HIPAA Penalty Estimator

Estimate HIPAA civil money penalty exposure for a covered entity or business associate. Pick the culpability tier and enter the number of violations; the tool multiplies by the published per-violation amounts and caps the result at the statutory annual maximum for an identical provision. These are published HHS OCR thresholds (maximum exposure), not a prediction of an actual penalty and not legal advice. Amounts are current as of Jun 25, 2026 (see the cited sources); the figures are editable in the dataset.

The violation
Exposure: $1,424,000 to $2,134,831 for 1,000 Tier 2 (reasonable cause) violations.
Low (min × violations, capped): $1,424,000
High (max × violations, capped): $2,134,831
Annual cap (identical provision): $2,134,831

At this violation count the exposure is capped at the annual maximum of $2,134,831 per identical provision.

The four HIPAA penalty tiers

HIPAA civil money penalty tiers (per-violation min/max and annual cap)
Tier   | Culpability                | Min / violation | Max / violation | Annual cap
Tier 1 | No knowledge               | $141            | $71,162         | $2,134,831
Tier 2 | Reasonable cause           | $1,424          | $71,162         | $2,134,831
Tier 3 | Willful neglect (cured)    | $14,232         | $71,162         | $2,134,831
Tier 4 | Willful neglect (uncured)  | $71,162         | $2,134,831      | $2,134,831
Formula:
Low exposure  = min( violations × min-per-violation, annual cap )
High exposure = min( violations × max-per-violation, annual cap )
The annual cap applies per identical provision per calendar year; multiple distinct provisions can each carry their own cap.

How it works

HIPAA — the Health Insurance Portability and Accountability Act — protects individuals' protected health information, and the HHS Office for Civil Rights enforces it. When OCR finds a violation it can impose a civil money penalty, and the HITECH Act of 2009 reorganized those penalties into four tiers based on culpability. Each tier carries a minimum and a maximum amount per violation, and an overall annual cap on all violations of an identical requirement within a single calendar year. Because these amounts are tied to inflation, HHS republishes the adjusted figures each year in the Federal Register; the values used here are the representative published amounts, dated on the methodology page and editable in the dataset so the tool stays correct as they rise.

The four tiers escalate with fault. Tier 1 covers violations where the entity did not know, and by exercising reasonable diligence would not have known, of the violation. Tier 2 is "reasonable cause" — the entity knew, or should have known, but the failure did not amount to willful neglect. Tier 3 is willful neglect that was corrected within the required 30-day window, and Tier 4 is willful neglect that was not corrected. The minimum per-violation amount climbs sharply from tier to tier, while the maximum and the annual cap converge at the top, reflecting the law's view that uncorrected, deliberate disregard is the gravest case.

The arithmetic the calculator performs is deliberately simple, but the annual cap gives it a kink. It multiplies your violation count by the tier's minimum per-violation amount to get the low end of the range, and by the maximum to get the high end — then it caps each of those at the annual maximum for an identical provision. A breach can generate a very large number of violations (OCR has historically counted each affected record or each day of non-compliance separately), so for any sizeable incident the high end quickly hits the cap and stops rising. The low end may still be climbing linearly while the high end is already pinned at the cap, which is why the two numbers can converge as violations grow.

This estimator is informational and is not legal advice. It shows the statutory ceiling for awareness and budgeting. In practice the overwhelming majority of HIPAA enforcement actions resolve through a resolution agreement and corrective action plan with a negotiated settlement payment, not a maximum civil money penalty. When OCR does set a penalty it weighs the nature and extent of the violation and of the resulting harm, the entity's compliance history, its financial condition, and whether it acted in good faith — so actual amounts are typically far below the modeled maximum. Determining how many violations occurred, which tier applies, and whether the cap is reached are all fact-specific legal judgments. Consult qualified healthcare-privacy counsel for any real matter.

A worked example

Take the default: a Tier 2 ("Reasonable cause") situation with 1,000 violations.

  • Low end = 1,000 × $1,424 = $1,424,000, then capped at $2,134,831 → $1,424,000
  • High end = 1,000 × $71,162 = $71,162,000, then capped at $2,134,831 → $2,134,831

Notice how the high end is already at the annual cap even though only 1,000 violations are involved — at $71,162 per violation it takes only a few dozen to reach the ceiling. Switch to Tier 1, where the minimum is far lower, and the low end falls back below the cap and starts scaling with the violation count again. Change the tier or the number of violations above and every figure, including which numbers are capped, updates instantly. To weigh the cost of notifying the affected individuals on top of any penalty, use the breach notification cost calculator; for the EU framework, the GDPR fine estimator.

Frequently asked questions

How are HIPAA civil money penalties structured?

The HITECH Act sorted HIPAA civil money penalties into four culpability tiers, from "no knowledge" up to "willful neglect, not corrected". Each tier has a minimum and a maximum penalty per violation, and an annual cap for all violations of an identical provision in a calendar year. The amounts are inflation-adjusted by HHS each year. This tool multiplies your violation count by the tier's per-violation amounts and then caps the result at the annual maximum.

What counts as a "violation"?

HHS has historically treated each affected record, or each day a requirement went unmet, as a separate violation — so a breach of thousands of records can in principle generate thousands of violations. That is exactly why the annual cap matters: once violations × the per-violation amount exceeds the cap (currently $2,134,831 per identical provision), the cap governs and the exposure stops rising. Counting is a fact-specific legal judgment.

Will OCR actually impose the maximum?

Most HIPAA matters end in a resolution agreement and corrective action plan with a negotiated settlement, not a maximum civil money penalty. OCR weighs the nature and extent of the violation and of the harm, the entity's history of compliance, its financial condition, and whether it acted in good faith. The figures here are the published statutory ceiling for planning; they are informational and not legal advice, and they do not predict what OCR will do in any specific case.

Which tier applies to my situation?

The tier turns on culpability. Tier 1 is for violations the covered entity did not know about and could not reasonably have known about. Tier 2 is "reasonable cause" — the entity should have known but the failure was not willful. Tiers 3 and 4 are both "willful neglect", split by whether the problem was corrected within 30 days. Assigning the right tier is a legal determination OCR makes on the facts; consult qualified healthcare-privacy counsel.

Do criminal penalties work the same way?

No. The amounts modeled here are civil money penalties imposed by HHS OCR. HIPAA also carries separate criminal penalties — fines and imprisonment — prosecuted by the Department of Justice for knowing wrongful disclosure of protected health information. Those are outside the scope of this estimator.

Disclaimer. BreachCostLab provides cost and risk estimates for informational purposes only, based on published industry benchmarks (e.g. IBM/Ponemon Cost of a Data Breach, Verizon DBIR) and publicly available statutory figures as of the verification date shown (Jun 25, 2026). These figures are estimates for planning, not a prediction of the cost of any specific incident, and are not legal, financial, insurance, or compliance advice. Actual breach costs vary widely; for regulatory obligations consult qualified counsel. Always verify current figures with the cited sources.