Comparison · Compliance

HIPAA Civil vs Criminal Penalties

HIPAA civil penalties (OCR) escalate by culpability tier and are capped per identical violation per year. Criminal penalties (DOJ) apply to knowing disclosure, with prison terms up to 10 years.

Last reviewed May 24, 2026

Side by side

Option A

Civil Penalties

Civil monetary penalties imposed by HHS OCR for violations of HIPAA. Four tiers based on the violator's culpability, with annual caps per identical violation.

45 CFR Part 160 Subpart D
  • Enforced by HHS OCR under 45 CFR Part 160 Subpart D.
  • Tier 1 (lack of knowledge) → Tier 4 (willful neglect, not corrected).
  • Annual cap per identical violation; HHS may also reach settlement (Resolution Agreement + Corrective Action Plan).
Option B

Criminal Penalties

Criminal prosecution under 42 USC 1320d-6 for knowingly obtaining or disclosing individually identifiable health information in violation of HIPAA.

42 USC 1320d-6
  • Enforced by DOJ.
  • Tier 1: knowingly — up to $50,000 + 1 year.
  • Tier 2: under false pretenses — up to $100,000 + 5 years.
  • Tier 3: with intent to sell, transfer, use for commercial advantage, personal gain, malicious harm — up to $250,000 + 10 years.
Enforced by
CivilHHS OCR
CriminalDOJ
Type of liability
CivilCivil monetary penalty + corrective action
CriminalCriminal — fines + imprisonment
Trigger
CivilViolation of any HIPAA standard (intent not required)
CriminalKnowing acquisition/disclosure of identifiable health information in violation of HIPAA
Both can apply
CivilYes — same conduct may face both
CriminalYes — civil and criminal proceedings are not mutually exclusive

When to use Civil Penalties

  • Evaluating exposure for compliance gaps — late breach notification, missing BAAs, insufficient safeguards.

When to use Criminal Penalties

  • Evaluating exposure when an employee knowingly accessed a record outside their role (snooping, selling celebrity records, etc.).

Common mistakes

  • Treating civil penalties as the only exposure — knowing employee misconduct also creates criminal exposure.
  • Assuming intent is required for civil penalties (it is not — tier 1 applies even without knowledge).
  • Ignoring the corrective action component of OCR enforcement — settlements typically include a multi-year CAP.

Sources

Take it into the workspace

Map exposure in the SRA readiness check

Open sra studio
Authored by D3rx

D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.

Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.

This comparison is a research aid for billing and compliance staff. It does not provide legal, medical, or financial advice and does not replace counsel. References cited link to primary sources at CMS, HHS, OCR, eCFR, NIST, and the relevant payer or state regulator. Last reviewed May 24, 2026.