Regulator profile
HIPAA breach penalties: $137 to $2.07M per violation, subject to an annual cap.
HIPAA penalties operate on a four-tier civil money penalty structure under the HITECH Act, adjusted annually for inflation. As of 2025: Tier 1 (lack of knowledge) $137-$68,928, Tier 2 (reasonable cause) $1,379-$68,928, Tier 3 (willful neglect, corrected) $13,785-$68,928, Tier 4 (willful neglect, not corrected) $68,928-$2,067,813. The annual cap per identical violation is approximately $2.07M. Distinct violations from a single incident stack, which is how OCR settlements regularly reach mid-eight-figure totals.
| Metric | Value | Note |
|---|---|---|
| Max per violation | $68,928 | Lower-tier maximum (2025) |
| Tier 4 annual cap | $2.07M | Willful neglect, uncorrected |
| Largest settlement | $16M | Anthem 2018 |
| Wall of Shame breaches | 6,200+ | OCR portal, 500+ records |
Section HIPAA.1
The four-tier penalty structure
| Tier | Culpability | Min per violation | Max per violation | Annual cap |
|---|---|---|---|---|
| Tier 1 | Lack of knowledge | $137 | $68,928 | $2,067,813 |
| Tier 2 | Reasonable cause, not willful neglect | $1,379 | $68,928 | $2,067,813 |
| Tier 3 | Willful neglect, corrected within 30 days | $13,785 | $68,928 | $2,067,813 |
| Tier 4 | Willful neglect, not corrected | $68,928 | $2,067,813 | $2,067,813 |
Figures shown are 2025 inflation-adjusted under the Federal Register annual update. Source: HHS Office for Civil Rights and the Federal Register annual civil monetary penalty inflation adjustment.
The tier assignment is determined by the culpability of the covered entity. Tier 1 (lack of knowledge) applies when the entity did not know and could not have known of the violation through reasonable diligence. Tier 2 (reasonable cause) applies when the entity knew or should have known but the violation was not the result of willful neglect. Tier 3 (willful neglect, corrected) applies when the violation resulted from conscious, intentional failure or reckless indifference to the obligation but was corrected within 30 days. Tier 4 (willful neglect, not corrected) applies when there was no correction within 30 days.
The 2019 HHS Notification of Enforcement Discretion (84 FR 18151) implemented a reading of the HITECH Act that capped Tiers 1-3 at $25,000 per year for identical violations, with only Tier 4 reaching the $1.5M cap (as inflation-adjusted). The Notification was challenged on the grounds that it was inconsistent with the statute, and a 2023 OCR rulemaking re-set all four tiers at the full inflation-adjusted $2.07M annual cap shown above. The 2025 figures reflect this restoration.
Section HIPAA.2
The largest OCR settlements on record
| Respondent | Settlement | Year | Trigger |
|---|---|---|---|
| Anthem | $16M | 2018 | 78.8M-record breach, then-record settlement |
| Premera Blue Cross | $6.85M | 2020 | 11M-record breach, 9-month dwell |
| Excellus Health Plan | $5.1M | 2021 | 9.3M-record breach |
| Memorial Healthcare System | $5.5M | 2017 | Improper PHI access by employees |
| Advocate Health Care Network | $5.55M | 2016 | 4M-record breach, network access failures |
| Banner Health | $1.25M | 2023 | 3M-record breach, access control failures |
| Doctors Management Services | $100K (Tier 4 minimum) | 2023 | First OCR ransomware settlement |
| UCLA Health | $865K | 2024 | Tracking-tech (Meta Pixel) on patient portal |
The OCR enforcement portal at hhs.gov/hipaa publishes all monetary settlements and corrective action plans. The Anthem $16M settlement remains the largest on record as of mid-2026, with the Change Healthcare 2024 OCR investigation widely expected to displace it.
