Two HIPAA Changes in 2026 That Affect Enforcement Action

Penalties for HIPAA Regulation Violations in 2026

HIPAA enforcement last changed materially in 2019, when OCR published a Notice of Enforcement Discretion after reinterpreting the penalty provisions of the HITECH Act. The HITECH Act raised the penalties for non-compliance with the HIPAA Rules and created four penalty tiers based on the level of culpability. Until 2019, HHS read the HITECH Act as imposing the same $1.5 million annual cap on all four tiers. In April 2019, HHS reinterpreted the statute so that each tier has its own annual cap, in addition to its per-violation minimum and maximum amounts; all of these figures are adjusted for inflation each year. The current amounts are shown in the following table.

Tier  Culpability                                       Penalty per violation  Annual penalty limit
1     Lack of knowledge                                 $141 to $35,581        $35,581
2     Reasonable cause                                  $1,424 to $71,162      $142,355
3     Willful neglect (corrected within 30 days)        $14,232 to $71,162     $355,808
4     Willful neglect (not corrected within 30 days)    $71,162 to $2,134,831  $2,134,831

The table combines the penalty amounts published in the Federal Register on August 8, 2024 (the most recent inflation adjustment) with the per-tier annual limits set out in the April 2019 Notice of Enforcement Discretion. Because that change was made through a Notice of Enforcement Discretion rather than through rulemaking, it is not legally binding, but it remains in effect indefinitely, i.e. until OCR withdraws it or replaces it through a formal rule.

Civil monetary penalties are adjusted for inflation every year. The Office of Management and Budget (OMB) set the inflation multiplier for 2025 at 1.02598, and agencies were required to apply it by January 15, 2025. OCR, however, is usually slow to implement inflation increases and has not yet announced the higher penalty amounts that result from the 2025 multiplier. A further adjustment is due by January 15, 2026, so the most likely outcome is that OCR will publish a single increase in 2026 rather than separate 2025 and 2026 increases.

Health Breach Notification Rule Updates

A great deal of health data is collected, processed, and transmitted by organizations that are not subject to HIPAA. That data is not protected health information (PHI), so the HIPAA Rules do not apply to it. A breach of health data at a HIPAA-covered entity (or its business associate) must be handled under the HIPAA Breach Notification Rule. A breach at an entity outside HIPAA is instead governed by the Federal Trade Commission's (FTC) Health Breach Notification Rule (HBNR), provided the entity falls within that rule's scope: vendors of personal health records (PHRs), PHR-related entities, and their third-party service providers.

On April 26, 2024, the FTC finalized amendments to the Health Breach Notification Rule that add new and revised definitions to extend its coverage to health apps and similar technologies not subject to HIPAA, for example websites and mobile apps that collect health information but are not operated by HIPAA-covered entities. The amendments also make clear that a "breach of security" includes an unauthorized disclosure of identifiable health information, not only a data security incident such as a hack. They expand the permitted methods of notifying consumers (including electronic notice), set new content requirements for consumer notifications, and require the FTC to be notified of breaches affecting 500 or more individuals at the same time as those individuals are notified. The notification timeframe is aligned with HIPAA: notifications must be issued without unreasonable delay and no later than 60 calendar days after the breach is discovered.