How the tiers work

OCR puts every HIPAA violation into one of four tiers. The tier is decided by the culpability of the covered entity or business associate — how much they knew, whether they should have known, and what they did once they found out. Harm to patients and cooperation with OCR affect where the penalty lands within a tier, not which tier applies.

Tier 1 — No knowledge. The covered entity didn't know about the violation and couldn't have known with reasonable diligence. Per-violation fines start around $137 and cap at about $68,928 per violation. Annual cap: ~$2.13M, up from the original statutory $1.5M cap through inflation adjustments.

Tier 2 — Reasonable cause. The covered entity knew, or with reasonable diligence would have known, that the act or omission was a violation, but the failure doesn't rise to willful neglect (a conscious, intentional failure or reckless indifference to the obligation). Per-violation fines run from $1,379 to $68,928. Same annual cap structure.

Tier 3 — Willful neglect, corrected. The covered entity neglected its compliance obligations, but corrected the issue within 30 days of the date it knew, or with reasonable diligence would have known, of the violation. Per-violation fines run from $13,785 to $68,928. Annual cap around $2.13M.

Tier 4 — Willful neglect, not corrected. The covered entity neglected its obligations and didn't fix the issue within that 30-day window. Per-violation fines start at $68,928, and the only ceiling on a single violation is the annual cap itself, around $2.13M.

The exact dollar amounts adjust each year for inflation, so read the per-violation minimums, the per-violation maximum and the annual cap from the same year's adjustment notice rather than mixing years. The most recent figures are published in the Federal Register and on the HHS website.

What "per violation" means

A violation isn't an incident. It's a record, or a day. OCR can count each affected individual as a separate violation, and for a continuing failure (no risk analysis, no access controls) it can count each day the requirement went unmet as a separate violation. If a hospital exposes 5,000 patient records through an unencrypted email, OCR can treat that as 5,000 violations. Multiply by the per-violation cap and the math gets ugly fast.

The annual cap softens this. Even at tier 4, the maximum OCR can collect from a single covered entity for one provision in a calendar year is around $2.13M, and under OCR's 2019 Notice of Enforcement Discretion the lower tiers carry lower annual caps in practice ($25,000 for tier 1, $100,000 for tier 2, $250,000 for tier 3, all inflation-adjusted). But the cap is per identical provision violated per calendar year — and major settlements often span multiple provisions (failure to do a risk analysis, failure to implement access controls, failure to notify in time), each with its own annual cap, and multiple years of conduct.

That's how Anthem's 2018 settlement reached $16M. Multiple categories, multiple years of conduct, multiple millions of records exposed. Settlements like that are negotiated resolution agreements rather than penalties computed mechanically from the tiers, but the tier math is what sets the exposure the entity is negotiating against.

What pushes a case from tier 1 to tier 4

Three things, in our experience.

The first is whether the covered entity had a current risk analysis. The HIPAA Security Rule requires one under 45 CFR §164.308(a)(1)(ii)(A). Practices without one almost always end up in tier 3 or 4: the missing analysis is itself a violation, and its absence is treated as evidence that the practice did not exercise reasonable diligence. The OCR Risk Analysis Initiative — 12 enforcement actions through 2025 — was specifically built around this.

The second is how the practice responded once OCR opened an investigation. Cooperative practices that produced documents promptly, implemented corrective action plans, and signed resolution agreements landed in tier 2 or 3. Practices that stonewalled, missed deadlines, or contested every request landed in tier 4.

The third is whether the violation harmed patients in a way OCR can document. Breaches affecting more patients, breaches involving sensitive data (mental health, reproductive, HIV), and breaches with evidence of actual misuse are aggravating factors that push the penalty toward the top of the tier's range and make OCR less willing to settle low.

Real-world examples

The Risk Analysis Initiative cases give a current view of how OCR is calibrating penalties for smaller practices.

  • BST & Co. CPAs (business associate) — $175K, August 2025
  • Top of the World Ranch Treatment Center — $103K, February 2026
  • NERAD radiology — $350K, April 2025
  • Deer Oaks Behavioral Health — $225K, July 2025
  • MMG Fusion (dental marketing software) — $10K + 3-year corrective action plan, March 2026

The dollar amounts aren't huge by enterprise standards, but they're significant for solo and small-group practices. And the corrective action plans are often more burdensome than the fines — they require third-party audits, regular reporting to OCR, and multi-year compliance commitments.

Class actions are a separate track

OCR penalties are one thing. Class action damages are another. Advocate Aurora paid $12.25M to the class, separate from any OCR action. Novant paid roughly $6.6M. The class actions don't rely on OCR's penalty tiers — they're built on state-law theories like wiretap statutes and common-law negligence. The two tracks compound.

What this means for a small practice

If OCR opens an investigation, the variables you can control are: whether you have a current risk analysis, whether you documented it and the remediation it drove, and how fast you can produce records and respond. Practices that nail those three usually settle in the low five figures. Practices that don't can end up in the mid six figures, plus a corrective action plan that runs three to five years.

The single most cost-effective HIPAA investment we see is keeping your risk analysis current. It’s the first thing OCR asks for and the largest determinant of your tier.