Section HIPAA.3
How violations stack into mid-eight-figure settlements
The annual cap of $2.07M applies per identical violation per calendar year. Distinct violations from a single incident stack. In the Anthem case, OCR identified four distinct categories of violation: failure to conduct enterprise-wide risk analysis, failure to implement procedures to regularly review information-system activity, failure to identify and respond to suspected security incidents, and failure to implement adequate minimum access controls. Each was treated as a distinct violation for cap purposes, allowing the aggregate to reach $16M.
For larger breaches the stack can be more complex. Where the OCR investigation finds violations spanning multiple calendar years (a 4-year unpatched system, for example), the cap can apply per year per violation, potentially producing eight-figure aggregate exposure from a single technical failure. OCR's 2023 enforcement statement clarified that the 30-day correction window separating Tier 3 from Tier 4 starts when the entity became aware of the violation, not when OCR notified it, which preserves Tier 3 status for entities that self-detected and self-corrected before OCR engagement.
Beyond the civil money penalty, every OCR resolution agreement includes a corrective action plan typically lasting two to three years with quarterly reporting. The corrective action plan is in many cases more consequential than the monetary penalty, because it requires documented restructuring of the entity's information-security programme under OCR supervision. The total cost of corrective action compliance typically runs $1M-$10M depending on the entity's starting posture, in addition to the headline penalty.
Section HIPAA.4
The OCR Wall of Shame breach portal
The HIPAA Breach Notification Rule (45 CFR 164.408) requires covered entities to notify the Secretary of HHS of breaches affecting 500 or more individuals concurrently with notifying affected individuals. HHS publishes these breaches on the OCR Breach Portal, frequently called the "Wall of Shame". The portal contains every healthcare breach of 500+ individuals reported since the rule took effect in 2009, with over 6,200 distinct breaches listed by mid-2026.
The portal is the single most useful public dataset for benchmarking healthcare-breach scale and frequency. It is searchable by year, state, entity type (covered entity vs business associate), breach type (hacking/IT incident, theft, loss, improper disposal, unauthorized access), and location of breached information (network server, electronic medical record, email, paper records, laptop, desktop, etc.). For research on healthcare breach cost, the portal's record-count data is the canonical denominator.
For breaches affecting fewer than 500 individuals, the covered entity must notify HHS within 60 days after the end of the calendar year in which the breach occurred. These smaller breaches are not on the public portal but are tracked internally by OCR.
Section HIPAA.5
State AG and class-action enforcement layered on top
HIPAA itself does not provide a private right of action for affected individuals, but state attorneys general have HIPAA enforcement authority under HITECH Act amendments. State AG enforcement typically follows state consumer-protection statutes that reference HIPAA standards as defining the duty of care. The Anthem $39.5M multistate AG settlement covering 43 states and DC is the largest of its kind to date.
Class-action exposure operates through state-law negligence and consumer-protection theories. The Anthem $115M class-action settlement and the Premera $74M class-action settlement establish the typical range for large-record-count healthcare breach class actions. Per-class-member effective compensation typically runs $1-$5 (excluding credit monitoring), with total class-action exposure for a mega-breach in the $100M-$400M range depending on the data sensitivity and the duration of dwell time.
Stacking OCR penalty, state AG settlement, and class-action settlement, a major healthcare breach typically produces aggregate regulator-plus-civil exposure of $30M-$300M before internal response and remediation cost. The Change Healthcare 2024 settlement aggregates, once finalised, are likely to substantially exceed this range given the unprecedented record count.
Cross-references
Industry / Healthcare → Sector context: $7.42M average, 15 years at #1.
Case / Anthem 2015 → $16M OCR settlement (then record): the four-violation breakdown.
Case / Change Healthcare 2024 → OCR investigation underway: expected $50M-$100M settlement.
Regulation / GDPR → EU analog: tier-based penalty structure.
Cost / Notification → HIPAA breach notification mechanics and cost.
Primary source: HIPAA penalty data from HHS Office for Civil Rights enforcement bulletins, Federal Register annual civil monetary penalty inflation adjustments, OCR resolution agreements, and the OCR Breach Portal. State AG and class-action data from publicly available settlement records.