HHS Increases Civil Monetary Penalty Amounts for 2025
The Department of Health and Human Services (HHS) has published new civil penalty amounts in the Federal Register, having applied the cost-of-living multiplier set by the Office of Management and Budget (OMB) for 2025. The inflation multiplier of 1.02598 is based on the Consumer Price Index for all Urban Consumers (CPI-U) for the month of October 2024.
The new penalties were published in the Federal Register on January 28, 2026, and apply to all HHS penalties, including the penalties for HIPAA violations. Cost-of-living increases to civil monetary penalties are not subject to standard notice and comment procedures, which involve a delay to the effective date. The HHS will use the new penalty amounts with immediate effect.
The penalties for HIPAA violations were increased by the HITECH Act and are based on the level of culpability. There are four penalty tiers: no knowledge, reasonable cause, willful neglect (corrected), and willful neglect (not corrected). The penalties for violations of a single provision of the HIPAA Rules range from $100 per violation in the lowest tier to $1,500,000 per violation in the highest tier. There is a cap in each penalty tier for violations of the same provision in a calendar year.
The penalties for HIPAA violations are subject to annual increases in line with inflation to ensure the deterrent effect is maintained. While OMB states that the annual increases should be applied no later than January 15 of each year, the HHS usually applies the increases much later. Prior to the January 28, 2026, increase, the HHS last increased the penalties for HIPAA violations on August 8, 2024, using the OMB cost-of-living multiplier based on the CPI-U set in October 2023.
Including the latest update, the penalty amounts for HIPAA violations now range from $145 per violation to $2,190,294 per violation, as detailed in the table below.
| Tier | Minimum Penalty | Maximum Penalty | Annual Penalty Cap |
| --- | --- | --- | --- |
| 1. Did Not Know | $145 | $73,011 | $2,190,294 |
| 2. Reasonable Cause | $1,461 | $73,011 | $2,190,294 |
| 3. Willful Neglect (Corrected within 30 days) | $14,602 | $73,011 | $2,190,294 |
| 4. Willful Neglect (Not corrected within 30 days) | $73,011 | $2,190,294 | $2,190,294 |
The above penalties are based on the HHS’s interpretation of the language of the HITECH Act of 2009; however, following a review, OCR determined that the language had been misinterpreted with respect to the penalty amounts in three of the four penalty tiers. OCR issued a Notice of Enforcement Discretion in 2019, reducing the penalties in three of the four tiers. The effective penalties, according to that notice, are detailed in the table below, rounded up to the nearest dollar, having had the cost-of-living increases applied.
| Tier | Minimum Penalty | Maximum Penalty | Annual Penalty Cap |
| --- | --- | --- | --- |
| Did Not Know | $145 | $36,506 | $36,506 |
| Reasonable Cause | $1,461 | $73,011 | $146,053 |
| Willful Neglect (Corrected within 30 days) | $14,602 | $73,011 | $365,052 |
| Willful Neglect (Not corrected) | $73,011 | $2,190,294 | $2,190,294 |
All of these civil monetary penalties will be subject to an increase to apply the 2026 cost-of-living multiplier. Since one increase has already been applied this year, it will likely be late 2026 or 2027 before the next increase is applied. OCR has been pushing Congress to legislate to increase the penalties for HIPAA violations. Should those efforts prove successful, any further increases in the penalties would require further HHS rulemaking, which would be subject to the standard notice and comment procedures.
