How Much Can OCR Fine a Healthcare Provider for HIPAA Violations?
The HHS Office for Civil Rights (OCR) levied more than $6.6 million in HIPAA fines in 2025 alone. The amounts range from five-figure settlements for small practices to eight-figure penalties for large health systems. The penalty structure is set by statute and regulation, but how OCR applies it depends on what an investigation finds, and on whether you can document a good-faith effort to comply.
The HITECH Act penalty tiers
The HITECH Act of 2009 established a four-tier penalty structure for HIPAA violations, codified at 42 U.S.C. § 1320d-5 and 45 CFR § 160.404. The tiers are based on the level of culpability. The per-violation minimums and maximums below are the statutory base amounts; HHS adjusts them annually for inflation and publishes the adjusted figures in 45 CFR § 102.3, so the current per-violation amounts are higher than the base figures shown. The annual caps shown reflect OCR's April 2019 Notice of Enforcement Discretion, under which OCR applies lower caps to Tiers 1 through 3 than the statutory cap (a base of $1.5 million, inflation-adjusted, per violation category). As of 2026, the tiers are:
Tier 1: Did not know (and could not reasonably have known)
The covered entity was not aware of the violation and, by exercising reasonable diligence, would not have known about it.
- Minimum: $100 per violation
- Maximum: $50,000 per violation
- Annual cap: $31,987 per violation category
Tier 2: Reasonable cause (not willful neglect)
The violation was due to reasonable cause — the entity knew or should have known about the issue but it was not due to willful neglect.
- Minimum: $1,000 per violation
- Maximum: $50,000 per violation
- Annual cap: $127,949 per violation category
Tier 3: Willful neglect, corrected within 30 days
The violation resulted from willful neglect of HIPAA requirements, but the entity corrected the issue within 30 days of discovery.
- Minimum: $10,000 per violation
- Maximum: $50,000 per violation
- Annual cap: $319,865 per violation category
Tier 4: Willful neglect, not corrected
The violation resulted from willful neglect and was not corrected within 30 days of the date the entity knew, or by exercising reasonable diligence would have known, of it. Note that under the statute (42 U.S.C. § 1320d-5(c)) OCR is required to impose a penalty for any violation due to willful neglect, so both Tier 3 and Tier 4 are mandatory; the 30-day correction determines which tier applies and therefore the amounts, not whether a penalty is imposed. Penalties for Tiers 1 and 2 are discretionary.
- Minimum: $50,000 per violation
- Maximum: $50,000 per violation
- Annual cap: $1,919,173 per violation category
How penalties add up
A single breach can involve violations of several HIPAA provisions at once. A stolen unencrypted laptop, for example, could be cited under the risk analysis requirement (45 CFR § 164.308(a)(1)(ii)(A)), the encryption specification (§ 164.312(a)(2)(iv)), the device and media controls standard (§ 164.310(d)(1)), and the breach notification timeline (§ 164.404(b)). Each provision is a separate violation category with its own annual cap, so the caps in the tiers above apply per provision, not per incident.
Additionally, each affected individual can constitute a separate violation. A breach affecting 5,000 patients could theoretically represent 5,000 violations of a single provision. While OCR does not always calculate penalties this way, the statutory authority exists — which is why settlements for large breaches reach into the millions.
What "willful neglect" means in practice
Willful neglect is the culpability finding that carries the highest penalties and the only mandatory enforcement. The regulation (45 CFR § 160.401) defines it as "conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated."
In enforcement practice, willful neglect findings commonly involve:
- Never conducting a risk analysis. If you have been a covered entity for years and have never performed a documented risk assessment, OCR views this as reckless indifference to a known requirement.
- Identifying risks and ignoring them. Conducting a risk analysis that identifies critical vulnerabilities, then taking no action. This is arguably worse than never assessing — you have documented evidence that you knew about the risk.
- Unencrypted ePHI on portable devices. Encryption is an addressable specification (45 CFR § 164.312(a)(2)(iv)), so an entity may document and implement an equivalent alternative instead. But after years of OCR guidance, enforcement actions, and breach reports involving stolen laptops and USB drives, leaving ePHI unencrypted on portable devices with no documented alternative is increasingly treated as willful neglect.
- Repeated violations. If OCR has previously investigated you or provided technical assistance, and the same deficiencies appear in a subsequent investigation, the inference of willful neglect is strong.
What triggers an OCR investigation
OCR does not investigate every covered entity. Investigations are initiated through three primary channels:
- Breach reports. Under the Breach Notification Rule (45 CFR §§ 164.400–414), covered entities must notify HHS of breaches of unsecured PHI: within 60 days of discovery for breaches affecting 500 or more individuals, and in an annual log for smaller breaches. Breaches affecting 500 or more individuals are posted on OCR's public breach portal and are routinely investigated.
- Individual complaints. Patients, employees, or anyone else can file a complaint with OCR. Complaint-driven investigations have led to some of the largest penalties.
- Compliance reviews. OCR conducts proactive audits and compliance reviews, including the Phase 2 HIPAA Audit Program. These are less common but cover a broad range of Security Rule and Privacy Rule requirements.
Recent enforcement examples
OCR publishes resolution agreements and civil money penalty determinations on its website. Recent patterns include:
- Risk analysis failures dominate. More than half of 2024–2025 enforcement actions cited the failure to conduct a documented risk analysis under 45 CFR § 164.308(a)(1)(ii)(A). This is the most common finding across practices of all sizes.
- Small practices are not exempt. OCR has imposed penalties on solo practitioners, small group practices, and individual providers. Settlement amounts for small entities typically range from $50,000 to $500,000 — significant enough to threaten the viability of a small practice.
- Right of access enforcement wave. OCR has pursued dozens of enforcement actions under the HIPAA Right of Access initiative, targeting providers who failed to provide patients with timely access to their records. Penalties have ranged from $3,500 to $240,000.
- Business associates are targets too. OCR increasingly pursues business associates directly, not just through their covered entity clients. BA settlements have exceeded $1 million.
How to reduce your enforcement exposure
OCR has discretion over whether to pursue Tier 1 and Tier 2 violations at all, and over the amount within every tier. The factors it must weigh (45 CFR § 160.408) include the nature and extent of the violation and of the resulting harm, the entity's history of prior compliance, its financial condition, and such other matters as justice may require. The steps that most directly affect those factors are:
- Conduct a documented risk analysis. This is the single most effective step. It is the most-cited deficiency, and having a current, thorough risk analysis is the strongest evidence of good-faith compliance.
- Act on your findings. A risk analysis that identifies problems without a remediation plan is evidence against you, not for you. Prioritize high risks and track remediation.
- Encrypt ePHI. Encryption is a safe harbor under the Breach Notification Rule: if a device is lost or stolen and the ePHI on it is encrypted in a manner consistent with HHS guidance (which points to NIST SP 800-111 for data at rest and requires that the decryption key not be compromised, for instance not stored unprotected on the same device), the data is not "unsecured PHI" and the loss is not a reportable breach. Avoiding a breach report removes the most common investigation trigger, although a complaint can still open one.
- Train your workforce. Document the training. Include phishing awareness, password policies, and incident reporting procedures.
- Cooperate with OCR. If OCR contacts you, cooperate fully and promptly. Organizations that cooperate, provide requested documentation, and demonstrate corrective action receive significantly lower penalties.
- Correct issues within 30 days. For violations not due to willful neglect, correcting the problem within 30 days of when you knew or should have known of it is an affirmative defense to a civil money penalty (45 CFR § 160.410). For willful neglect, correction within 30 days moves the violation from Tier 4 to Tier 3, which lowers the minimum per violation and the annual cap but does not make the penalty discretionary.
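As an added example (not part of the original article, and not BlackSheep code), the following Python script shows one way to collect the kind of evidence the encryption point above calls for on Linux endpoints: it reads the JSON emitted by `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` and reports, for each mounted filesystem, whether a dm-crypt (LUKS) layer sits anywhere between the physical disk and the mountpoint, including the common LVM-on-LUKS layout. The lsblk output embedded in it is constructed, and the function names are my own. A crypt layer is necessary but not sufficient for the safe harbor: it says nothing about how the key is protected, which the HHS guidance also requires you to establish.

```python
"""Evidence check for the encryption safe harbor on Linux endpoints.

Parses the JSON from `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` and decides, for
each mounted filesystem, whether a dm-crypt ("crypt") device sits anywhere in the
chain from the physical disk down to the mountpoint. LVM-on-LUKS and LUKS-on-
partition both count; a plain partition does not. A "True" here is necessary,
not sufficient, evidence: it does not show that the key is protected.
"""
import json
import subprocess
import sys
from typing import Iterator, Optional

# Constructed sample (not captured from a real host): / and /home on LVM over
# LUKS, an unencrypted /boot and EFI partition, and an unencrypted USB stick.
SAMPLE_LSBLK_JSON = """
{"blockdevices": [
  {"name": "nvme0n1", "type": "disk", "fstype": null, "mountpoint": null, "children": [
    {"name": "nvme0n1p1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
    {"name": "nvme0n1p2", "type": "part", "fstype": "ext4", "mountpoint": "/boot"},
    {"name": "nvme0n1p3", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null, "children": [
      {"name": "luks-root", "type": "crypt", "fstype": "LVM2_member", "mountpoint": null, "children": [
        {"name": "vg0-root", "type": "lvm", "fstype": "ext4", "mountpoint": "/"},
        {"name": "vg0-home", "type": "lvm", "fstype": "ext4", "mountpoint": "/home"}
      ]}
    ]}
  ]},
  {"name": "sda", "type": "disk", "fstype": null, "mountpoint": null, "children": [
    {"name": "sda1", "type": "part", "fstype": "exfat", "mountpoint": "/media/usb"}
  ]}
]}
"""


def _walk(node: dict, chain: tuple = ()) -> Iterator[tuple[str, tuple]]:
    """Yield (mountpoint, chain of device nodes from the disk down) for every mounted node."""
    chain = chain + (node,)
    if node.get("mountpoint"):
        yield node["mountpoint"], chain
    for child in node.get("children") or []:
        yield from _walk(child, chain)


def mount_chains(lsblk_json: str) -> dict[str, tuple]:
    """Map each mountpoint to the device chain that backs it, in lsblk order."""
    tree = json.loads(lsblk_json)
    return {mp: chain for disk in tree["blockdevices"] for mp, chain in _walk(disk)}


def _has_crypt_layer(chain: tuple) -> bool:
    return any(node.get("type") == "crypt" for node in chain)


def is_encrypted_mount(lsblk_json: str, mountpoint: str) -> Optional[bool]:
    """True if a dm-crypt device backs the mountpoint, False if not, None if it is not mounted."""
    chain = mount_chains(lsblk_json).get(mountpoint)
    return None if chain is None else _has_crypt_layer(chain)


def unencrypted_data_mounts(lsblk_json: str, ignore=("/boot", "/boot/efi")) -> list[str]:
    """Mountpoints with no crypt layer, excluding bootloader partitions.

    Unencrypted swap ("[SWAP]") is deliberately not ignored: ePHI paged out of
    memory lands there, so it would be flagged like any other data volume.
    """
    return [mp for mp, chain in mount_chains(lsblk_json).items()
            if mp not in ignore and not _has_crypt_layer(chain)]


def live_lsblk_json() -> str:
    """Run lsblk on this host (Linux, util-linux built with JSON support)."""
    return subprocess.run(["lsblk", "-J", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT"],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # `python check_luks.py --live` inspects this machine; without the flag it uses the sample.
    data = live_lsblk_json() if "--live" in sys.argv else SAMPLE_LSBLK_JSON
    for mp, chain in mount_chains(data).items():
        layers = " -> ".join(f"{n['name']}({n['type']})" for n in chain)
        status = "ENCRYPTED  " if _has_crypt_layer(chain) else "UNENCRYPTED"
        print(f"{status} {mp:<12} {layers}")
    print("\nUnencrypted data mounts:", unencrypted_data_mounts(data) or "none")
```

Run against the sample, the script flags only `/media/usb`; `/boot` and `/boot/efi` are excluded because they hold no ePHI, while `/` and `/home` are recognised as encrypted through the LVM layer. Saving the output with a timestamp and hostname for every laptop in the fleet gives you a dated record to hand OCR if a device later goes missing.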
How BlackSheep reduces your risk
BlackSheep's HIPAA compliance platform helps healthcare organizations build the documented compliance posture that OCR looks for. Guided risk analysis, policy documentation, training tracking, remediation management, and audit trails — all stored with timestamps and version history. If OCR ever asks what you were doing to comply, you have an answer.
The best time to prepare for an OCR investigation is before one starts.
Build your compliance trail with BlackSheep