A single stolen laptop cost the University of Texas MD Anderson Cancer Center over $4.3 million in civil monetary penalties. Three unencrypted devices. No technical safeguards. The OCR didn't blink. If you've ever wondered what is the penalty for violating HIPAA, that number should wake you up — because it's far from the ceiling.

I've spent years helping covered entities and business associates navigate the aftermath of HIPAA violations. The penalties aren't theoretical. They're specific, tiered, and enforced with increasing aggressiveness by the Office for Civil Rights at HHS. Here's exactly what your organization faces.

The Four-Tier Civil Penalty Structure

HHS uses a tiered penalty system that adjusts based on the level of culpability. Congress established these tiers through the HITECH Act, and HHS adjusts the dollar amounts annually for inflation. Here are the current tiers:

  • Tier 1 — Did Not Know: The covered entity was unaware and couldn't have reasonably known about the violation. Minimum penalty: $137 per violation, up to roughly $68,928 per identical violation per year.
  • Tier 2 — Reasonable Cause: The entity should have known about the violation but didn't act with willful neglect. Minimum: $1,379 per violation, annual cap around $206,782.
  • Tier 3 — Willful Neglect, Corrected: The violation resulted from willful neglect, but the entity corrected it within 30 days. Minimum: $13,785 per violation, annual cap near $689,264.
  • Tier 4 — Willful Neglect, Not Corrected: Willful neglect with no timely correction. Minimum: $68,928 per violation, annual cap of approximately $2,067,813.

These numbers shift slightly each year due to inflation adjustments published in the Federal Register. You can review HHS's current penalty amounts on the HHS HIPAA Enforcement page.

Per Violation Means Per Record, Per Day

Here's where organizations get blindsided. "Per violation" doesn't mean per incident. If your breach exposed 5,000 patient records over 90 days, the OCR can calculate penalties per record, per day of non-compliance. The math gets devastating fast.

I've seen small practices assume they'd face a single fine. They didn't realize each missing risk assessment, each unencrypted email, each unsecured access point could be treated as a separate violation. That's how a seemingly minor lapse balloons into a seven-figure settlement.

Criminal Penalties: When DOJ Gets Involved

Civil penalties aren't the only consequence. The Department of Justice prosecutes criminal HIPAA violations under 42 U.S.C. § 1320d-6. Criminal penalties target individuals — not just organizations — and break down into three levels:

  • Knowingly obtaining or disclosing PHI: Up to $50,000 fine and 1 year in prison.
  • Obtaining PHI under false pretenses: Up to $100,000 fine and 5 years in prison.
  • Obtaining PHI for personal gain or malicious harm: Up to $250,000 fine and 10 years in prison.

These aren't hypothetical. In 2023, a former employee of a medical practice in New York pled guilty to criminal HIPAA violations after accessing patient records to commit identity theft. Federal prosecutors don't need a data breach to press charges — unauthorized access alone is enough.

What Is the Penalty for Violating HIPAA? A Quick-Reference Answer

HIPAA penalties fall into two categories. Civil penalties range from $137 to over $2 million per violation category per year, enforced by the OCR. Criminal penalties range from $50,000 and 1 year in prison to $250,000 and 10 years, enforced by the DOJ. The exact penalty depends on the violator's knowledge, intent, and whether they corrected the issue. Willful neglect with no correction triggers the highest fines.

Real Enforcement Actions That Show the OCR Means Business

Anthem Inc. — $16 Million (2018)

The largest HIPAA settlement in history. A cyberattack compromised the ePHI of nearly 79 million individuals. The OCR's investigation found Anthem failed to conduct an enterprise-wide risk analysis, failed to implement sufficient access controls, and lacked adequate monitoring. Sixteen million dollars gone — plus years of corrective action obligations.

Premera Blue Cross — $6.85 Million (2020)

Another massive breach, another missing risk analysis. Premera's breach affected over 10.4 million people. The OCR found systematic noncompliance with the HIPAA Security Rule, including inadequate hardware and software controls for systems containing ePHI.

