In February 2023, Banner Health agreed to pay $1.25 million to the Office for Civil Rights after a breach exposed the electronic protected health information of nearly 3 million people. The fine wasn't random. It was the result of a precise, tiered penalty framework that OCR uses every single time it investigates a HIPAA violation. Understanding how civil and monetary penalties for violations are assessed isn't just academic — it's the difference between a corrective action plan and a seven-figure settlement.

I've walked organizations through OCR investigations. The penalty process surprises most of them. They assume the government picks a number. In reality, HHS follows a detailed statutory structure that weighs your knowledge, your negligence, and your willingness to fix the problem.

The Four-Tier Penalty Structure OCR Actually Uses

The HITECH Act established four tiers of civil monetary penalties for HIPAA violations. Each tier corresponds to a different level of culpability. OCR doesn't have unlimited discretion — these tiers define the floor and ceiling of every penalty.

Tier 1: Did Not Know

This applies when the covered entity or business associate didn't know about the violation and couldn't have reasonably known. Penalties range from $137 to $68,928 per violation. The annual cap for identical violations is $2,067,813. These numbers are adjusted for inflation each year by HHS.

Tier 2: Reasonable Cause

The violation was due to reasonable cause — not willful neglect. The organization should have known but didn't act with deliberate disregard. Penalties range from $1,379 to $68,928 per violation, with the same annual cap of $2,067,813.

Tier 3: Willful Neglect, Corrected

The organization acted with willful neglect but corrected the violation within 30 days of discovery. Penalties range from $13,785 to $68,928 per violation, with an annual cap of $2,067,813.

Tier 4: Willful Neglect, Not Corrected

This is the worst category: willful neglect with no timely correction. The minimum penalty jumps to $68,928 per violation, and the annual maximum reaches $2,067,813. In my experience, this tier is where organizations face the most devastating financial consequences — and it's almost always preventable.

You can review the current penalty amounts directly on the HHS HIPAA Enforcement page.

How OCR Decides Where Your Penalty Lands

Knowing the tiers is only half the picture. OCR uses several aggravating and mitigating factors to determine the exact dollar amount within each tier. Here's what they look at.

The Nature and Extent of the Violation

OCR examines the type of PHI involved, how many individuals were affected, and what kind of harm resulted. A breach involving Social Security numbers and diagnoses for 500,000 people is treated very differently than one involving appointment dates for 200 patients.

The Organization's History

Prior compliance issues matter — a lot. If OCR has investigated your organization before, or if you've had previous complaints, expect that history to push your penalty higher. Clean records and demonstrated good faith efforts work in your favor.

Financial Condition of the Entity

OCR can consider whether a massive penalty would effectively destroy a small practice. This doesn't mean small organizations get a pass, but it can influence the final number. I've seen small clinics receive reduced penalties when they demonstrated genuine financial hardship alongside good-faith corrective efforts.

Cooperation and Corrective Action

This is the factor most within your control. Organizations that cooperate fully with OCR investigations, provide documentation quickly, and implement corrective actions before being told to do so consistently receive lower penalties. Stonewalling or slow-rolling document requests does the opposite.

How Are Civil and Monetary Penalties for Violations Assessed in Practice?

Here's the direct answer: OCR first determines which penalty tier applies based on the organization's level of knowledge and neglect. Then it calculates the number of individual violations — which can be counted per record, per day, or per occurrence depending on the facts. Finally, it applies aggravating and mitigating factors to set the amount within the tier's range. The result is either a voluntary resolution agreement (the most common outcome) or a civil monetary penalty imposed after a hearing.

Most enforcement actions end in resolution agreements. These combine a financial settlement with a corrective action plan that OCR monitors for one to three years. The corrective action plan often costs more to implement than the penalty itself — something most organizations don't anticipate.

Real Enforcement Actions That Show the Framework in Motion

Let me walk through a few real cases so you can see how OCR applies these principles.

