In 2018, a small dermatology practice in Massachusetts called Adult & Pediatric Dermatology, P.C. paid $150,000 to settle a HIPAA case. The trigger? A stolen thumb drive containing unencrypted ePHI for roughly 2,200 patients. The practice had no risk analysis in place. No encryption. No policies to speak of. A six-figure lesson — and they were a small office.

If you've ever typed "what are the penalties for HIPAA violations" into a search bar, you're probably trying to figure out whether a mistake at your organization could cost you thousands, millions, or even your freedom. The short answer: it depends on what happened, whether you knew better, and what you did about it. The long answer is what this post is about.

The HIPAA Penalty Tiers: How HHS Calculates Fines

The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) enforces HIPAA. They don't hand out fines at random. Congress created a tiered penalty structure, and OCR follows it closely. Here's how it breaks down:

Tier 1: Did Not Know (and Reasonably Wouldn't Have Known)

Penalty range: $137 to $68,928 per violation. Annual maximum: roughly $2 million. This tier covers situations where a covered entity or business associate didn't know and, by exercising reasonable diligence, wouldn't have known about the violation. These numbers adjust annually for inflation — the figures here reflect recent adjustments published by HHS.

Tier 2: Reasonable Cause (Not Willful Neglect)

Penalty range: $1,379 to $68,928 per violation. Same annual cap. This applies when the organization should have known about the problem but didn't act with willful neglect. Think of it as negligence without malicious intent.

Tier 3: Willful Neglect, Corrected Within 30 Days

Penalty range: $13,785 to $68,928 per violation. If your organization knew it was violating HIPAA and fixed it quickly, you're still facing significant penalties — but OCR gives some credit for the correction.

Tier 4: Willful Neglect, Not Corrected

Penalty range: $68,928 or more per violation. Annual maximum: over $2 million. This is where OCR brings the hammer. If you knew about a HIPAA violation, did nothing, and got caught — this tier is where your organization lands.

You can find the exact, current penalty amounts on the HHS enforcement page.

Real Settlements That Show What Penalties Look Like in Practice

Numbers on a chart are one thing. Real enforcement actions tell a much more vivid story. I've tracked OCR settlements for years, and certain cases stick with me because they illustrate exactly how organizations stumble into massive liability.

Anthem Inc. — $16 Million (2018)

The largest HIPAA settlement in history. Anthem suffered a breach affecting nearly 79 million people after hackers gained access through a phishing email. OCR's investigation found Anthem had failed to conduct an enterprise-wide risk analysis, failed to implement sufficient access controls, and failed to identify and respond to the breach in a timely way. Sixteen million dollars — plus the reputational fallout, plus class action lawsuits on top of that.

Premera Blue Cross — $6.85 Million (2020)

A cyberattack exposed the ePHI of 10.4 million individuals. OCR found that Premera failed to conduct a sufficient risk analysis and failed to implement adequate security measures. The investigation took years, and the penalty reflected the scale of the negligence.

Banner Health — $1.25 Million (2023)

This Arizona-based health system experienced a breach affecting nearly 2.81 million individuals. OCR found failures in risk analysis and monitoring, among other issues. The resolution agreement included a corrective action plan that dictated how Banner Health would operate for years to come.

Every one of these cases shares a common thread: incomplete risk analysis, insufficient workforce training, and slow or inadequate incident response. These aren't exotic problems. They're the basics.

Criminal Penalties: When HIPAA Becomes a Felony

Most people focus on the civil monetary penalties. But what are the penalties for HIPAA violations on the criminal side? They're real, and the Department of Justice prosecutes them.

  • Unknowing violations: Up to 1 year in prison and $50,000 in fines.
  • Obtaining PHI under false pretenses: Up to 5 years in prison and $100,000 in fines.
  • Obtaining PHI for personal gain or malicious purposes: Up to 10 years in prison and $250,000 in fines.

I've seen criminal cases where employees accessed medical records of celebrities, ex-partners, and family members out of sheer curiosity. In 2019, a former employee of a medical center in Tennessee pled guilty to wrongfully obtaining individually identifiable health information — a federal crime under 42 U.S.C. § 1320d-6. These aren't hypotheticals.

