HIPAA Fine Calculator

Estimate HIPAA violation penalties by tier. Calculate fines from $137 to $68,928 per violation with annual maximums up to $2,067,813 per violation category.

About the HIPAA Fine Calculator

The HIPAA Fine Calculator estimates civil penalty exposure under the four-tier HIPAA enforcement structure used by HHS OCR. It shows the minimum and maximum per-violation amounts for the selected tier, multiplies those figures by the number of violations entered, and then applies the annual cap for identical violation categories.

That makes the page useful for compliance planning and internal risk review, but it is still only a worksheet. OCR can consider the facts of the violation, the entity's corrective action, the scope of harm, and other enforcement factors when determining what penalty is actually sought or resolved.

Why Use This HIPAA Fine Calculator?

HIPAA penalty schedules are easy to misread because the same incident can be described in terms of per-violation amounts, annual caps, breach counts, and separate corrective-action obligations. This page keeps the math visible so you can compare tiers and see when the annual cap changes the result.

How to Use This Calculator

  1. Select the HIPAA penalty tier based on the level of culpability.
  2. Enter the number of violations (each affected individual can be one violation).
  3. View the per-violation fine range and annual maximum cap.
  4. Compare total penalties against the annual maximum per category.
  5. Use the results to inform compliance budgeting and risk assessments.

Formula

Tier A (Did Not Know): $137–$68,928/violation, max $2,067,813/year
Tier B (Reasonable Cause): $1,379–$68,928/violation, max $2,067,813/year
Tier C (Willful Neglect — Corrected): $13,785–$68,928/violation, max $2,067,813/year
Tier D (Willful Neglect — Not Corrected): $68,928/violation, max $2,067,813/year

Example Calculation

Result: $2,067,813 (annual cap applies)

Tier C penalties at $13,785/violation for 500 violations would be $6,892,500, but the annual cap of $2,067,813 per violation category applies, limiting the total to $2,067,813.
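The calculation above, carried through in code as an added example (this is not the page's own calculator code). It applies the four tiers and the annual cap exactly as the page states them, reproduces the Tier C / 500-violation result, and goes one step further than the single-tier arithmetic: it accepts several findings and applies the cap once per identical violation category per calendar year, which is how the page describes the cap behaving. The category labels, years and the two follow-on findings in the sample input are constructed.

```python
"""HIPAA civil-penalty exposure worksheet (added example, not the page's calculator)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, Tuple

# Annual maximum per identical violation category (provision), per calendar year.
ANNUAL_CAP = 2_067_813

# (minimum, maximum) civil penalty per violation, by tier, as listed on the page.
TIERS = {
    "A": (137, 68_928),      # Did Not Know
    "B": (1_379, 68_928),    # Reasonable Cause
    "C": (13_785, 68_928),   # Willful Neglect, corrected within 30 days
    "D": (68_928, 68_928),   # Willful Neglect, not corrected (fixed amount)
}


@dataclass(frozen=True)
class Exposure:
    """Uncapped and capped totals for the low and high end of the tier range."""
    raw_min: int
    raw_max: int
    capped_min: int
    capped_max: int

    @property
    def cap_applies(self) -> bool:
        # True whenever the cap lowered either end of the range.
        return self.capped_min < self.raw_min or self.capped_max < self.raw_max


def estimate(tier: str, violations: int) -> Exposure:
    """Single category, single year: per-violation range times count, then capped."""
    if violations < 0:
        raise ValueError("violation count must be non-negative")
    low, high = TIERS[tier]  # KeyError for an unknown tier is the right failure
    raw_min, raw_max = low * violations, high * violations
    return Exposure(raw_min, raw_max, min(raw_min, ANNUAL_CAP), min(raw_max, ANNUAL_CAP))


# A finding is (violation category, calendar year, tier, number of violations).
Finding = Tuple[str, int, str, int]


def estimate_portfolio(findings: Iterable[Finding]) -> Exposure:
    """Several findings: sum within each (category, year), cap each group, then add up.

    Splitting one category's violations across several findings in the same year
    does not raise the cap; the same category in a later year gets a fresh cap.
    """
    groups = defaultdict(lambda: [0, 0])  # (category, year) -> [raw_min, raw_max]
    for category, year, tier, violations in findings:
        single = estimate(tier, violations)
        groups[(category, year)][0] += single.raw_min
        groups[(category, year)][1] += single.raw_max
    raw_min = sum(g[0] for g in groups.values())
    raw_max = sum(g[1] for g in groups.values())
    capped_min = sum(min(g[0], ANNUAL_CAP) for g in groups.values())
    capped_max = sum(min(g[1], ANNUAL_CAP) for g in groups.values())
    return Exposure(raw_min, raw_max, capped_min, capped_max)


# Constructed sample input: the page's worked example plus two hypothetical findings.
SAMPLE_FINDINGS = [
    ("access-controls", 2023, "C", 500),     # the page's example: cap applies
    ("access-controls", 2024, "C", 500),     # same provision, next year: cap resets
    ("breach-notification", 2024, "A", 10),  # different provision, well under the cap
]


def describe(label: str, e: Exposure) -> str:
    note = " (annual cap applies)" if e.cap_applies else ""
    return f"{label}: ${e.capped_min:,} to ${e.capped_max:,}{note}"


if __name__ == "__main__":
    # Reproduces the page: raw $6,892,500 at the Tier C minimum, limited to $2,067,813.
    page_example = estimate("C", 500)
    print(f"raw Tier C minimum for 500 violations: ${page_example.raw_min:,}")
    print(describe("Tier C, 500 violations", page_example))
    print(describe("portfolio", estimate_portfolio(SAMPLE_FINDINGS)))
```

The portfolio function is where the worksheet earns its keep: the same 500 violations recorded as two findings of 250 in one year still produce a single $2,067,813 cap, while the same provision violated again the following year adds a second cap, matching the page's note that a continuing violation across years can exceed one year's maximum.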

Tips & Best Practices

HIPAA Penalty Tier Details

The four-tier structure recognizes that not all violations reflect the same level of culpability. Organizations that unknowingly violate HIPAA face much lower penalties than those that willfully neglect their obligations. This graduated approach rewards good-faith compliance efforts.

Breach Notification Requirements

Covered entities must notify affected individuals within 60 days of discovering a breach. Breaches affecting 500+ individuals require notification to HHS and prominent media outlets. Failure to provide timely notification is itself a violation.

Cost of HIPAA Compliance vs Non-Compliance

The average cost of a healthcare data breach exceeds $10 million. Investing in encryption, access controls, employee training, and regular risk assessments typically costs a fraction of breach response and penalty expenses.

Sources & Methodology

Methodology

This page applies the four HIPAA civil-penalty tiers shown on the page by multiplying the selected per-violation minimum and maximum amounts by the number of violations entered, then capping the totals at the annual limit for identical violation categories. It is intended to show the penalty framework and the effect of the annual cap, not to predict the exact result of an OCR enforcement action.

Actual HIPAA resolutions depend on the facts of the violation, corrective action, cooperation, financial condition, and how OCR characterizes the conduct. Criminal exposure, corrective-action plans, breach-notification duties, and state-law penalties are outside the scope of this worksheet.

Frequently Asked Questions

What triggers a HIPAA investigation?

HHS OCR investigates complaints from individuals, breach reports (mandatory for breaches affecting 500+ individuals), and compliance reviews. All breaches affecting 500+ individuals are posted on the HHS breach portal and investigated.

What is the difference between the four HIPAA penalty tiers?

Tier A covers violations the entity did not know about. Tier B covers violations due to reasonable cause but not willful neglect. Tier C covers willful neglect that was corrected within 30 days. Tier D covers willful neglect that was not timely corrected.

Can individuals face HIPAA penalties?

Yes, individuals who knowingly obtain or disclose protected health information can face criminal penalties including fines up to $250,000 and imprisonment up to 10 years. Civil penalties apply to covered entities and business associates.

Does the annual cap reset each year?

Yes, the $2,067,813 annual maximum applies per calendar year per identical violation provision. A continuing violation across multiple years could result in penalties exceeding one year's cap.

What are the most common HIPAA violations?

The most common violations include failure to conduct risk assessments, insufficient access controls, lack of encryption, improper disposal of records, failure to provide breach notification, and unauthorized access by employees. Review your results periodically to ensure they still reflect current conditions.

How does HIPAA enforcement differ from state laws?

State attorneys general can also enforce HIPAA and may impose additional penalties under state health data privacy laws. Some states have stricter requirements than HIPAA, and entities must comply with the most protective standard.