Banner Health's 2016 breach affected 2.81 million individuals after hackers compromised food and beverage payment systems, then pivoted to health data. The OCR cited failures to conduct a compliant risk analysis and insufficient monitoring of health information systems.

You can search every resolution agreement and civil monetary penalty on the OCR Enforcement Actions portal.

Beyond Fines: The Penalties Nobody Budgets For

The financial penalty is just the opening act. Here's what I've watched organizations struggle with after a violation:

  • Corrective Action Plans (CAPs): HHS typically requires 2-3 years of monitored compliance. That means external audits, mandatory reporting, and zero room for error. CAPs consume staff time and budget far beyond the settlement amount.
  • Breach notification costs: Under the Breach Notification Rule, you must notify every affected individual, HHS, and sometimes the media. For breaches over 500 records, HHS posts your organization on its public breach portal — often called the "Wall of Shame."
  • Reputational damage: Patients leave. Referral partners pull back. Board members ask questions nobody prepared answers for.
  • Class action lawsuits: Anthem's $16 million OCR settlement was separate from its $115 million class action settlement with affected individuals.

The Violations That Trigger the Biggest Penalties

After reviewing hundreds of enforcement actions, I've identified the patterns that attract the OCR's harshest responses:

1. No Risk Analysis

This shows up in nearly every major settlement. If your organization hasn't conducted a thorough, documented risk analysis of all systems that create, store, or transmit ePHI, you're essentially inviting a Tier 3 or Tier 4 penalty.

2. No Workforce Training

The HIPAA Privacy and Security Rules require training for every workforce member. Not annual-optional-if-you-feel-like-it training. Documented, role-specific training. The OCR checks training records during every investigation. If those records don't exist, the penalty escalates. Our HIPAA training catalog covers exactly what your workforce needs, from privacy fundamentals to advanced security scenarios.

3. Delayed or Missing Breach Response

You have 60 days from discovery to notify affected individuals and HHS. Miss that window, and you've added a separate violation on top of the underlying breach. I've seen organizations freeze during a breach because nobody knew the protocol. That paralysis is expensive. Our First 60 Minutes: Incident Response course exists specifically to prevent that scenario.

4. Social Media PHI Disclosures

This is the violation I see accelerating fastest. A staff member posts a photo from work. A patient's chart is visible on a screen. A well-meaning employee shares a patient success story without authorization. Each instance is a potential violation. Your Social Media & PHI training should be mandatory, not optional.

How to Reduce Your Penalty Exposure Right Now

The OCR considers several mitigating factors when calculating penalties. Here's what actually moves the needle:

  • Demonstrate a compliance program: Document your policies, your risk analysis, your training records, and your incident response plan. If the OCR investigates, the first thing they request is documentation.
  • Cooperate fully and immediately: Organizations that stonewall or delay during investigations consistently receive higher penalties. Cooperation matters.
  • Correct quickly: The difference between Tier 3 and Tier 4 is whether you corrected the violation within 30 days. Speed saves millions.
  • Train continuously: Annual training is the minimum. Quarterly refreshers, role-specific modules, and documented attendance create a defensible compliance posture.

State Attorneys General Can Pile On

Here's something most compliance officers overlook: the HITECH Act gave state attorneys general independent authority to bring civil actions for HIPAA violations. The penalty is up to $25,000 per violation category per year, per state. If your breach crosses state lines — and most do — you could face enforcement actions from multiple states simultaneously, on top of the federal OCR action.

Indiana's Attorney General was the first to exercise this authority, filing suit against a medical records company in 2011. Since then, state-level HIPAA enforcement has grown steadily.

The Real Cost Is Always Larger Than the Fine

When someone asks me what is the penalty for violating HIPAA, I give them the tiered numbers. Then I tell them to multiply by five. The settlement is the visible part. The corrective action plan, the legal fees, the notification costs, the lost patients, the reputational recovery — that's where the real damage lives.

Your organization doesn't need a perfect compliance program. It needs a documented, active, improving one. Start with a current risk analysis. Train every workforce member. Build an incident response plan before you need it. The OCR penalizes neglect. It recognizes effort.

The difference between a $137 penalty and a $2 million one? It's almost always preparation.