The U.S. Department of Health and Human Services (HHS) has announced an increase in penalties for violations of the Health Insurance Portability and Accountability Act (HIPAA), effective immediately as of January 28, 2026. The adjustment was made in compliance with the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015, which mandates annual updates to penalty amounts to account for inflation.
New Penalty Adjustments
The HHS Office for Civil Rights (OCR), the body responsible for enforcing HIPAA, applies these penalty increases each year based on a multiplier issued by the Office of Management and Budget (OMB). The penalties, which are applied to violations of HIPAA rules, are structured in tiers depending on the severity of the violation. Originally established with the introduction of the HITECH Act, the penalty tiers are as follows:
- Tier 1: Minimum fine of $100 per violation up to $50,000.
- Tier 2: Minimum fine of $1,000 per violation up to $50,000.
- Tier 3: Minimum fine of $10,000 per violation up to $50,000.
- Tier 4: Minimum fine of $50,000 per violation, capped at $1,500,000 annually for repeated violations of the same provision.
While these penalties have been increased in line with inflation annually since the HITECH Act’s introduction, OCR has historically delayed enforcement of these adjustments. For example, the 2025 penalty updates, originally due by January 17, 2025, were not implemented until January 28, 2026. The OMB has not yet issued the multiplier for 2026 penalties.
Current Penalty Rates for 2025
The most recent penalty amounts, effective as of 2025, reflect the following structure:
| Penalty Tier | Minimum Penalty | Maximum Penalty | Annual Penalty Cap |
|---|---|---|---|
| Did Not Know | $145 | $73,011 | $2,190,294 |
| Reasonable Cause | $1,461 | $73,011 | $2,190,294 |
| Willful Neglect (Corrected within 30 days) | $14,602 | $73,011 | $2,190,294 |
| Willful Neglect (Not Corrected) | $73,011 | $2,190,294 | $2,190,294 |
OCR has also emphasized that penalties for violations occurring before November 2, 2015, or penalties assessed before September 6, 2016, will remain at pre-adjustment levels.
Notice of Enforcement Discretion
It is worth noting that OCR issued a "Notice of Enforcement Discretion" in 2019, which reduced the maximum penalties and annual caps in three of the four penalty tiers. This adjustment, based on an internal review of the HITECH Act, remains in effect. The effective penalty amounts under this notice are:
| Penalty Tier | Minimum Penalty | Maximum Penalty | Annual Penalty Cap |
|---|---|---|---|
| Did Not Know | $145 | $36,505.50 | $36,505.50 |
| Reasonable Cause | $1,461 | $73,011 | $146,053 |
| Willful Neglect (Corrected within 30 days) | $14,602 | $73,011 | $365,052 |
| Willful Neglect (Not Corrected) | $73,011 | $2,190,294 | $2,190,294 |
OCR retains the authority to rescind the Notice of Enforcement Discretion at any time and revert to the original penalty structure outlined in the HITECH Act.
Penalties for Part 2 Regulations
In addition to enforcing HIPAA penalties, OCR now oversees penalties related to Part 2 regulations, which govern the confidentiality of substance use disorder treatment records. However, penalties for violations of these regulations are lower because they adhere to the original figures stipulated by the HITECH Act without annual inflation adjustments. As published in the Federal Register, the 2026 penalties for Part 2 violations are as follows:
| Penalty Tier | Minimum Penalty | Maximum Penalty | Annual Penalty Cap |
|---|---|---|---|
| Did Not Know | $103 | $51,299 | $1,538,970 |
| Reasonable Cause | $1,026 | $1,538,970 | $1,538,970 |
| Willful Neglect (Corrected within 30 days) | $10,260 | $1,538,970 | $1,538,970 |
| Willful Neglect (Not Corrected) | $51,299 | $1,538,970 | $1,538,970 |
Although Part 2 data is considered more sensitive, the penalties for violations remain less severe than those for HIPAA violations.
Looking Ahead
As new inflation multipliers are issued by the OMB, further adjustments to HIPAA violation penalties are expected. For now, the updated rates aim to maintain the financial deterrent against non-compliance and encourage adherence to HIPAA and Part 2 regulations. The new penalty amounts are effective immediately from their publication in the Federal Register. Organizations subject to these regulations should ensure compliance to avoid costly fines.


