The U.S. Department of Health and Human Services (HHS) has officially increased the penalties for violations of the Health Insurance Portability and Accountability Act (HIPAA), effective January 28, 2026. The adjustments, mandated by the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015, align penalty amounts with inflation to maintain a deterrent effect on noncompliance.

Updated Penalty Structure

The penalties for HIPAA violations were originally established under the HITECH Act, with four tiers based on the severity of the violation. The penalty amounts for these tiers are updated annually to account for inflation, with the latest adjustment taking effect on January 28. The current penalty tiers are:

  • Tier 1 (Did Not Know): Minimum fine of $145 per violation, up to $73,011, with an annual penalty cap of $2,190,294.
  • Tier 2 (Reasonable Cause): Minimum fine of $1,461 per violation, up to $73,011, with an annual penalty cap of $2,190,294.
  • Tier 3 (Willful Neglect - Corrected within 30 Days): Minimum fine of $14,602 per violation, up to $73,011, with an annual penalty cap of $2,190,294.
  • Tier 4 (Willful Neglect - Not Corrected): Minimum fine of $73,011 per violation, with an annual penalty cap of $2,190,294.

The adjusted amounts apply to violations that occurred after November 2, 2015, or to penalties assessed after September 6, 2016. Violations predating these dates remain subject to the pre-adjustment penalty amounts.

Ongoing Adjustments and Enforcement

Federal regulations require all executive departments and agencies, including the HHS Office for Civil Rights (OCR), to apply annual inflation adjustments to civil monetary penalties. The Office of Management and Budget (OMB) determines the inflation multiplier each year, which agencies must implement by a specified deadline. The adjustment for 2025 had been due by January 17, 2025, but was not implemented until January 28, 2026, more than a year behind schedule.

Despite these annual adjustments, the OCR’s 2019 Notice of Enforcement Discretion remains in effect. This notice, issued after the OCR reviewed the HITECH Act, reduced the maximum penalties and annual caps for three of the four penalty tiers. The effective penalties under this notice are as follows:

  • Did Not Know: Maximum penalty of $36,505.50 and annual cap of $36,505.50.
  • Reasonable Cause: Maximum penalty of $73,011 and annual cap of $146,053.
  • Willful Neglect (Corrected within 30 Days): Maximum penalty of $73,011 and annual cap of $365,052.
  • Willful Neglect (Not Corrected): Maximum penalty and annual cap remain at $2,190,294.

The OCR retains the authority to rescind the Notice of Enforcement Discretion but cannot change the penalties outlined in the official table without further rulemaking.

Penalties for Part 2 Violations

In addition to HIPAA, OCR now enforces penalties for violations of the Part 2 regulations, which govern the confidentiality of substance use disorder patient records. While the penalty structure mirrors that of HIPAA, the amounts are lower because they are based on the original penalty levels outlined in the 2009 HITECH Act. As of the most recent adjustment, the penalties for Part 2 violations are as follows:

  • Did Not Know: Minimum fine of $103 per violation, up to $51,299, with an annual cap of $1,538,970.
  • Reasonable Cause: Minimum fine of $1,026 per violation, with maximum and annual caps of $1,538,970.
  • Willful Neglect (Corrected within 30 Days): Minimum fine of $10,260, with maximum and annual caps of $1,538,970.
  • Willful Neglect (Not Corrected): Minimum fine of $51,299, with maximum and annual caps of $1,538,970.

Conclusion

With these inflation-based adjustments now in effect, organizations subject to HIPAA and Part 2 regulations should take note of the revised penalties to ensure compliance. The HHS aims to uphold the deterrent power of financial penalties while aligning enforcement with current economic conditions. The new penalty amounts are effective immediately from their publication in the Federal Register. Organizations are encouraged to remain vigilant in adhering to privacy and security rules to avoid significant financial repercussions.