OCR Civil Monetary Penalties (HIPAA)
HHS Office for Civil Rights' tiered CMP structure for HIPAA violations, with maximums adjusted annually for inflation.
1 min read · Last reviewed May 23, 2026
At a glance
- Category
- Compliance Program
- Primary sources
- 1
- Workspace handoff
- compliance binder →
Where this comes up
Compliance committees and practice managers operate at this level — written policy, workforce training, sanction policy, monitoring and auditing cadence, response and corrective action. The seven elements of an effective compliance program (OIG) are the scaffolding; this term lives somewhere on that scaffold.
Full definition
What it is in practice
HITECH Act established four tiers: Tier 1 (no knowledge), Tier 2 (reasonable cause), Tier 3 (willful neglect, corrected), Tier 4 (willful neglect, not corrected). Annual maximums are inflation-adjusted.
How it shows up in your practice
Most enforcement is settlement-driven (Resolution Agreements with Corrective Action Plans), not CMP. But the CMP tier structure frames every OCR negotiation.
Sources
- HHS OCR — Enforcement Highlightshttps://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-highlights/index.html
Document OCR exposure in the Compliance Binder
Open compliance binder →Related terms
- Compliance ProgramCivil Monetary PenaltiesAdministrative penalties HHS-OIG may impose on healthcare providers for various violations including HIPAA breaches, kickbacks, and billing for excluded individuals.
- HIPAA & PrivacyOCR Right of Access InitiativeHHS Office for Civil Rights' enforcement focus on the patient right of access under 45 CFR 164.524.
- HIPAA & PrivacyHIPAA Breach Notification RuleThe federal rule at 45 CFR Part 164 Subpart D requiring covered entities and business associates to notify affected individuals, HHS, and sometimes the media after a breach of unsecured PHI.
D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.
Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.
Related across the archive
- GlossaryOCR Right of Access InitiativeHHS Office for Civil Rights' enforcement focus on the patient right of access under 45 CFR 164.524.
- GlossaryCivil Monetary PenaltiesAdministrative penalties HHS-OIG may impose on healthcare providers for various violations including HIPAA breaches, kickbacks, and billing for excluded individuals.
- GlossaryHIPAA Breach Notification RuleThe federal rule at 45 CFR Part 164 Subpart D requiring covered entities and business associates to notify affected individuals, HHS, and sometimes the media after a breach of unsecured PHI.
- RegulationHITECH Act Overview (Pub. L. 111-5, Title XIII)Title XIII of the American Recovery and Reinvestment Act amended HIPAA in 2009 to add breach notification, direct business associate liability, increased penalties, and the Meaningful Use program.
- BillingWhat to Do When a Payer Says You're UnderbillingGot a letter saying you're underbilling? Here's what it actually means, whether you should worry, and what action to take.
- SRAHIPAA Settlements and Civil Money Penalties: A Small-Practice Reading ListHow HHS Office for Civil Rights publishes its enforcement record, the tiered civil money penalty structure at 45 CFR 160.404, and what recent small-practice settlements actually say.
- ComplianceAmbulatory Surgery Center Compliance: CMS + State + Infection Control42 CFR Part 416 Conditions for Coverage, CMS State Operations Manual Appendix L, the ASC Infection Control Surveyor Worksheet, and where state ASC licensure tightens the standard.
- ComplianceAnnual HIPAA Training Curriculum (What to Cover + How to Document)A 2026 annual HIPAA training curriculum for small healthcare practices — eight required modules under 45 CFR 164.530(b) and 45 CFR 164.308(a)(5), with documentation templates.
This glossary entry is a research aid for billing and compliance staff. It does not provide legal, medical, or financial advice and does not replace counsel. References cited link to primary sources at HHS, OCR, CMS, eCFR, NIST, and the relevant payer or industry body.