HIPAA Penalty Calculator

About the HIPAA Penalty Calculator

HIPAA (Health Insurance Portability and Accountability Act) violations can result in significant civil monetary penalties, structured across four tiers based on the violator's level of culpability. In the January 2026 HHS inflation-adjustment table used on this page, HIPAA penalties range from $145 per violation in the lowest tier to $73,011 per violation in the highest tier, with a calendar-year cap of up to $2,190,294 in the federal penalty table.

This calculator estimates HIPAA penalties based on the violation tier, number of violations, and the federal annual cap used in the HHS penalty table. It helps covered entities and business associates understand their financial exposure and prioritize compliance investments in protecting Protected Health Information (PHI).

When This Page Helps

HIPAA violations carry both civil and potentially criminal penalties. Understanding the penalty structure helps healthcare organizations, business associates, and technology vendors serving healthcare prioritize security investments and quantify the cost of non-compliance.

How to Use the Inputs

1. Select the violation tier (1–4) based on culpability level.
2. Enter the number of violations.
3. Review the per-violation penalty and total before cap.
4. See the annual cap applied per violation category.
5. Note that criminal penalties may apply separately.

Example Calculation

Tips & Best Practices

• The federal annual cap in the HHS penalty table is adjusted over time and should be checked each year.
• Criminal penalties (up to $250K and imprisonment) apply separately from civil penalties.
• Breach notification failures are separate violations from the underlying breach.
• Business associates can face direct HIPAA liability under the modern Omnibus/HITECH enforcement structure.
• Voluntary self-disclosure and prompt correction reduce effective penalties.
• State attorneys general can also bring HIPAA enforcement actions.

HIPAA Penalty Structure

The four-tier penalty system was established by HITECH and later updated through OCR rulemaking and annual inflation adjustments. The tiered approach makes penalties proportional to culpability, while the annual HHS penalty table updates the dollar amounts over time. OCR also weighs case-specific factors such as violation severity, organizational size, compliance history, cooperation, and corrective action.

Criminal vs. Civil Penalties

Criminal penalties are separate: up to $50,000 and 1 year for basic knowing violations, up to $100,000 and 5 years for false pretenses, and up to $250,000 and 10 years for personal gain or malicious harm. Criminal penalties are comparatively rare and apply to individuals, not just organizations.

Resolution Agreements vs. Civil Money Penalties

Many HIPAA enforcement matters end in resolution agreements rather than the maximum civil money penalty. Those resolutions often combine a monetary settlement with a corrective action plan monitored for multiple years. That means this calculator is best used as an exposure worksheet, not as a prediction of what OCR will assess in any specific case.

Compliance Program Impact

Organizations with mature HIPAA programs, including risk analysis, documented safeguards, training, incident response, and prompt remediation, are generally in a stronger position when OCR evaluates a case. The calculator is most useful when paired with a real compliance review, not as a substitute for one.

Frequently Asked Questions

• What are the four HIPAA penalty tiers?

  Tier 1: Did not know ($145–$73,011). Tier 2: Reasonable cause, not willful neglect ($1,461–$73,011). Tier 3: Willful neglect, corrected within 30 days ($14,602–$73,011). Tier 4: Willful neglect, not corrected ($73,011 minimum). Each tier reflects escalating levels of culpability.

• What is the annual cap?

  The federal penalty table published by HHS applies a calendar-year cap to identical violations, and the 2026 inflation-adjusted table used on this page reaches up to $2,190,294. OCR has also discussed enforcement discretion for lower-culpability tiers, so the applied cap in a real case can be more nuanced than a single headline figure.

• Who enforces HIPAA?

  The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is the primary HIPAA enforcement body. State attorneys general can also bring enforcement actions. The DOJ handles criminal HIPAA violations.

• What are common HIPAA violations?

  Impermissible uses/disclosures of PHI, lack of safeguards for ePHI, failure to conduct risk analyses, lack of patient access to records, failure to provide breach notification, and insufficient business associate agreements.

• Does HIPAA apply to my tech company?

  If your company creates, receives, maintains, or transmits Protected Health Information (PHI) on behalf of a covered entity, you are a business associate subject to HIPAA. This includes cloud providers, EHR vendors, billing services, and IT support companies.

• What are the largest HIPAA fines?

  Large OCR enforcement actions and civil money penalties have reached into the millions of dollars. These cases demonstrate that enforcement is active and that prolonged, systemic violations can produce substantial financial exposure beyond the direct incident-response cost.