
HIPAA violation fines in 2026: penalty tiers and what reduces them

The 2026 HIPAA penalty tiers from the Federal Register, plus the documented evidence that security practices can mitigate what OCR imposes.

By CoreFolio


A HIPAA violation fine is not a single number. It is a structured calculation the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) runs against a four-tier framework, where the tier reflects how culpable the organization was. The amounts are reset for inflation every year and published in the Federal Register.

This article lays out the 2026 penalty tiers as they appear in the rule, then turns to a question practices ask far more often: does doing the compliance work actually reduce what OCR imposes? The record answers that — with a specific, documented dollar figure — but the answer is narrower than the marketing around it usually suggests.

Where the numbers come from

HIPAA's civil monetary penalties are set by statute (section 1176 of the Social Security Act, as amended by the HITECH Act) and codified at 45 CFR § 160.404. Under the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015, HHS must adjust those amounts for inflation each year by an Office of Management and Budget (OMB) cost-of-living multiplier.

The most recent adjustment was published in the Federal Register on January 28, 2026, applying a multiplier of 1.02598. The adjusted amounts apply to penalties assessed on or after that date, for violations occurring on or after November 2, 2015.

The 2026 HIPAA penalty tiers

The tier is set by the organization's level of culpability — what it knew, and whether it acted on what it knew. The tier sets a minimum per violation; the maximum is the same ceiling across the first three tiers.

| Tier | Level of culpability | Minimum per violation | Maximum per violation | Annual cap per provision |
|------|----------------------|-----------------------|-----------------------|--------------------------|
| 1 | Did not know, and would not have known with reasonable diligence | $145 | $73,011 | $2,190,294 |
| 2 | Reasonable cause, not willful neglect | $1,461 | $73,011 | $2,190,294 |
| 3 | Willful neglect, corrected within 30 days | $14,602 | $73,011 | $2,190,294 |
| 4 | Willful neglect, not corrected within 30 days | $73,011 | $2,190,294 | $2,190,294 |

A few points the table does not make obvious:

  • "Per violation" can compound. A single failure — say, an unencrypted system — can be counted across every affected record and every day the failure persisted. This is how a small practice reaches a six-figure total from one finding.
  • The annual cap is per identical provision. A practice with failures spanning several different requirements can face that cap on each one.
  • The tier drives the floor, not the ceiling. Tiers 1 through 3 share the same $73,011 maximum. What moves with culpability is the minimum — which is why willful neglect is so much more expensive even before the Tier 4 ceiling applies.
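The three points above are easier to see when the tier table is run against a concrete set of findings. The following calculator is an added example written for this article, not OCR's own method or any tool from the sources. It encodes the 2026 tier ranges and the codified annual cap from the table, lets the per-violation count compound (records multiplied by days), applies the cap per provision, and optionally applies a percentage reduction of the kind the HITECH amendment allows for recognized security practices. The `Finding` type, the function names, the scenario figures (10,000 records, 30 days, 365 days) and the rule that a provision with findings at mixed tiers takes the highest tier's cap are all my assumptions, not anything the sources state.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional

# Per-violation minimum and maximum for each culpability tier, in dollars,
# taken from the 2026 inflation-adjusted table (45 CFR 160.404).
TIER_RANGE = {
    1: (145, 73_011),
    2: (1_461, 73_011),
    3: (14_602, 73_011),
    4: (73_011, 2_190_294),
}

# Codified annual cap per identical provision: the same figure for every tier.
CODIFIED_CAP = 2_190_294

# OCR's April 2019 enforcement-discretion caps as originally announced
# (not folded into the codified table; used here only as an alternative cap).
DISCRETION_CAP_2019 = {1: 25_000, 2: 100_000, 3: 250_000, 4: 2_190_294}


@dataclass
class Finding:
    provision: str                        # provision cited, e.g. "164.308(a)(1)(ii)(A)"
    tier: int                             # culpability tier 1-4
    count: int                            # violations counted (e.g. records x days persisted)
    per_violation: Optional[int] = None   # amount within the tier range; None = tier minimum


def penalty_for_finding(f: Finding) -> int:
    """Uncapped penalty for one finding: per-violation amount times the count."""
    low, high = TIER_RANGE[f.tier]
    amount = low if f.per_violation is None else f.per_violation
    if not low <= amount <= high:
        raise ValueError(f"tier {f.tier} amount must be within ${low:,}-${high:,}")
    return amount * f.count


def annual_penalty(findings: Iterable[Finding],
                   cap_for_tier: Callable[[int], int] = lambda tier: CODIFIED_CAP) -> Dict[str, int]:
    """Sum findings per provision, then apply the annual cap to each provision.

    Assumption (mine, not OCR's stated method): if one provision carries
    findings at different tiers, the highest tier's cap is applied.
    """
    totals: Dict[str, int] = {}
    top_tier: Dict[str, int] = {}
    for f in findings:
        totals[f.provision] = totals.get(f.provision, 0) + penalty_for_finding(f)
        top_tier[f.provision] = max(top_tier.get(f.provision, 0), f.tier)
    return {p: min(total, cap_for_tier(top_tier[p])) for p, total in totals.items()}


def apply_rsp_reduction(total: int, reduction_pct: float) -> int:
    """Reduce a calculated penalty by a percentage for recognized security practices."""
    return round(total * (1 - reduction_pct / 100))


if __name__ == "__main__":
    # Constructed scenario: one unencrypted system, 10,000 affected records, the
    # failure persisting 30 days, Tier 2 at the minimum under the risk analysis
    # provision; plus a risk management plan missing for a full year, Tier 3.
    findings = [
        Finding("164.308(a)(1)(ii)(A)", tier=2, count=10_000 * 30),
        Finding("164.308(a)(1)(ii)(B)", tier=3, count=365),
    ]
    for f in findings:
        print(f"{f.provision}: uncapped ${penalty_for_finding(f):,}")
    capped = annual_penalty(findings)
    print("codified caps:", capped, f"total ${sum(capped.values()):,}")
    discretion = annual_penalty(findings, cap_for_tier=DISCRETION_CAP_2019.__getitem__)
    print("2019 discretion caps:", discretion, f"total ${sum(discretion.values()):,}")
    # The Providence Medical Institute figures from the article: $300,000 reduced by 20%.
    print("PMI after 20% reduction:", f"${apply_rsp_reduction(300_000, 20):,}")
```

Running it shows why the bullets matter: a Tier 2 finding at the $1,461 minimum, counted across 300,000 record-days, is $438,300,000 before the cap and $2,190,294 after it, and the second provision hits its own $2,190,294 cap separately, so the codified total is $4,380,588. Under the 2019 discretion caps the same two findings total $350,000. The last line reproduces the $300,000 to $240,000 reduction in the Providence Medical Institute determination.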

A caveat on the annual caps

In April 2019, OCR issued a Notification of Enforcement Discretion (84 Fed. Reg. 18151) stating it would apply lower annual caps for the first three tiers — originally $25,000 (Tier 1), $100,000 (Tier 2), and $250,000 (Tier 3) — leaving Tier 4 at the full statutory cap. The Federal Register inflation table does not incorporate that discretion, so the codified caps remain $2,190,294 across all tiers. The lower caps are a matter of OCR's stated enforcement practice, not the regulation text, and the discretion can be withdrawn through rulemaking. Treat the codified figures as the regulatory ceiling and the discretion caps as OCR's current practice.

Does compliance reduce the fine? What the record shows

Here the evidence is specific, and it points in one direction: documented security work is treated as a mitigating factor, and its absence is the single most common reason penalties get assessed at all.

1. The statute requires OCR to consider security practices

A 2021 amendment to the HITECH Act — Public Law 116-321, enacted January 5, 2021 — requires OCR to take into account "recognized security practices" that a regulated entity had in place for the 12 months prior to an incident when it determines fines, audit scope, and the remedies in a settlement.

Two limits are written into the statute itself, and they matter for accurate framing:

  • It is not a safe harbor. Implementing recognized security practices does not provide immunity from liability for a Security Rule violation.
  • Not adopting them cannot increase a penalty, and creates no liability on its own.

So the protection the law offers is mitigation at the determination stage, not a shield against being investigated or found in violation.

2. OCR has applied that mitigation — and shown the math

In October 2024, OCR issued a Notice of Final Determination against Providence Medical Institute (PMI), a Southern California provider, over Security Rule failures connected to three ransomware attacks. OCR calculated a civil monetary penalty of $300,000, then reduced it by 20 percent to $240,000 because PMI demonstrated it had recognized security practices in place for the required 12-month period.

This was the first time OCR documented a recognized-security-practices reduction with a specific figure. It is the clearest single piece of evidence that the documentation changes the number — by $60,000, in a documented case.

3. The inverse: the missing artifact is the common thread

The strongest evidence that compliance work is protective is what OCR cites when it imposes penalties. In its Risk Analysis Initiative, launched in late 2024, every settlement through mid-2025 cited the same failure: the entity did not conduct "an accurate and thorough assessment of the potential risks and vulnerabilities" to electronic protected health information (ePHI) under 45 CFR § 164.308(a)(1)(ii)(A).

By August 2025 that initiative had produced at least ten settlements, including Northeast Radiology ($350,000) and BST & Co. CPAs ($175,000). OCR has stated that an earlier compliance audit found only about 14 percent of covered entities were substantially fulfilling their risk analysis responsibilities. The artifact that was missing in nearly every penalty is the same artifact the HITECH amendment rewards having.

The defensible reading of the record: a current risk analysis and documented security practices reduce exposure in two measurable ways — they are a statutory mitigating factor OCR has applied, and they address the failure OCR cites most. They do not guarantee that no penalty will be imposed.

What "recognized security practices" actually means

The HITECH amendment ties the term to established frameworks — the National Institute of Standards and Technology (NIST) Cybersecurity Framework, the approaches developed under Section 405(d) of the Cybersecurity Act of 2015 (the Health Industry Cybersecurity Practices), and comparable standards. To claim the mitigation, an entity has to demonstrate the practices were in place and in consistent use for the full 12 months before the incident.

That demonstration is itself a documentation problem. Saying "we use NIST" is not evidence. OCR is looking for the dated, written record — the risk analysis, the risk management plan, the policies, the training logs — that shows the practices existed and were followed over time. The same record that supports the Security Rule is the record that supports the mitigation claim.

Building that record is clear work, but it is not quick work. It requires identifying every system that touches ePHI, rating the risks to each with a defensible methodology, writing a management plan that addresses them, and keeping all of it current. OCR routinely asks "how did you arrive at this rating?" — and an answer it accepts has to show the method, not just the conclusion.

What to do next

If your goal is to be in the mitigating-factor position rather than the most-cited-failure position, the first steps are concrete:

  • Locate or date your risk analysis. If you cannot point to one completed in the last 12 months, that is the gap OCR cites most. Start there.
  • Pair it with a risk management plan. A risk analysis with no documented plan to address what it found is a separate, repeatedly cited failure under 45 CFR § 164.308(a)(1)(ii)(B).
  • Keep the dated trail. The mitigation depends on showing 12 months of consistent practice — so the value is in the documentation existing over time, not in a one-time scramble.

None of this is a guarantee against a penalty, and no article or tool can make that claim. This article is educational and is not legal advice; for your specific situation, review your documentation with your privacy officer or counsel. What the record shows is narrower and more useful: the practices the Security Rule already requires are the same ones OCR has rewarded with a documented reduction and penalized the absence of. That is a reason to produce the documentation properly, and to keep it current.


Sources: HHS, Annual Civil Monetary Penalties Inflation Adjustment, 91 Fed. Reg. (Jan. 28, 2026), amending 45 CFR § 160.404. 45 CFR § 164.308(a)(1)(ii)(A) (risk analysis); 45 CFR § 164.308(a)(1)(ii)(B) (risk management plan). HHS Notification of Enforcement Discretion Regarding HIPAA Civil Money Penalties, 84 Fed. Reg. 18151 (Apr. 30, 2019). Public Law 116-321 (H.R. 7898), enacted Jan. 5, 2021 (HITECH amendment, recognized security practices). HHS OCR Notice of Final Determination, Providence Medical Institute (Oct. 2024), available at hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements. HHS OCR Risk Analysis Initiative settlements, 2024–2025 (Northeast Radiology, BST & Co. CPAs, and others). Last verified June 6, 2026.