What is the Maximum Penalty for a HIPAA Violation?

The maximum civil monetary penalty for a single HIPAA violation assessed on or after January 28, 2026 is $2,190,294, and separate criminal penalties can apply for intentional misconduct, including imprisonment.

Maximum Civil Monetary Penalty Amounts For 2026

Civil monetary penalties are assessed per violation and are based on the level of culpability. The highest tier applies when a violation is attributable to willful neglect and is not corrected within the permitted period.

The inflation-adjusted civil monetary penalty amounts in effect for penalties assessed on or after January 28, 2026 are shown below.

| Penalty Tier | Level Of Culpability | Minimum Per Violation | Maximum Per Violation | Annual Limit For Identical Violations |
|---|---|---|---|---|
| Tier 1 | Reasonable Efforts | $145 | $73,011 | $2,190,294 |
| Tier 2 | Lack Of Oversight | $1,461 | $73,011 | $2,190,294 |
| Tier 3 | Neglect Rectified Within 30 Days | $14,602 | $73,011 | $2,190,294 |
| Tier 4 | Neglect Not Rectified Within 30 Days | $73,011 | $2,190,294 | $2,190,294 |

Maximum Penalty Per Violation And Maximum Annual Limit

The maximum per-violation amount is the top-tier (Tier 4) maximum of $2,190,294.

The annual limit applies to multiple violations of the same requirement or prohibition. The Tier 4 annual limit is $2,190,294 for identical violations within a calendar year.

A single enforcement action can include multiple violation types. Separate annual limits can apply to each distinct requirement or prohibition cited in the resolution.

Annual Caps Applied By The Office For Civil Rights

The Office for Civil Rights has applied reduced annual penalty caps for Tiers 1 through 3 as a matter of enforcement discretion. The tier-level annual caps calculated from that approach for the same January 28, 2026 penalty amounts are listed below.

Tier 1 annual cap: $36,505.50
Tier 2 annual cap: $146,053
Tier 3 annual cap: $365,052
Tier 4 annual cap: $2,190,294

Tier 4 remains the ceiling for maximum exposure within a single tier for identical violations.

Criminal Penalties For Intentional Misconduct

Criminal penalties are separate from civil monetary penalties and apply to certain knowing or wrongful acts involving protected health information.

A knowing wrongful disclosure can result in fines and imprisonment for up to 1 year.
Offenses committed under false pretenses can result in higher fines and imprisonment for up to 5 years.
Offenses committed with intent to sell, transfer, or use protected health information for commercial advantage, personal gain, or malicious harm can result in fines and imprisonment for up to 10 years.

Criminal enforcement is pursued by the U.S. Department of Justice rather than through the civil penalty process.

Enforcement Outcomes Beyond Monetary Penalties

Enforcement resolutions can include corrective action obligations, monitoring commitments, and reporting requirements. Financial exposure can also include state attorney general actions under state law and costs related to breach response activities when unsecured protected health information is involved.

Daniel Lopez

Daniel Lopez is the HIPAA expert behind HIPAA Coach. Daniel has over 10 years' experience as a HIPAA trainer and has developed deep experience in teaching HIPAA to healthcare professionals. Daniel has contributed to numerous publications, including expert articles on The HIPAA Guide. Daniel is currently a staff writer on HIPAA at the Healthcare IT Journal. Daniel was a subject matter expert for ComplianceJunction's online HIPAA training. Daniel's academic background in Health Information Management is the foundation of his HIPAA expertise. Daniel's primary professional interest is protecting patient privacy, which he believes is the core of the HIPAA regulations and the best route to HIPAA compliance. You can reach Daniel on the contact page of HIPAA Coach and follow him on Twitter: https://twitter.com/DanielLHIPAA