If your staff doesn't understand that snooping in medical records is a federal offense, your training has failed. Our course Accessing Records: If It's Not Your Job, It's a Breach was built specifically to address this exact problem.

State-Level Penalties Can Stack on Top

HIPAA sets the floor, not the ceiling. Many state attorneys general have the authority to bring their own enforcement actions under HIPAA, and several states have passed their own health privacy laws with separate penalties. California, Texas, New York, and Massachusetts have all been aggressive in this space.

In some cases, state fines and settlements have exceeded the federal penalties. Your organization can face both simultaneously. This is why treating HIPAA as your only compliance obligation is a strategic mistake.

What OCR Actually Looks at During an Investigation

After a breach report or complaint, OCR doesn't just ask "what happened?" They ask "what did you have in place to prevent it?" Here's what they examine:

  • Was there a current, documented risk analysis?
  • Did the organization have written policies and procedures?
  • Was the workforce trained, and can you prove it?
  • Were there access controls on ePHI?
  • Did the organization follow its own breach notification procedures?
  • How quickly did the organization respond?

The organizations that get hit with Tier 3 and Tier 4 penalties almost always fail on multiple fronts. It's never just one thing. OCR looks at the totality of your compliance posture.

If you want to see the full list of resolution agreements and civil money penalties, OCR publishes them on the HHS HIPAA Enforcement page.

The $1.5 Million Question: Can You Reduce Your Penalties?

Yes. OCR explicitly considers mitigating factors when determining penalty amounts. Here's what works in your favor:

  • A documented, current risk analysis. Not one from three years ago — one that reflects your current environment.
  • Regular workforce training with records. OCR wants to see dates, attendees, and content covered. Our full training catalog gives your organization documented, role-specific HIPAA education that holds up under scrutiny.
  • A tested incident response plan. When a breach happens, the first 60 minutes determine the trajectory. A disorganized response amplifies the damage — and the penalty. That's exactly why we built the First 60 Minutes: Incident Response course.
  • Prompt breach notification. HIPAA requires notification to affected individuals without unreasonable delay, and no later than 60 days after the breach is discovered. Missing that deadline creates a separate violation.
  • Cooperation with OCR. Organizations that stonewall or delay investigations face harsher outcomes. Every time.

The bottom line: OCR rewards organizations that took compliance seriously before something went wrong. They punish those that treated HIPAA as an afterthought.

Quick Reference: What Are the Penalties for HIPAA Violations?

For those looking for a fast answer — here's the summary. Civil penalties range from $137 per violation (for unknowing violations by a covered entity or business associate) up to $68,928+ per violation with annual caps exceeding $2 million (for willful neglect left uncorrected). Criminal penalties range from 1 year in prison for unknowing violations to 10 years in prison and $250,000 in fines for violations committed with intent to sell or profit from PHI. State penalties can add additional fines and enforcement actions on top of federal consequences.

The Penalty No One Talks About: Reputational Destruction

I've worked with organizations that survived the financial penalty only to lose patients, partners, and contracts in the aftermath. OCR publishes every resolution agreement publicly. Journalists cover them. Patients Google their providers.

The Anthem settlement cost $16 million in penalties. The brand damage? Incalculable. The same applies at a smaller scale. A two-physician practice that lands on the HHS "Wall of Shame" — the public Breach Portal — may never fully recover its patient trust.

What This Means for Your Organization Right Now

If you're reading this, you're already ahead of most covered entities, which never think about penalties until they're staring at an OCR investigation letter. Here's what I'd do today if I were in your shoes:

  • Run an updated risk analysis. If your last one is older than 12 months, it's stale.
  • Audit your access logs. Find out who's looking at what — and whether they should be.
  • Train every member of your workforce. Not just clinicians. Front desk staff, IT, billing, volunteers. Everyone who touches PHI.
  • Document everything. If you can't prove it happened, OCR treats it as if it didn't.

The penalties for HIPAA violations are real, they're escalating, and OCR has made clear that enforcement is a priority through 2026 and beyond. The question isn't whether penalties exist. It's whether your organization is ready to avoid them.