HIPAA Settlements and Civil Money Penalties: A Small-Practice Reading List
5 min read · Last reviewed May 22, 2026
Where to read the primary record
Two HHS sources are the primary record:
- The OCR Enforcement Highlights and Settlement Agreements page lists every published Resolution Agreement with the underlying press release.
- The OCR Right of Access Initiative tracker and the broader press release log list smaller-dollar settlements with corrective action plans.
Read the actual Resolution Agreement and Corrective Action Plan (CAP) rather than relying on third-party summaries. The CAP is the document that defines what the entity actually had to do — often two or three years of quarterly evidence submissions and an annual independent attestation.
The civil money penalty tier structure
The civil money penalty (CMP) tier structure is codified at 45 CFR 160.404(b)(2)(2)), with the underlying CMP authority at 42 USC 1320d-5. HITECH established the four-tier culpability scheme. The actual dollar amounts are republished each year in HHS's inflation adjustment, generally codified at 45 CFR Part 102 and announced in the Federal Register. The four tiers, by culpability level:
- Tier 1 — the entity did not know and, by exercising reasonable diligence, would not have known of the violation
- Tier 2 — reasonable cause and not willful neglect
- Tier 3 — willful neglect, corrected within 30 days
- Tier 4 — willful neglect, not corrected
Each tier has its own per-violation minimum, per-violation maximum, and annual calendar-year cap on identical violations. The amounts move with the inflation adjustment, so practices should reference the most recent Federal Register adjustment notice for current figures rather than memorize numbers that drift. The general pattern is that Tier 1 carries the smallest per-violation floor and Tier 4 the largest, with multi-thousand-dollar to mid-six-figure per-violation ranges and per-tier annual caps.
Resolution agreements vs civil money penalties
OCR pursues two enforcement paths. Most resolved cases are Resolution Agreements with a voluntary monetary settlement and a Corrective Action Plan. CMPs are imposed when OCR formally adjudicates a violation; they are less frequent and usually involve entities that did not cooperate. Both outcomes appear on the Enforcement Highlights page. The published dollar figures across both paths range from low five figures for single-incident Right of Access cases up to multi-million-dollar settlements for large breaches with willful-neglect findings.
What recent small-practice settlements look like
Rather than cite specific dollar amounts that can drift, this section describes the patterns OCR has surfaced through small-practice Resolution Agreements:
- Right of Access timeliness: dozens of settlements through the Right of Access Initiative tied to failure to provide records within 30 days of a written request under 164.524. Many of these are five-figure settlements at small practices.
- No current written risk analysis: a recurring core finding across small-provider Resolution Agreements, often paired with a Corrective Action Plan that requires the entity to conduct an enterprise-wide risk analysis and submit it to OCR within a fixed window.
- No encryption decisions documented: practices that experienced laptop or device loss without documented encryption decisions under 164.312(a)(2)(iv)(2)(iv)) face higher exposure.
- Late breach notification: notice past 60 days from discovery under 164.404.
- Lack of training records: training was conducted but not documented in a way that survives the six-year retention requirement at 164.530(j)).
What a corrective action plan actually requires
A typical small-practice CAP runs two to three years and includes:
- Conduct a written, enterprise-wide risk analysis
- Implement a risk management plan addressing the findings
- Revise and adopt policies and procedures consistent with the Security and Privacy Rules
- Conduct workforce training on the revised policies
- Submit an Implementation Report and annual reports to OCR
- Engage an independent monitor or assessor in some cases
- Notify OCR of any breach or change of ownership during the CAP term
Reading two or three CAPs gives a practice a realistic sense of the operational burden of resolving an OCR matter — often heavier than the headline settlement amount.
What the State Attorney General path looks like
Section 13410(e) of HITECH — reflected in 42 USC 1320d-5(d) — authorizes state attorneys general to bring civil actions in federal district court to enforce HIPAA on behalf of state residents. HHS describes this authority on its State Attorneys General page. Several states have used it, sometimes with their own state-law data-protection theories layered on top. State AG actions are less centralized than OCR's, so a practice should monitor its own state AG's published enforcement actions in addition to the federal record.
Reading the record without panic
The published settlements are useful for two purposes:
- To identify the recurring gaps OCR finds — these are the gaps to close in the practice's own binder.
- To anchor the practice's expectations about CAP scope and duration.
The dollar figures matter less than the patterns. A practice that already maintains a current risk analysis, documented encryption decisions, training records, and a BAA log has substantially reduced its exposure to the most common findings.
