Audits and Enforcement

HIPAA Settlements and Civil Money Penalties: A Small-Practice Reading List

5 min read · Last reviewed May 22, 2026

Where to read the primary record

Two HHS sources are the primary record:

Read the actual Resolution Agreement and Corrective Action Plan (CAP) rather than relying on third-party summaries. The CAP is the document that defines what the entity actually had to do — often two or three years of quarterly evidence submissions and an annual independent attestation.

The civil money penalty tier structure

The civil money penalty (CMP) tier structure is codified at 45 CFR 160.404(b)(2)(2)), with the underlying CMP authority at 42 USC 1320d-5. HITECH established the four-tier culpability scheme. The actual dollar amounts are republished each year in HHS's inflation adjustment, generally codified at 45 CFR Part 102 and announced in the Federal Register. The four tiers, by culpability level:

  • Tier 1 — the entity did not know and, by exercising reasonable diligence, would not have known of the violation
  • Tier 2 — reasonable cause and not willful neglect
  • Tier 3 — willful neglect, corrected within 30 days
  • Tier 4 — willful neglect, not corrected

Each tier has its own per-violation minimum, per-violation maximum, and annual calendar-year cap on identical violations. The amounts move with the inflation adjustment, so practices should reference the most recent Federal Register adjustment notice for current figures rather than memorize numbers that drift. The general pattern is that Tier 1 carries the smallest per-violation floor and Tier 4 the largest, with multi-thousand-dollar to mid-six-figure per-violation ranges and per-tier annual caps.

Resolution agreements vs civil money penalties

OCR pursues two enforcement paths. Most resolved cases are Resolution Agreements with a voluntary monetary settlement and a Corrective Action Plan. CMPs are imposed when OCR formally adjudicates a violation; they are less frequent and usually involve entities that did not cooperate. Both outcomes appear on the Enforcement Highlights page. The published dollar figures across both paths range from low five figures for single-incident Right of Access cases up to multi-million-dollar settlements for large breaches with willful-neglect findings.

What recent small-practice settlements look like

Rather than cite specific dollar amounts that can drift, this section describes the patterns OCR has surfaced through small-practice Resolution Agreements:

  • Right of Access timeliness: dozens of settlements through the Right of Access Initiative tied to failure to provide records within 30 days of a written request under 164.524. Many of these are five-figure settlements at small practices.
  • No current written risk analysis: a recurring core finding across small-provider Resolution Agreements, often paired with a Corrective Action Plan that requires the entity to conduct an enterprise-wide risk analysis and submit it to OCR within a fixed window.
  • No encryption decisions documented: practices that experienced laptop or device loss without documented encryption decisions under 164.312(a)(2)(iv)(2)(iv)) face higher exposure.
  • Late breach notification: notice past 60 days from discovery under 164.404.
  • Lack of training records: training was conducted but not documented in a way that survives the six-year retention requirement at 164.530(j)).

What a corrective action plan actually requires

A typical small-practice CAP runs two to three years and includes:

  • Conduct a written, enterprise-wide risk analysis
  • Implement a risk management plan addressing the findings
  • Revise and adopt policies and procedures consistent with the Security and Privacy Rules
  • Conduct workforce training on the revised policies
  • Submit an Implementation Report and annual reports to OCR
  • Engage an independent monitor or assessor in some cases
  • Notify OCR of any breach or change of ownership during the CAP term

Reading two or three CAPs gives a practice a realistic sense of the operational burden of resolving an OCR matter — often heavier than the headline settlement amount.

What the State Attorney General path looks like

Section 13410(e) of HITECH — reflected in 42 USC 1320d-5(d) — authorizes state attorneys general to bring civil actions in federal district court to enforce HIPAA on behalf of state residents. HHS describes this authority on its State Attorneys General page. Several states have used it, sometimes with their own state-law data-protection theories layered on top. State AG actions are less centralized than OCR's, so a practice should monitor its own state AG's published enforcement actions in addition to the federal record.

Reading the record without panic

The published settlements are useful for two purposes:

  1. To identify the recurring gaps OCR finds — these are the gaps to close in the practice's own binder.
  2. To anchor the practice's expectations about CAP scope and duration.

The dollar figures matter less than the patterns. A practice that already maintains a current risk analysis, documented encryption decisions, training records, and a BAA log has substantially reduced its exposure to the most common findings.

Restraint about claims

No vendor or guide can promise the absence of a HIPAA settlement. The published enforcement record is a learning instrument, not a scoring instrument. OCR weighs the totality of evidence in each case.

How D3rx fits

D3rx SRA Binder Studio organizes the documentation OCR repeatedly asks for — risk analysis, risk management, encryption decisions, training records, BAA log, breach log. Every section links to the underlying HHS, OCR, eCFR, or NIST source. It is a point-in-time administrative documentation aid; the practice remains responsible for the substance and for engaging counsel during any actual OCR engagement.

Next steps

See where your practice currently stands with the free 5-question readiness check, or review the full workflow and pricing on the main SRA page.

Where do you stand on your SRA today?

Five quick questions, no signup. You'll see which Security Rule sections your practice already has covered and which ones still need work.

This article is an administrative documentation aid. It does not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. The practice remains responsible for reviewing, adopting, and maintaining its compliance program. References cited link to primary sources at HHS, OCR, the Code of Federal Regulations, and NIST.

Authored by D3rx

D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.

Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.

Sources & Citations
  1. Enforcement Highlights and Settlement Agreements pagehttps://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html
  2. Right of Access Initiative trackerhttps://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/raj-medical-clinic/index.html
  3. press release loghttps://www.hhs.gov/hipaa/newsroom/index.html
  4. 45 CFR 160.404(b)(2)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160/subpart-D/section-160.404#p-160.404(b
  5. 42 USC 1320d-5https://uscode.house.gov/view.xhtml?req=granuleid:USC-prelim-title42-section1320d-5
  6. 45 CFR Part 102https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-A/part-102
  7. Federal Register adjustment noticehttps://www.federalregister.gov/
  8. 164.524https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.524
  9. 164.312(a)(2)(iv)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.312#p-164.312(a
  10. 164.404https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.404
  11. 164.530(j)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.530#p-164.530(j
  12. State Attorneys General pagehttps://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/state-attorneys-general/index.html

Sources verified as of May 22, 2026

Research Aid Notice

This guide is a plain-English summary maintained by D3rx for healthcare practice administrators. It is not legal advice, medical advice, or accounting advice. The authoritative source is the cited regulation or agency document. Always confirm with qualified counsel before acting on a specific compliance question affecting your practice.

Related Guides