HIPAA: Civil and Criminal Penalties
Civil and Criminal Penalties [42 USC §§ 1320d-5, 1320d-6]
Rule: HIPAA violations carry civil monetary penalties up to $2.19 million annually per violation category, and criminal penalties up to 10 years imprisonment and $250,000 fines for wrongful disclosure.
Two Enforcement Tracks
HIPAA provides both civil and criminal enforcement mechanisms:
| Track | Authority | Penalties | Who Can Be Charged |
|---|---|---|---|
| Civil | HHS Office for Civil Rights (OCR) | Monetary penalties (4 tiers) | Covered entities, business associates |
| Criminal | Department of Justice | Fines and imprisonment (3 tiers) | Individuals (employees, anyone) |
Civil Penalties [42 USC § 1320d-5]
Statutory Authority
Section 1320d-5 authorizes the Secretary of HHS to impose civil monetary penalties for violations of HIPAA rules.
Penalty determination based on:
- Nature and extent of the violation
- Nature and extent of harm resulting from the violation
- Violator’s culpability level
- Violator’s compliance history
- Violator’s financial condition
Four-Tier Penalty Structure (HITECH Act)
The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 established a four-tier penalty structure based on culpability.
2026 Penalty Amounts (effective January 28, 2026):
| Tier | Culpability | Minimum per Violation | Maximum per Violation | Annual Cap |
|---|---|---|---|---|
| Tier 1 | Did not know (and could not have known with reasonable diligence) | $145 | $73,011 | $2,190,294 |
| Tier 2 | Reasonable cause (not willful neglect) | $1,461 | $73,011 | $2,190,294 |
| Tier 3 | Willful neglect - corrected within 30 days | $14,602 | $73,011 | $2,190,294 |
| Tier 4 | Willful neglect - not corrected | $73,011 | $73,011 | $2,190,294 |
Annual cap applies per “identical provision” violated in a calendar year.
Tier 1: Did Not Know
Standard: Entity/individual did not know and, by exercising reasonable diligence, could not have known of the violation.
Examples:
- Breach occurred despite comprehensive security program
- Vendor vulnerability outside entity’s control
- Sophisticated attack defeating reasonable safeguards
- Compliance gaps not reasonably detectable
Defense requirements:
- Documented compliance program
- Regular risk assessments
- Employee training
- Policies and procedures implemented
- Monitoring and auditing in place
2026 Penalties: $145 - $73,011 per violation, up to $2,190,294 annual cap
Tier 2: Reasonable Cause
Standard: Violation due to reasonable cause (not willful neglect), where entity knew or should have known but could not avoid violation despite exercising ordinary care.
Examples:
- Technical malfunction despite maintenance
- Employee error despite training
- Compliance gap identified but correction underway
- Resource constraints preventing immediate remediation
Not excuses:
- Lack of funds alone
- Lack of staff alone
- Waiting for “perfect” solution
- Deprioritizing compliance
2026 Penalties: $1,461 - $73,011 per violation, up to $2,190,294 annual cap
Tier 3: Willful Neglect - Corrected
Standard: Violation due to willful neglect (conscious, intentional failure or reckless indifference), but corrected within 30 days of when entity knew or should have known.
“Willful neglect” means:
- Conscious, intentional failure to comply
- Reckless indifference to legal obligation
- Deliberate decision not to comply
- Awareness of requirement but deliberate inaction
Examples:
- Risk assessment identifies vulnerability, no action taken
- Training budget eliminated despite known need
- Required policies not developed/implemented
- Business associate agreements not executed
- But: Issue corrected within 30 days of discovery
Correction must be complete:
- Root cause addressed
- Systemic issues remediated
- Not just isolated incident fixed
2026 Penalties: $14,602 - $73,011 per violation, up to $2,190,294 annual cap
Tier 4: Willful Neglect - Not Corrected
Standard: Violation due to willful neglect, not corrected within 30 days of when entity knew or should have known.
No OCR discretion: Mandatory penalty for this tier
Examples:
- Repeated violations despite OCR warnings
- Refusal to implement required safeguards
- Ongoing non-compliance after breach
- Systemic failures not addressed
- Lack of remediation efforts
Most serious tier:
- Minimum penalty = maximum penalty = $73,011
- No ability to negotiate lower amount
- Annual cap = $2,190,294
2026 Penalties: $73,011 per violation (mandatory), up to $2,190,294 annual cap
Enforcement Discretion (2019 Notice)
OCR announced in April 2019 that it would exercise enforcement discretion to apply lower calendar-year penalty caps for Tiers 1-3:
| Tier | Enforcement Discretion Annual Cap (2026) |
|---|---|
| Tier 1 | $36,505 (instead of $2,190,294) |
| Tier 2 | $146,053 (instead of $2,190,294) |
| Tier 3 | $365,052 (instead of $2,190,294) |
| Tier 4 | $2,190,294 (no discretion - statutory) |
Rationale: Congressional intent (based on HITECH Act language) was tiered annual caps, not a uniform cap.
Effect: Most HIPAA penalties significantly lower than statutory maximum
Exception: Tier 4 willful neglect - no enforcement discretion
Annual Inflation Adjustments
The Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015 requires annual penalty adjustments for inflation.
Adjustment methodology:
- Multiply previous year’s amount by cost-of-living multiplier
- Effective each January for penalties assessed that year
- Applies to violations occurring after November 2, 2015
Recent adjustments:
- 2024: Multiplier 1.03241
- 2026: Multiplier 1.02598
Always check current year amounts - HHS publishes updates annually
Penalty Calculation Factors
OCR considers multiple factors when determining penalty amounts:
Violation factors:
- Number of individuals affected
- Duration of violation
- Type of PHI involved (sensitivity)
- Whether violation caused harm
- Whether violation was repeated
- Violator’s compliance history
Mitigating factors:
- Self-reporting of violation
- Cooperation with investigation
- Prompt corrective action
- Strong compliance program
- Waiver of recoupment rights
- Financial hardship (limited consideration)
Aggravating factors:
- Previous violations
- Lack of cooperation
- Obstruction of investigation
- Retaliation against complainants
- Repeated similar violations
“Identical Provision” Rule
Annual caps apply per identical provision violated in calendar year.
Example:
- Failure to conduct risk assessment = 1 provision
- Failure to train employees = different provision
- Each provision has its own $2.19 million annual cap
Not identical:
- Different Security Rule requirements
- Different Privacy Rule requirements
- Different Breach Notification requirements
Result: Potential total penalties exceed single cap if multiple provisions violated
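As an added worked example (not from the page's sources or from OCR), the following Python applies the four-tier structure, the 2019 enforcement-discretion caps and the “identical provision” rule described above, using the 2026 amounts from the tables. The provision labels, the violation counts and the way violations are counted are constructed assumptions for the illustration, not OCR's actual assessment method.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Added example, not from the page or HHS: applies the 2026 civil penalty
# tiers, the per-"identical provision" annual cap and OCR's enforcement-
# discretion caps to a constructed set of violations.

STATUTORY_ANNUAL_CAP = 2_190_294  # 2026 statutory cap per identical provision

# tier -> (minimum per violation, maximum per violation, enforcement-discretion annual cap)
TIER_TABLE = {
    1: (145, 73_011, 36_505),
    2: (1_461, 73_011, 146_053),
    3: (14_602, 73_011, 365_052),
    4: (73_011, 73_011, 2_190_294),  # no discretion: statutory cap applies
}


@dataclass(frozen=True)
class Violation:
    provision: str            # label for the provision violated (assumed labels)
    tier: int                 # culpability tier 1-4
    count: int                # violations of that provision in the calendar year
    year: int                 # calendar year of the violations
    proposed: Optional[int] = None  # proposed per-violation amount; None = tier minimum


def per_violation_amount(tier: int, proposed: Optional[int] = None) -> int:
    """Clamp a proposed per-violation amount into the tier's [min, max] range.
    Tier 4 has min == max, so the proposal cannot lower the mandatory amount."""
    lo, hi, _ = TIER_TABLE[tier]
    if proposed is None:
        return lo
    return max(lo, min(hi, proposed))


def annual_cap(tier: int, use_discretion: bool) -> int:
    """Cap per identical provision per calendar year for the given tier."""
    _, _, discretion_cap = TIER_TABLE[tier]
    return discretion_cap if use_discretion else STATUTORY_ANNUAL_CAP


def compute_penalties(violations, use_discretion: bool = True) -> dict:
    """Return {(year, provision): capped amount}.

    Violations of the same provision in the same year are summed and then
    capped; each distinct provision (and each year) carries its own cap, which
    is why the total can exceed a single cap."""
    uncapped = defaultdict(int)
    tier_of = {}
    for v in violations:
        if v.tier not in TIER_TABLE:
            raise ValueError(f"unknown tier {v.tier}")
        if v.count <= 0:
            raise ValueError("count must be positive")
        key = (v.year, v.provision)
        if tier_of.setdefault(key, v.tier) != v.tier:
            raise ValueError(f"mixed tiers for {key}: assess one tier per provision-year")
        uncapped[key] += v.count * per_violation_amount(v.tier, v.proposed)
    return {key: min(total, annual_cap(tier_of[key], use_discretion))
            for key, total in uncapped.items()}


def total_exposure(violations, use_discretion: bool = True) -> int:
    """Sum of the capped amounts across all provision-years."""
    return sum(compute_penalties(violations, use_discretion).values())


# Constructed scenario, not a real OCR case: two distinct provisions in one year.
EXAMPLE = [
    Violation("risk analysis", tier=3, count=30, year=2026),        # 30 x 14,602 = 438,060 uncapped
    Violation("workforce training", tier=2, count=200, year=2026),  # 200 x 1,461 = 292,200 uncapped
]

if __name__ == "__main__":
    for key, amount in compute_penalties(EXAMPLE).items():
        print(key, f"${amount:,}")
    print("total with enforcement discretion:", f"${total_exposure(EXAMPLE):,}")
    print("total at statutory caps:", f"${total_exposure(EXAMPLE, use_discretion=False):,}")
```

Running it shows the two effects the text describes: each provision is capped separately (the Tier 3 provision stops at $365,052 and the Tier 2 provision at $146,053 under enforcement discretion, for a combined $511,105), and switching `use_discretion` off lifts both to the statutory cap, where the same violations cost $730,260. A Tier 4 provision ignores any proposed amount and is capped at $2,190,294 either way.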
Resolution Agreements
Most OCR investigations result in resolution agreements rather than civil monetary penalties:
Resolution agreement includes:
- Monetary settlement (typically lower than penalty)
- Corrective action plan
- Monitoring period (usually 2-3 years)
- Compliance reporting requirements
- Training requirements
- No admission of liability
Advantages over CMPs:
- Negotiated amount
- Cooperation credit
- Compliance assistance
- Avoided litigation
OCR enforcement priorities:
- Large breaches affecting 500+ individuals
- Repeat violators
- Willful neglect cases
- Complaints alleging serious violations
- Systemic non-compliance
Criminal Penalties [42 USC § 1320d-6]
Statutory Authority
Section 1320d-6 establishes criminal penalties for wrongful disclosure of individually identifiable health information.
Who can be prosecuted: Any person (including employees, contractors, or anyone else) - not limited to covered entities/business associates
Prosecuted by: U.S. Department of Justice
Three-Tier Criminal Penalty Structure
Criminal violations require:
- Knowing conduct
- Violation of HIPAA rules
- One of three prohibited acts:
  - Using/causing use of unique health identifier
  - Obtaining individually identifiable health information
  - Disclosing individually identifiable health information
Tier 1: Basic Offense
Standard: Knowingly obtains or discloses individually identifiable health information in violation of HIPAA.
Elements:
- Knowingly (not accidental)
- Obtains/discloses PHI
- Without authorization
- In violation of HIPAA rules
Examples:
- Employee accessing patient records without legitimate reason
- Disclosing PHI to unauthorized person
- Snooping in medical records of family/friends/celebrities
- Taking PHI when leaving employment
Penalties:
- Fine: Up to $50,000
- Imprisonment: Up to 1 year
- Or both
Tier 2: False Pretenses
Standard: Offense committed under false pretenses.
“False pretenses” means:
- Misrepresentation of identity
- Misrepresentation of authority
- Misrepresentation of purpose
- Fraudulent justification for access
Examples:
- Pretending to be someone else to obtain records
- Falsely claiming authority to access PHI
- Lying about reason for accessing records
- Creating fake authorization documents
- Impersonating physician or staff member
Penalties:
- Fine: Up to $100,000
- Imprisonment: Up to 5 years
- Or both
Tier 3: Commercial/Personal Gain/Malicious Harm
Standard: Offense committed with intent to:
- Sell PHI
- Transfer PHI for value
- Use PHI for commercial advantage
- Use PHI for personal gain
- Use PHI for malicious harm
Examples:
- Selling patient lists to marketers
- Using PHI for identity theft
- Obtaining PHI to blackmail patients
- Selling celebrity medical records to media
- Accessing records to harm ex-spouse
- Medical identity theft schemes
- Ransomware attacks demanding payment
Penalties:
- Fine: Up to $250,000
- Imprisonment: Up to 10 years
- Or both
Criminal Prosecution Standards
Department of Justice considerations:
- Egregiousness of conduct
- Extent of harm to individuals
- Number of victims
- Financial gain to perpetrator
- Deterrent value of prosecution
- Criminal intent and mens rea
- Available evidence
Burden of proof: Beyond reasonable doubt (higher than civil standard)
Procedure:
- Investigation by HHS OIG or FBI
- Referral to DOJ
- Grand jury indictment
- Criminal trial
- Sentencing if convicted
Who Can Be Prosecuted?
Any person, including:
- Covered entity employees
- Business associate employees
- Independent contractors
- Volunteers
- Unauthorized third parties
- Anyone who obtains/discloses PHI
Not limited to HIPAA-covered entities - individual liability
“Obtains Individually Identifiable Health Information”
Defined: Person is considered to have obtained information in violation if:
- Information is maintained by covered entity
- Individual obtained information without authorization
Covers:
- Accessing electronic health records
- Viewing paper records
- Downloading patient data
- Taking photographs of records
- Memorizing information
- Any other means of acquisition
Relationship to Civil Penalties
Civil and criminal enforcement are independent:
| Aspect | Civil | Criminal |
|---|---|---|
| Can both apply | Yes | Yes |
| Different authorities | HHS OCR | DOJ |
| Different standards | Preponderance of evidence | Beyond reasonable doubt |
| Different penalties | Monetary | Fines and imprisonment |
| Target | Organizations | Individuals |
Example: Hospital employee snoops in records:
- Hospital faces civil penalty from OCR
- Employee faces criminal prosecution from DOJ
- Both penalties can apply
Affirmative Defenses and Exceptions
Civil Penalty Defenses
Not liable if:
- Violation not due to willful neglect
- Corrected within 30 days of discovery (for non-willful neglect only)
- Violation due to reasonable cause despite ordinary care
Limitations on defenses:
- Financial hardship - not usually accepted
- Lack of resources - not usually accepted
- “Didn’t know about HIPAA” - not a defense
- Other priorities - not a defense
Criminal Defenses
Lack of knowledge:
- Accidental disclosure (no “knowingly”)
- Reasonable belief in authorization
- Emergency circumstances
No violation of HIPAA rules:
- Disclosure permitted under Privacy Rule
- Treatment, payment, operations
- Required by law
Mistaken belief:
- Believed had authorization (must be reasonable)
- Believed disclosure was permitted
Enforcement Statistics
Recent OCR enforcement (2024):
- 22 civil monetary penalties or settlements
- Total settlements exceeding $25 million
- Average resolution agreement: $1.2 million
- Largest single penalty: $4.75 million
Common violations resulting in penalties:
- Failure to conduct risk analysis
- Lack of business associate agreements
- Insufficient access controls
- Inadequate encryption
- Failure to provide breach notification
- Lack of employee training
Criminal prosecutions (rare but severe):
- Typically involve insider threats
- Employee snooping cases
- Identity theft schemes
- Sale of PHI to third parties
Practical Compliance
Avoiding Civil Penalties
Risk assessment:
- Conduct comprehensive risk analysis
- Document assessment process
- Identify and mitigate vulnerabilities
- Update regularly (at least annually)
Policies and procedures:
- Develop complete HIPAA policies
- Implement across organization
- Train employees
- Enforce consistently
Business associate management:
- Execute BAAs with all business associates
- Monitor BA compliance
- Include termination provisions
- Review contracts regularly
Breach response:
- Detect breaches promptly
- Investigate thoroughly
- Notify as required
- Mitigate harm
- Prevent recurrence
Cooperation with OCR:
- Respond promptly to investigations
- Provide requested documentation
- Implement recommended corrective actions
- Maintain open communication
Avoiding Criminal Liability
Employee education:
- Train on authorized access only
- Explain criminal penalties
- Provide clear authorization policies
- Establish consequences for violations
Access controls:
- Limit access to minimum necessary
- Audit access logs
- Investigate suspicious access
- Disable accounts promptly
Monitoring:
- Regular access audits
- Detection of inappropriate access
- Investigation of anomalies
- Disciplinary action for violations
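As an added example of the access-control and monitoring items above (not code from the page or any EHR vendor), the following Python reviews a constructed EHR access log and flags the patterns behind the criminal-tier examples earlier on the page: clinical users viewing patients they have no treatment relationship with, possible family snooping, views of restricted records, and bulk access in a short window. The log rows, care-team assignments, restricted-record list, role names and thresholds are all constructed assumptions.

```python
import csv
from collections import defaultdict, deque
from datetime import datetime, timedelta
from io import StringIO

# Added example, not from the page: a small audit-log review that flags access
# patterns matching the criminal-tier examples above (no treatment relationship,
# family snooping, restricted records, bulk access). All data is constructed.

# Constructed EHR access log: one row per record view/export.
SAMPLE_LOG = """\
timestamp,user_id,user_role,user_last_name,patient_id,patient_last_name,action
2026-03-02T09:01:00,u100,nurse,Garcia,p001,Nguyen,view
2026-03-02T09:05:00,u100,nurse,Garcia,p002,Garcia,view
2026-03-02T09:07:00,u213,billing,Okafor,p003,Lopez,view
2026-03-02T09:30:00,u301,physician,Singh,p005,Hart,view
2026-03-02T10:00:00,u404,physician,Reyes,p001,Nguyen,view
2026-03-02T10:01:00,u404,physician,Reyes,p003,Lopez,view
2026-03-02T10:02:00,u404,physician,Reyes,p004,Kim,view
2026-03-02T10:03:00,u404,physician,Reyes,p005,Hart,export
"""

# Constructed care-team assignments (patient -> users with a treatment relationship)
CARE_TEAM = {
    "p001": {"u100"},
    "p002": {"u301"},
    "p003": {"u301"},
    "p004": {"u301"},
    "p005": {"u301", "u404"},
}
RESTRICTED = {"p005"}                    # records flagged by the privacy office (constructed)
CLINICAL_ROLES = {"physician", "nurse"}  # roles expected to act on a treatment relationship;
                                         # billing access is treated as payment-related (assumption)


def parse_log(text):
    """Parse the CSV log and return rows in time order."""
    rows = list(csv.DictReader(StringIO(text)))
    for row in rows:
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
    return sorted(rows, key=lambda r: r["timestamp"])


def audit(log_text, care_team, restricted, bulk_threshold=4, window=timedelta(minutes=5)):
    """Return one finding per (access event, rule) for a human reviewer.
    Findings are leads, not conclusions: a same-surname match or a restricted-
    record view by a care-team member may have a legitimate explanation."""
    findings = []
    recent = defaultdict(deque)  # user_id -> (timestamp, patient_id) within the trailing window
    for row in parse_log(log_text):
        ts, user, patient = row["timestamp"], row["user_id"], row["patient_id"]
        reasons = []
        if row["user_role"] in CLINICAL_ROLES and user not in care_team.get(patient, set()):
            reasons.append("no_treatment_relationship")
        if row["user_last_name"].casefold() == row["patient_last_name"].casefold():
            reasons.append("same_last_name")
        if patient in restricted:
            reasons.append("restricted_record")
        q = recent[user]
        q.append((ts, patient))
        while q and ts - q[0][0] > window:   # drop events older than the window
            q.popleft()
        if len({p for _, p in q}) >= bulk_threshold:
            reasons.append("bulk_access")
        for rule in reasons:
            findings.append({"timestamp": ts.isoformat(), "user_id": user,
                             "patient_id": patient, "action": row["action"], "rule": rule})
    return findings


def users_to_investigate(findings, min_findings=2):
    """Users with at least `min_findings` flagged events, most-flagged first."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["user_id"]] += 1
    return [u for u, n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
            if n >= min_findings]


if __name__ == "__main__":
    results = audit(SAMPLE_LOG, CARE_TEAM, RESTRICTED)
    for f in results:
        print(f"{f['timestamp']} {f['user_id']} -> {f['patient_id']} ({f['action']}): {f['rule']}")
    print("investigate:", users_to_investigate(results))
```

On the constructed log the review surfaces the nurse who viewed a same-surname patient outside her care team, the restricted-record views, and the physician who opened four unrelated records in three minutes and exported the last one; the billing user's single view is left alone because it is treated as payment-related. In practice the care-team source would be the scheduling or admission system, and each finding feeds the investigation and disciplinary steps listed above rather than an automatic conclusion.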
Incident response:
- Report criminal conduct to authorities
- Cooperate with investigations
- Preserve evidence
- Implement corrective measures
State Law Penalties
Many states have additional penalties for health information violations:
State laws may provide:
- Civil penalties (separate from HIPAA)
- Criminal penalties (separate from federal)
- Private rights of action (individuals can sue)
- Regulatory sanctions (license revocation)
HIPAA provides a floor, not a ceiling - state laws can be more stringent
Citation
Sources
- HHS HIPAA Civil Monetary Penalty Updates
- DOJ Scope of Criminal Enforcement
- OCR Enforcement Highlights
- 2026 Penalty Amount Adjustments