HIPAA Penalties and Fines: The Four Civil Penalty Tiers Explained
HIPAA civil monetary penalties are tiered by culpability — not by the size of the breach or the number of records exposed. Understanding how HHS determines which tier applies, what the per-violation and annual cap ranges are, and what factors drive penalty escalation is essential for any compliance program leader managing organizational risk.
Statutory Authority and the Role of HITECH
Civil monetary penalties for HIPAA violations derive from the Health Insurance Portability and Accountability Act of 1996 as significantly strengthened by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. HITECH created the four-tier culpability structure that governs all current enforcement actions, established that business associates can be directly liable for violations (not merely covered entities), and required HHS to increase penalty amounts through periodic inflation adjustments. HHS adjusts the per-violation penalty amounts annually in accordance with the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015. The table below describes the structure of the framework rather than specific dollar amounts; the current, inflation-adjusted penalty amounts are published by HHS OCR and should be confirmed against the most recent HHS notice.
The Four Civil Penalty Tiers
All HIPAA civil monetary penalties are organized into four tiers defined by the nature of the covered entity’s or business associate’s culpability at the time of the violation. Each tier carries a distinct minimum and maximum per-violation penalty and a distinct annual cap for violations of identical provisions. OCR determines the applicable tier through its investigation of the facts and circumstances surrounding the violation — a finding that the organization had actual knowledge of a violation and failed to act is treated categorically differently than a finding that the organization was unaware and could not have reasonably discovered the violation through due diligence.
| Tier | Culpability Finding | Per-Violation Range | Annual Cap (Same Provision) | Corrective Action Available? |
|---|---|---|---|---|
| Tier 1 | Did not know and, with reasonable diligence, could not have known of the violation | Minimum and maximum set by HHS at the lowest range, adjusted annually | Annual cap at the lowest threshold, adjusted annually | Yes — if corrected within 30 days of discovery, HHS may not impose a penalty |
| Tier 2 | Reasonable cause — knew or should have known, but did not engage in willful neglect | Mid-range minimum and maximum, substantially higher than Tier 1, adjusted annually | Annual cap higher than Tier 1, adjusted annually | Yes — correction within 30 days may reduce but not eliminate penalty exposure |
| Tier 3 | Willful neglect — violation due to conscious, intentional failure or reckless indifference; corrected within 30 days | High minimum and maximum, significantly elevated, adjusted annually | Annual cap at the high tier, adjusted annually | Partial — correction within 30 days distinguishes Tier 3 from Tier 4 but penalty is still mandatory |
| Tier 4 | Willful neglect — violation due to conscious, intentional failure or reckless indifference; not corrected within 30 days | Highest minimum and maximum, adjusted annually — mandatory penalties at this tier | Annual cap at the highest statutory ceiling, adjusted annually | No — correction after 30 days does not reduce to a lower tier; penalties are mandatory |
A critical point in reading the penalty structure: each violation is counted separately. For a systemic failure such as inadequate encryption across all systems, OCR can count each affected individual’s impermissibly disclosed record as a separate violation. A breach affecting thousands of individuals can therefore result in aggregate penalties that approach or reach the annual per-provision cap even at Tier 1 culpability levels. The annual cap is a ceiling per identical provision per calendar year; it does not cap total penalties across all violated provisions in a single investigation, so an investigation that finds violations of several distinct provisions can produce a total well above any single cap.
How OCR Determines the Applicable Tier
OCR’s penalty determination process involves a detailed factual investigation into what the covered entity or business associate knew, when it knew it, and what actions it took or failed to take. The factors that most directly influence tier placement are the completeness and currency of the organization’s risk assessment program, the existence and implementation status of a written risk management plan, the organization’s history of prior violations and enforcement actions, the financial condition of the entity, and the nature and extent of the harm caused.
A risk assessment that identified the vulnerability exploited in a breach but produced no documented remediation plan — or a remediation plan that was never executed — is one of the most damaging fact patterns for a covered entity in an enforcement investigation. It moves the culpability analysis from Tier 1 (did not know) toward Tier 2 or Tier 3 (knew or should have known; failed to act). The same logic applies to BAA program failures — if a covered entity’s vendor inventory reveals that business associates were operating without executed BAAs, and this condition persisted for an extended period, OCR will evaluate whether the failure constitutes willful neglect.
Criminal Penalties: A Separate Track
In addition to civil monetary penalties, HIPAA violations can give rise to criminal prosecution under 42 USC §1320d-6, administered by the Department of Justice rather than HHS. Criminal penalties apply when PHI is knowingly obtained or disclosed, with penalties escalating based on intent — from obtaining PHI under false pretenses to obtaining PHI with intent to sell, transfer, or use it for commercial advantage, personal gain, or malicious harm. Criminal prosecution is distinct from and may proceed concurrently with civil enforcement. Individuals — including workforce members — can be prosecuted separately from the covered entity or business associate.
State Attorney General Enforcement
Since HITECH, state attorneys general have independent authority to bring civil actions on behalf of state residents for HIPAA violations. State-level enforcement operates in parallel with OCR enforcement and is not subject to the same annual caps. Several state attorneys general have brought high-profile HIPAA enforcement actions, particularly in response to large breaches affecting state residents. Organizations with multi-state operations or breaches that cross state lines must account for potential parallel state-level exposure when assessing total penalty risk.
Resolution Agreements and Corrective Action Plans
The majority of significant OCR enforcement actions are resolved through Resolution Agreements rather than litigated civil monetary penalty determinations. A Resolution Agreement is a negotiated settlement in which the covered entity or business associate agrees to pay a resolution amount and implement a Corrective Action Plan (CAP) overseen by OCR for a defined period — typically two to three years. CAPs require documented policies, workforce training, risk assessment updates, and regular reporting to OCR. The resolution amount in these agreements is distinct from a formal civil monetary penalty but reflects similar culpability considerations. Organizations under a CAP that commit additional violations during the oversight period face compounded enforcement exposure.
The Relationship Between Penalties and Compliance Investment
The penalty structure is relevant not only as a risk quantification tool but as a compliance program design driver. The factors that OCR uses to determine tier placement — documented risk assessment, implemented risk management plan, workforce training program, complete and current BAA inventory, incident response capability — are precisely the elements of a well-designed HIPAA compliance program. Organizations that maintain these programs are not merely better positioned in enforcement; they are materially less likely to experience the breaches that trigger enforcement in the first place. The Breach Notification Rule and the proposed 2025 Security Rule update both reinforce this connection, with the NPRM specifically citing inadequate risk assessment and absent asset inventories as systemic contributors to the breach rate escalation that motivated the proposed changes.
Armorstack’s 100+ technical experts help healthcare organizations build the documented, auditable compliance programs that reduce both breach probability and enforcement exposure. Our VERITY advisory practice structures your risk assessment and governance documentation. Our SENTRY Managed Detection and Response platform delivers the continuous monitoring that prevents the systemic, undiscovered vulnerabilities that produce the highest-tier penalty findings. Our CORE healthcare IT program addresses the technical control gaps your Security Rule checklist identifies. Start at the compliance hub or engage through the 90-Day Proof to establish your compliance baseline with a no-commitment program structure.