HIPAA Civil vs Criminal Penalties
HIPAA civil penalties (OCR) escalate by culpability tier and are capped per identical violation per year. Criminal penalties (DOJ) apply to knowing disclosure, with prison terms up to 10 years.
Last reviewed May 24, 2026
Side by side
Civil Penalties
Civil monetary penalties imposed by HHS OCR for violations of HIPAA. Four tiers based on the violator's culpability, with annual caps per identical violation.
45 CFR Part 160 Subpart D- Enforced by HHS OCR under 45 CFR Part 160 Subpart D.
- Tier 1 (lack of knowledge) → Tier 4 (willful neglect, not corrected).
- Annual cap per identical violation; HHS may also reach settlement (Resolution Agreement + Corrective Action Plan).
Criminal Penalties
Criminal prosecution under 42 USC 1320d-6 for knowingly obtaining or disclosing individually identifiable health information in violation of HIPAA.
42 USC 1320d-6- Enforced by DOJ.
- Tier 1: knowingly — up to $50,000 + 1 year.
- Tier 2: under false pretenses — up to $100,000 + 5 years.
- Tier 3: with intent to sell, transfer, use for commercial advantage, personal gain, malicious harm — up to $250,000 + 10 years.
When to use Civil Penalties
- Evaluating exposure for compliance gaps — late breach notification, missing BAAs, insufficient safeguards.
When to use Criminal Penalties
- Evaluating exposure when an employee knowingly accessed a record outside their role (snooping, selling celebrity records, etc.).
Common mistakes
- Treating civil penalties as the only exposure — knowing employee misconduct also creates criminal exposure.
- Assuming intent is required for civil penalties (it is not — tier 1 applies even without knowledge).
- Ignoring the corrective action component of OCR enforcement — settlements typically include a multi-year CAP.
Sources
- HHS OCR — Enforcement Processhttps://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/index.html
- 45 CFR Part 160 Subpart D (Civil)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160/subpart-D
- 42 USC 1320d-6 (Criminal)https://www.govinfo.gov/content/pkg/USCODE-2022-title42/html/USCODE-2022-title42-chap7-subchapXI-partC-sec1320d-6.htm
Related
Map exposure in the SRA readiness check
Open sra studio →D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.
Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.
This comparison is a research aid for billing and compliance staff. It does not provide legal, medical, or financial advice and does not replace counsel. References cited link to primary sources at CMS, HHS, OCR, eCFR, NIST, and the relevant payer or state regulator. Last reviewed May 24, 2026.