HIPAA Violation Penalty Calculator
Estimate what a HIPAA violation could cost, then prevent it.
Pick a culpability tier, enter how many violations are in play, and see the estimated civil penalty range using the current federal amounts. Then see the part most articles skip: how a documented training program and risk analysis keep you in the lowest tier. Free, private, and no account required.
The calculator
Estimate your penalty range in two steps
Figures are the inflation-adjusted civil monetary penalty amounts in the federal penalty table at 45 CFR 102.3, which implements 42 USC 1320d-5 and the tier structure at 45 CFR 160.404. HHS updates these amounts every year, so confirm the current figures before relying on them. This estimator is educational, does not account for criminal penalties or state actions, and is not legal advice.
What it shows
Six things this penalty calculator makes clear
Four tiers
The exact culpability tiers OCR uses
Penalties scale with how much you knew and whether you fixed the problem. The calculator uses the same four tiers, from no knowledge to uncorrected willful neglect.
Current amounts
2026 inflation-adjusted figures
Per-violation minimums and maximums and the annual cap come straight from the federal penalty table at 45 CFR 102.3, updated by HHS every year.
Per-violation math
Why one breach is many violations
A breach is rarely a single fine. OCR can count each affected record, each day of noncompliance, or each instance, so the number of violations drives the total.
Annual cap
Where the cap kicks in
All violations of one identical requirement are capped per calendar year. The tool flags when you hit the cap and explains how different requirements stack beyond it.
Settlement reality
Statutory range, not a prediction
OCR usually negotiates a lower resolution amount plus a corrective action plan rather than the maximum. The tool shows the range and the reality next to each other.
Prevention
How training moves you down a tier
A documented training program and a current risk analysis are what keep a good-faith organization in the lowest tier. The cheapest penalty is the one you prevent.
The full picture
How HIPAA violation penalties actually work
Civil penalties: the four tiers that decide the number
When the Office for Civil Rights, the part of the Department of Health and Human Services that enforces HIPAA, finds a violation, it sets the civil penalty using a four-tier system based on culpability. Culpability is just a formal word for how much the organization knew and how it behaved. The less you knew and the faster you fixed the problem, the lower the tier and the smaller the penalty. The structure lives in the statute at 42 USC 1320d-5 and the regulation at 45 CFR 160.404, and the actual dollar amounts are published in the federal penalty table at 45 CFR 102.3, which HHS adjusts for inflation every year.
Tier 1 covers violations you did not know about and could not reasonably have known about even with proper care. Tier 2 covers violations due to reasonable cause that do not rise to willful neglect, meaning there was a real reason it happened but you should have been more careful. Tier 3 covers willful neglect, a conscious disregard for the rule, that you corrected within 30 days of discovering it. Tier 4 covers willful neglect that you did not correct within that window. The minimum per-violation penalty climbs sharply as you move up the tiers, while the maximum for a single violation and the annual cap sit at the same ceiling. That design is deliberate: it makes ignoring a known problem far more expensive than an honest, well-managed mistake.
The calculator above uses these tiers directly. When you select a tier, it applies that tier's real per-violation minimum and maximum and multiplies by the number of violations you enter. That is why moving a situation from Tier 4 down to Tier 1 changes the estimate so dramatically. The difference is rarely luck. It is almost always the presence or absence of the documentation that proves you took your obligations seriously.
Why a single breach becomes many violations
The most common misunderstanding about HIPAA penalties is that an incident equals one fine. It usually does not. The penalty amounts are per violation, and a violation is not the same thing as an event. The Office for Civil Rights has long taken the position that the number of violations can be counted in several ways: by the number of individuals whose information was affected, by the number of days a requirement went unmet, or by the number of separate instances of noncompliance. A breach that exposes ten thousand patient records can be treated as ten thousand violations of the same requirement, and an organization that failed to encrypt its laptops for two years can be treated as having violated the encryption-related standards every day in that window.
This is why the number-of-violations input matters so much in the calculator, and why the totals climb quickly. Enter a tier and a single violation and the figure looks manageable. Enter the same tier and the number of people affected by a realistic breach and the figure jumps into a range that can threaten the survival of a small organization. The math is not meant to frighten for its own sake. It is meant to show why the size of your patient or member population is itself a form of risk, and why the controls that limit how much data is exposed in any single incident, such as encryption and least-privilege access, pay for themselves many times over.
Because the count can be argued in more than one way, it helps to model a range rather than a single figure. Try the calculator with a conservative count, such as the number of records you are confident were exposed, and then again with a more aggressive count that an investigator might use, such as every record in the affected system or every day a control was missing. The gap between those two runs is the uncertainty you carry, and it is usually large. Narrowing it is not about better estimating after the fact. It is about holding less data, segmenting it so a single failure cannot reach all of it, and keeping records of access so you can show precisely what was and was not exposed instead of conceding the worst case.
The annual cap, and how exposure stacks beyond it
Each tier carries an annual cap, which is the most that can be imposed for all violations of a single identical requirement within one calendar year. For 2026 that cap is $2,190,294. When the calculator detects that your per-violation total has reached the cap, it says so, because past that point adding more violations of the same requirement does not increase the estimate for that requirement and that year. That can make the cap sound like a ceiling on total exposure. It is not.
The cap applies per requirement, per year. A serious enforcement case rarely involves only one requirement. An organization that suffers a major breach is often found to have violated several distinct standards at once: it failed to conduct a risk analysis, it failed to implement access controls, it failed to encrypt, and it failed to train its workforce. Each of those is a separate requirement with its own annual cap, and violations that span more than one calendar year reset the cap each year. That is how real resolutions reach figures far above a single cap even though each individual requirement is capped. The lesson is that breadth of noncompliance, not just the size of one breach, drives total exposure.
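The counting and capping rules just described, per-violation amounts multiplied by a count, with the cap applied separately to each requirement in each calendar year so that distinct requirements and years stack, can be modelled in a few lines. The Python below is an added example written for this page; it is not the calculator's own code. The cap is the 2026 figure the page gives; the per-tier minimums and maximums in TIER_RANGE are constructed placeholders, not the 45 CFR 102.3 figures, and should be replaced with the current table before any real use. The Finding and estimate names and the scenario are assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Annual cap per identical requirement, per calendar year (the 2026 figure stated on the page).
ANNUAL_CAP = 2_190_294

# Per-violation (minimum, maximum) by culpability tier. These are CONSTRUCTED
# placeholder amounts for illustration only; replace them with the current
# figures from the federal penalty table at 45 CFR 102.3 before relying on them.
TIER_RANGE = {
    1: (100, 50_000),          # did not know and could not reasonably have known
    2: (1_000, 50_000),        # reasonable cause, not willful neglect
    3: (10_000, 50_000),       # willful neglect, corrected within 30 days
    4: (50_000, ANNUAL_CAP),   # willful neglect, not corrected
}


@dataclass(frozen=True)
class Finding:
    """One group of violations of a single requirement in one calendar year."""
    requirement: str   # e.g. "risk analysis", "encryption", "workforce training"
    year: int          # calendar year the violations fall in
    tier: int          # culpability tier 1-4
    count: int         # number of violations (records, days, or instances)


def estimate(findings, tier_range=TIER_RANGE, cap=ANNUAL_CAP):
    """Return (low, high, capped_keys).

    low/high are the statutory range totals across all findings. The cap is
    applied per (requirement, year) bucket, so distinct requirements and
    distinct years each carry their own cap and stack on top of one another.
    capped_keys lists the buckets whose high end reached the cap.
    """
    low = defaultdict(int)
    high = defaultdict(int)
    for f in findings:
        if f.tier not in tier_range:
            raise ValueError(f"unknown tier {f.tier}")
        if f.count < 1:
            raise ValueError("count must be at least 1")
        per_min, per_max = tier_range[f.tier]
        key = (f.requirement, f.year)
        low[key] += per_min * f.count
        high[key] += per_max * f.count
    capped = sorted(k for k, v in high.items() if v >= cap)
    total_low = sum(min(v, cap) for v in low.values())
    total_high = sum(min(v, cap) for v in high.values())
    return total_low, total_high, capped


def conservative_vs_aggressive(requirement, year, tier, conservative, aggressive):
    """Model the counting uncertainty the page describes: the same requirement
    with a conservative count (records known to be exposed) and an aggressive
    one (every record in the system, or every day a control was missing).
    Returns ((low, high) for the conservative run, (low, high) for the aggressive run)."""
    lo = estimate([Finding(requirement, year, tier, conservative)])
    hi = estimate([Finding(requirement, year, tier, aggressive)])
    return (lo[0], lo[1]), (hi[0], hi[1])


if __name__ == "__main__":
    # Constructed scenario: a breach investigation finds three underlying gaps.
    scenario = [
        Finding("risk analysis", 2026, 4, 1),      # never performed, not corrected
        Finding("encryption", 2025, 3, 365),       # one violation per day, all of 2025
        Finding("encryption", 2026, 3, 100),       # 100 days into 2026 before it was fixed
    ]
    low, high, capped = estimate(scenario)
    print(f"statutory range: ${low:,} to ${high:,}")
    for req, yr in capped:
        print(f"  cap reached: {req} ({yr})")
    print(conservative_vs_aggressive("access controls", 2026, 2, 500, 10_000))
```

Two things the run makes visible that the prose only states: the encryption gap counts against the cap twice because it spans two calendar years, and once a bucket is capped the conservative and aggressive counts for that requirement converge, so the real uncertainty lives in how many distinct requirements and years an investigator can attach to the incident.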
What the statutory range is, and what it is not
It is important to read the calculator's output for what it is: the statutory range, the span the law allows. It is not a prediction of what you would actually pay. In the large majority of cases, the Office for Civil Rights resolves an investigation through a negotiated settlement, formally called a resolution agreement, rather than by imposing a civil money penalty at the statutory maximum. A resolution agreement typically pairs a monetary amount, which is usually well below the theoretical ceiling, with a corrective action plan that the organization must follow for a period of years under OCR monitoring.
That practical reality cuts both ways. The good news is that an honest organization that cooperates and remediates is unlikely to face the worst-case number the statute permits. The sobering news is that the corrective action plan itself is expensive and intrusive: it can require new policies, independent assessments, mandatory training, regular reporting, and years of oversight, on top of the breach notification costs, legal fees, and reputational damage that accompany any public enforcement action. The fine is often not even the largest line item. When you compare any of these outcomes against the cost of training and a documented compliance program, prevention wins by a wide margin every time.
Criminal penalties are a separate track
The penalties in this calculator are civil, but HIPAA also carries criminal penalties under 42 USC 1320d-6, prosecuted by the Department of Justice rather than the Office for Civil Rights. Criminal liability attaches when someone knowingly obtains or discloses protected health information in violation of the rules. The basic offense can bring a fine up to $50,000 and up to one year in prison. When the offense is committed under false pretenses, the exposure rises to $100,000 and up to five years. And when the information is taken with intent to sell it or to use it for commercial advantage, personal gain, or malicious harm, the penalty can reach $250,000 and up to ten years in prison.
These criminal cases are less common than civil enforcement, and they usually involve an individual who deliberately misused records, such as an employee snooping on a celebrity patient or selling data, rather than an organization with a compliance gap. They are a reminder that HIPAA is not only an organizational obligation. It reaches the individuals who handle protected health information, which is one more reason that workforce training, including a clear sanctions policy, protects both the organization and the people in it.
State attorneys general add another layer
Federal penalties are not the whole story either. The HITECH Act gave state attorneys general the power to bring civil actions for HIPAA violations on behalf of the residents of their state, and several have used it. On top of that, most states have their own medical privacy laws and data breach notification laws, many of which are stricter than HIPAA and carry their own penalties. A single incident can therefore trigger a federal OCR resolution, a state attorney general action, and liability under a separate state statute all at once. The calculator estimates only the federal civil penalties, so the real-world exposure for an organization operating in a strict-privacy state can be higher than the figure it shows.
The violations that actually draw penalties
Across years of enforcement, a relatively short list of failures shows up again and again. The single most cited problem is the absence of a current, thorough risk analysis, the foundational requirement of the Security Rule. Right behind it are missing or inadequate risk management, the failure to encrypt laptops and portable devices, a lack of access controls that let former employees or unauthorized staff reach records, impermissible disclosures of protected health information, missing business associate agreements with vendors, and the failure to give patients timely access to their own records, which has become its own enforcement initiative. Many of the largest settlements began as an ordinary lost laptop or a phishing email and grew because the investigation found these underlying gaps.
What ties the list together is that almost every item is preventable with routine, well-documented compliance work rather than expensive technology. A risk analysis is a process, not a product. Encryption is usually a configuration change. Access reviews and prompt offboarding are procedures. Business associate agreements are paperwork you put in place before a vendor touches data. Training is a scheduled rollout with a record attached. None of these is exotic, which is precisely why their absence weighs so heavily when OCR assesses culpability: they are the basic, expected safeguards, and not having them looks like neglect.
How training and documentation decide your tier
Here is the connection that turns this calculator from a scare tactic into a plan. The tier you land in is largely a function of what you can prove you did before the violation happened. An organization that conducted and documented a risk analysis, trained every workforce member who handles PHI and kept dated records of it, maintained written policies, and acted promptly when it found a problem presents as a good-faith actor that did not know and could not reasonably have prevented a specific incident. That profile points toward Tier 1 or Tier 2 and supports the mitigating factors OCR is required to weigh. An organization with none of that documentation presents as one that consciously disregarded its obligations, which points toward the willful-neglect tiers where the minimum penalties alone are an order of magnitude higher.
Training sits at the center of this picture for three reasons. It is an explicit requirement of the rule, so its absence is itself a violation. It is the control that prevents the everyday human mistakes, the misdirected fax, the phishing click, the casual snooping, that cause a large share of breaches. And it is the cheapest, fastest piece of evidence you can produce to show good faith. A documented training program for your whole workforce can be in place in a single rollout, and the dated certificates it produces are exactly the kind of proof that helps keep a good-faith organization in the lowest tier. Set against any penalty range the calculator can produce, the cost of certifying a team is a rounding error.
Turning the estimate into action
Use the calculator as a decision aid, not a verdict. Run your own realistic numbers: choose the tier you think you would actually fall into today, enter the number of records you hold, and look at the range. Then ask whether you have the documentation that would move you down a tier and the controls that would shrink the number of records exposed in any single incident. If the honest answer is that your risk analysis is out of date, your training is informal, or your vendor agreements are incomplete, you have just found the highest-return work you can do this quarter. Score your current posture with the risk assessment tool, close the training gap with an accredited course, and re-run this estimate with the tier you would then qualify for. The drop in the number is the financial case for prevention, made in your own figures.
Keep going
Guides and tools that lower the number
Penalties
HIPAA violation examples
Real categories of violations OCR cites most, from impermissible disclosures to missing risk analyses, with how to avoid each.
See the examples
Breach
HIPAA breach notification
Who you must notify, the 60-day deadline, and how the breach rule decides whether an incident is reportable at all.
Read the rule
Policy
HIPAA sanctions policy
The internal sanctions policy the rule requires, and how consistent enforcement protects you when OCR weighs your culpability.
Build the policy
Free tool
Free HIPAA risk assessment tool
Score your Security Rule posture and get a prioritized gap list. A current risk analysis is the single biggest factor in your penalty tier.
Score your risk
Free tool
HIPAA certification cost calculator
Compare what it costs to train and certify your team against the penalty exposure above. Prevention is almost always the cheaper line item.
Estimate cost
Free tool
Free HIPAA practice test
Check whether your team actually knows the rules with a scored practice exam and answer explanations.
Take the test
Penalty FAQ
Common questions about HIPAA violation penalties
Is this HIPAA penalty calculator free?
Yes. The calculator is completely free, runs entirely in your browser, and needs no account or email. Choose a culpability tier, enter the number of violations, and you get an instant estimated penalty range using the current federal amounts. Nothing you enter leaves your device.
How accurate are the penalty amounts?
The per-violation minimums and maximums and the annual cap are the inflation-adjusted civil monetary penalty figures published in the federal penalty table at 45 CFR 102.3, which implements 42 USC 1320d-5 and the tier structure at 45 CFR 160.404. HHS adjusts these amounts for inflation every year, so they are accurate for the current year but will change. The estimate is the statutory range, not a prediction of what the Office for Civil Rights would actually impose.
What is the maximum penalty for a HIPAA violation?
For a single violation in the most serious tier, uncorrected willful neglect, the penalty can reach the annual cap, which is $2,190,294 for 2026. That same figure is the calendar-year cap for all violations of one identical requirement. Because a breach usually involves many violations across several requirements, total exposure in large cases can run well into the millions even though each individual violation has its own range.
How does OCR decide which tier applies?
The tier turns on culpability. Tier 1 is for violations you did not know about and could not reasonably have known about. Tier 2 is reasonable cause that is not willful neglect. Tier 3 is willful neglect that you corrected within 30 days of discovery. Tier 4 is willful neglect you did not correct in time. Whether you had a documented training program, a current risk analysis, and written policies is central to where you land, which is why prevention has such a large financial payoff.
Are there criminal penalties too?
Yes, separately from these civil penalties. Knowingly obtaining or disclosing protected health information in violation of HIPAA can carry criminal fines up to $50,000 and up to one year in prison, rising to $100,000 and five years for offenses committed under false pretenses, and up to $250,000 and ten years when the intent is to sell, transfer, or use the information for commercial advantage, personal gain, or malicious harm. Criminal cases are prosecuted by the Department of Justice, not OCR, and are not included in this calculator.
Can a state also fine us for a HIPAA violation?
Yes. The HITECH Act gave state attorneys general authority to bring civil actions for HIPAA violations on behalf of their residents, and many states have their own medical privacy and data breach laws that carry separate penalties. A single incident can therefore draw a federal OCR resolution and a state action at the same time. This tool estimates only the federal civil penalties.
How do we lower our penalty exposure?
Move yourself toward Tier 1 and reduce the number of violations. In practice that means running and documenting a current risk analysis, training every workforce member who touches PHI and keeping dated proof, signing business associate agreements with vendors, encrypting devices and transmissions, and correcting any problem you find within 30 days. These are the same factors OCR weighs as mitigating, and they are far cheaper than any penalty in the range above.
The cheapest penalty is the one you prevent. Start with HIPAA certification or plan a team rollout for your whole workforce.
Prevention is the cheaper line item