Premera Blue Cross — $6.85 Million (2020)

A cyberattack exposed the ePHI of over 10.4 million individuals. OCR's investigation found systemic noncompliance with the HIPAA Security Rule, including insufficient risk analysis. The massive number of affected individuals and the breadth of the failures drove the penalty. Premera also agreed to a corrective action plan.

Children's Medical Center of Dallas — $3.2 Million (2017)

This case involved two separate breaches — an unencrypted BlackBerry in 2009 and an unencrypted laptop in 2013. OCR found that the organization had been warned about encryption risks as early as 2007 but failed to act. The repeated failure to address a known risk pushed this squarely into willful neglect territory.

UMMC (University of Mississippi Medical Center) — $2.75 Million (2016)

A stolen laptop exposed ePHI. The investigation revealed that UMMC's risk analysis was incomplete and that workforce members could access ePHI on a shared network drive without proper controls. OCR cited the lack of risk management as the core failure.

You can search the full list of resolution agreements on the OCR Resolution Agreements page.

State Attorneys General Can Pile On

Here's something that catches organizations off guard: the HITECH Act also empowers state attorneys general to bring civil actions for HIPAA violations on behalf of state residents. These actions are separate from OCR enforcement. You can face federal and state penalties for the same incident.

Several states have pursued their own enforcement actions, sometimes resulting in additional six-figure settlements. Your risk isn't limited to a single federal investigation — it can compound quickly.

Criminal Penalties Exist Too — But They're Different

Civil monetary penalties are assessed by OCR through administrative proceedings. Criminal penalties, on the other hand, are handled by the Department of Justice. Criminal violations require knowingly obtaining or disclosing PHI in violation of HIPAA. Penalties can reach $250,000 and up to 10 years in prison for violations involving intent to sell or use PHI for personal gain.

Criminal referrals are relatively rare, but they happen. The DOJ has prosecuted healthcare employees who accessed patient records out of curiosity, for personal grudges, or for identity theft. The statutory framework for criminal penalties is outlined in 42 U.S.C. § 1320d-6.

What Actually Protects You When OCR Comes Knocking

After watching organizations go through this process, I can tell you what consistently reduces penalties and what doesn't help at all.

What Helps

  • A current, thorough risk analysis. Not one from three years ago — one that reflects your environment today.
  • Documented workforce training. OCR asks for training records in virtually every investigation. If your staff hasn't completed HIPAA workforce training, that gap will cost you.
  • Written policies that people actually follow. Policies sitting in a binder don't count if your staff can't describe them.
  • Rapid breach notification. Meeting the 60-day notification requirement — or beating it — shows OCR you take the process seriously.
  • Immediate corrective action. Don't wait for OCR to tell you what to fix. Fix it and document everything.

What Doesn't Help

  • Claiming you didn't know HIPAA applied to your organization.
  • Saying your IT vendor handles everything.
  • Arguing that no one was actually harmed by the breach.

None of these arguments reduce your penalty tier. OCR has heard all of them.

The Penalty You Don't See: Corrective Action Plans

Resolution agreements almost always include a corrective action plan, or CAP. These plans require your organization to implement specific security measures, revise policies, retrain your entire workforce, and submit to OCR monitoring for one to three years.

The cost of executing a CAP — hiring consultants, upgrading systems, conducting new risk analyses, and completing organization-wide training through a program like the HIPAA training catalog — frequently exceeds the dollar amount of the settlement itself. I've seen organizations spend twice the penalty amount on compliance remediation.

Your Penalty Is Determined Long Before the Investigation

Here's what I tell every client: the penalty OCR assesses is largely determined by the decisions you made months or years before the breach. Your risk analysis, your training records, your encryption practices, your incident response plan — all of these either lower your penalty tier or push you into willful neglect territory.

You don't control whether a breach happens. You control how prepared you are when it does. And that preparation is exactly what OCR measures when it decides how much your organization will pay.

Start with the fundamentals. Conduct your risk analysis. Train your workforce. Document everything. The organizations that do this consistently aren't the ones making headlines for seven-figure penalties.