Awareness article
HIPAA Breach Fines Explained: OCR Penalty Tiers
How OCR calculates HIPAA civil monetary penalties, the four culpability tiers under 45 CFR 160.404, annual inflation adjustments, and what drives penalty amounts for small clinics.
Short answer
HIPAA civil monetary penalties are calculated across four culpability tiers, from unknowing violations through willful neglect not corrected. The amounts are adjusted annually under the Federal Civil Penalties Inflation Adjustment Act. Repeat violations and cooperation with OCR are the two biggest factors in final penalty size.
HIPAA civil monetary penalties are not a single number. They are structured across four culpability tiers, each carrying its own per-violation range and calendar-year cap. The tier a violation falls into depends on what the covered entity knew and what it did about it.
The four culpability tiers
Under 45 CFR 160.404, penalties are grouped as follows. The base statutory ranges (before annual inflation adjustment) are:
| Tier | Description | Per-violation base range | Statutory annual cap |
|---|---|---|---|
| 1 | Did not know | $100-$50,000 | $25,000 |
| 2 | Reasonable cause | $1,000-$50,000 | $100,000 |
| 3 | Willful neglect, corrected within 30 days | $10,000-$50,000 | $250,000 |
| 4 | Willful neglect, not corrected | $50,000 | $1,500,000 |
Tier 1 - Did not know. The covered entity did not know and, by exercising reasonable diligence, would not have known about the violation. This tier carries the lowest per-violation minimum.
Tier 2 - Reasonable cause. The violation was due to reasonable cause, not willful neglect. The covered entity was aware or should have been aware of the risk but did not act with conscious disregard.
Tier 3 - Willful neglect, corrected. The violation resulted from willful neglect but was corrected within 30 days of the date the covered entity knew or should have known. Correcting within that window moves the violation out of the highest tier.
Tier 4 - Willful neglect, not corrected. The violation resulted from willful neglect and was not corrected within 30 days. This tier carries the highest per-violation minimum and the highest annual cap.
Inflation adjustments
Penalty amounts are adjusted each January under the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015. HHS publishes the updated amounts in the Federal Register. The annual caps in the table above reflect the statutory base amounts established under HITECH. Each cap is adjusted upward for inflation - for example, the statutory $1,500,000 Tier 4 cap adjusts to approximately $2,190,294 under the 2025 Federal Register notice. Lower-tier caps are similarly adjusted in proportion. The four-tier structure itself has not changed since HITECH established it. For the current inflation-adjusted figures applicable to a specific calendar year, consult the current version of 45 CFR 160.404 in eCFR and the most recent Federal Register notice.
How OCR calculates the actual penalty
Within each tier, OCR considers aggravating and mitigating factors under 45 CFR 160.408. Factors that raise the penalty include:
- the number of individuals affected
- the harm caused by the violation
- prior violations by the same covered entity
- whether the covered entity concealed the violation
Factors that lower the penalty include:
- financial circumstances of the covered entity
- good faith effort to cooperate
- prompt self-disclosure
- corrective action already taken before the resolution
Most small-clinic enforcement actions do not result in maximum-tier penalties. OCR typically resolves cases involving smaller clinics through a corrective action plan (CAP) after an informal review, especially when the violation was the result of an oversight rather than deliberate disregard.
State attorney general enforcement
State AGs can also bring civil actions for HIPAA violations that harm state residents, under HITECH. State penalties are separate from OCR penalties and can run concurrently. Several state AGs have used this authority, particularly for breaches affecting large numbers of residents.
What matters for small clinics
The difference between Tier 1 and Tier 4 is not just about the breach itself - it is about the paper trail the clinic has or does not have. A clinic that has documented its risk analysis, maintains an incident register, and can show it addressed a known gap when it was discovered is far better positioned to argue Tier 1 or 2 treatment than a clinic that cannot reconstruct its compliance history.
Related reading: how to report a HIPAA violation to OCR and the four-factor breach risk assessment.
Sources
- 45 CFR 160.404 - Amount of a Civil Money Penalty · Legal Information Institute
- HIPAA Enforcement Results · HHS OCR
- Civil Monetary Penalties Inflation Adjustment · Federal Register
- Breach Notification Rule · HHS OCR