more than 10 years, or both.
Why do some sources show the maximum civil penalty for knowingly violating HIPAA as $1.5 million?
Although HIPAA Rules only change periodically, there is a lot to keep up to date with when publishing information about HIPAA. Consequently, some articles show the maximum civil penalty for knowingly violating HIPAA as the pre-2016 inflation-adjusted $1.5 million until such time as the article is updated to reflect the latest HIPAA update or guidance.
If a business associate is not aware that they have to comply with HIPAA, does this absolve them from civil penalties?
Ignorance of HIPAA is no defense against the imposition of a civil penalty or any other type of action by HHS. However, prior to disclosing PHI to a business associate, covered entities are required to conduct due diligence on the business associate to ensure the mechanisms exist for compliance with HIPAA. If a covered entity fails to conduct due diligence prior to disclosing PHI or fails to sign a Business Associate Agreement stating the permissible uses and disclosures of PHI, the covered entity may be jointly liable for any subsequent violation of HIPAA.
Covered entities can reduce their liabilities for violations of HIPAA by business associates by providing technical and administrative advice on how to safeguard PHI shared with the business associate. In some cases, this may involve providing guidance on how to configure software in order to ensure it is used in compliance with HIPAA. In other cases, it may involve providing HIPAA training to members of the business associate’s workforce to ensure they are familiar with concepts such as permissible disclosures and the minimum necessary standard.