Restraint about claims
No vendor or guide can promise the absence of a HIPAA settlement. The published enforcement record is a learning instrument, not a scoring instrument. OCR weighs the totality of evidence in each case.
How D3rx fits
D3rx SRA Binder Studio organizes the documentation OCR repeatedly asks for — risk analysis, risk management, encryption decisions, training records, BAA log, breach log. Every section links to the underlying HHS, OCR, eCFR, or NIST source. It is a point-in-time administrative documentation aid; the practice remains responsible for the substance and for engaging counsel during any actual OCR engagement.
Next steps
See where your practice currently stands with the free 5-question readiness check, or review the full workflow and pricing on the main SRA page.
Where do you stand on your SRA today?
Five quick questions, no signup. You'll see which Security Rule sections your practice already has covered and which ones still need work.
This article is an administrative documentation aid. It does not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. The practice remains responsible for reviewing, adopting, and maintaining its compliance program. References cited link to primary sources at HHS, OCR, the Code of Federal Regulations, and NIST.
D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.
Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.
- Enforcement Highlights and Settlement Agreements pagehttps://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html
- Right of Access Initiative trackerhttps://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/raj-medical-clinic/index.html
- press release loghttps://www.hhs.gov/hipaa/newsroom/index.html
- 45 CFR 160.404(b)(2)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160/subpart-D/section-160.404#p-160.404(b
- 42 USC 1320d-5https://uscode.house.gov/view.xhtml?req=granuleid:USC-prelim-title42-section1320d-5
- 45 CFR Part 102https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-A/part-102
- Federal Register adjustment noticehttps://www.federalregister.gov/
- 164.524https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.524
- 164.312(a)(2)(iv)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.312#p-164.312(a
- 164.404https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.404
- 164.530(j)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.530#p-164.530(j
- State Attorneys General pagehttps://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/state-attorneys-general/index.html
Sources verified as of May 22, 2026
This guide is a plain-English summary maintained by D3rx for healthcare practice administrators. It is not legal advice, medical advice, or accounting advice. The authoritative source is the cited regulation or agency document. Always confirm with qualified counsel before acting on a specific compliance question affecting your practice.
Related Guides
What to Do If You Get an OCR Audit Letter
5 min readAudits and EnforcementOCR Audit Protocol: What Small Practices Should Expect
5 min readAudits and EnforcementThe HIPAA Breach Notification Rule, Explained
6 min readAudits and EnforcementChange Healthcare Ransomware: What Small Practices Took Away
6 min readRelated across the archive
- SRAThe HIPAA Breach Notification Rule, ExplainedThe four-factor risk assessment at 45 CFR 164.402, the 60-day individual notice clock at 164.404, the HHS/media notice paths, and the small-practice annual report under 164.408(c).
- SRAWhat to Do If You Get an OCR Audit LetterA step-by-step response framework for a small practice that receives an OCR HIPAA audit or investigation letter, drawn from OCR's audit protocol and published Resolution Agreements.
- SRAOCR Audit Protocol: What Small Practices Should ExpectHow the HHS Office for Civil Rights HIPAA Audit Protocol is structured, what OCR has publicly announced about the audit program restart, and how a small practice prepares its binder against the protocol's audited elements.
- SRAChange Healthcare Ransomware: What Small Practices Took AwayThe February 2024 Change Healthcare cyberattack, what HHS and UnitedHealth Group disclosed, and the small-practice lessons about clearinghouse concentration risk, contingency planning, and the Security Rule's information system activity review.
- RegulationHIPAA Civil Money Penalty Tiers (45 CFR 160.404)The four-tier culpability and penalty structure for HIPAA civil money penalties, with statutory caps adjusted annually for inflation.
- RegulationHIPAA Criminal Enforcement (42 USC 1320d-6)Criminal sanctions for knowingly obtaining or disclosing PHI in violation of HIPAA, enforced by the Department of Justice rather than HHS, with three tiers escalating to ten years' imprisonment.
- ComplianceAnnual HIPAA Training Curriculum (What to Cover + How to Document)A 2026 annual HIPAA training curriculum for small healthcare practices — eight required modules under 45 CFR 164.530(b) and 45 CFR 164.308(a)(5), with documentation templates.
- GlossaryOCR Civil Monetary Penalties (HIPAA)HHS Office for Civil Rights' tiered CMP structure for HIPAA violations, with maximums adjusted annually for inflation.