HHS updates HIPAA penalty amounts to reflect inflation adjustment
Farah Amod
February 16, 2026
The Office for Civil Rights has applied a delayed inflation increase to civil penalties for HIPAA violations.
What happened
The Department of Health and Human Services Office for Civil Rights has increased civil monetary penalties for HIPAA violations, effective January 28, 2026, following publication of the updated amounts in the Federal Register. The adjustment aligns with the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015, which requires annual updates to preserve the deterrent effect of enforcement actions. Although the adjustment was due in January 2025, OCR applied the increase more than a year later, making the new penalty amounts effective immediately upon publication.
Going deeper
HIPAA penalties are structured across four tiers, based on an organization’s level of knowledge and corrective action. While the statutory framework allows for major per-violation penalties and annual caps, OCR continues to operate under its 2019 Notice of Enforcement Discretion, which reduced maximum penalties for three of the four tiers. As a result, although higher penalty ceilings now exist on paper, OCR has limited its own enforcement authority unless the notice is withdrawn through formal rulemaking. The inflation adjustment also clarified that violations occurring before November 2, 2015, or penalties assessed before September 6, 2016, remain subject to earlier penalty schedules.
What was said
In the Federal Register notice published January 28, 2026, the HHS Office for Civil Rights explained the statutory basis for the update, noting that the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015 “is intended to improve the effectiveness of CMPs and to maintain the deterrent effect of such penalties” and “requires agencies to adjust the CMPs for inflation annually.” The notice also described the action’s scope, saying HHS “is updating its regulations to reflect required annual inflation-related increases to the civil monetary penalty (CMP) amounts,” and clarified that the adjusted amounts “apply to penalties assessed on or after the date of publication … if the violation occurred on or after November 2, 2015.”
In the know
HIPAA penalties rarely make headlines, but enforcement has remained consistent. In 2024, the HHS Office for Civil Rights reported that since the Privacy Rule took effect, it had received more than 371,000 HIPAA complaints and opened over 1,100 compliance reviews. Most cases were resolved without financial penalties, but more than 31,000 investigations led to required changes in privacy and security practices, and total civil penalties and settlements reached nearly $144 million. While OCR continues to rely primarily on corrective action rather than maximum fines, inflation-adjusted penalty amounts could increase potential exposure if the enforcement posture shifts.
The big picture
The inflation adjustment comes at a time when HIPAA enforcement has been steady, not symbolic. Research published in Perspectives in Health Information Management warned that “the threat of HIPAA enforcement exists for healthcare organizations both large and small and should not be taken lightly,” noting that OCR continued to announce resolution agreements and corrective actions even during the pandemic. That history matters. OCR’s 2024 enforcement data shows most cases are still resolved through required changes rather than headline fines, but penalties remain very real when organizations fail to address recurring gaps. The updated penalty amounts do not change how HIPAA is enforced day to day, but they raise the financial consequences if enforcement discretion tightens or corrective action is delayed.
FAQs
Do the new penalty amounts apply retroactively?
No. The updated amounts apply only to penalties assessed after the effective date of publication and do not retroactively affect closed cases.
Does the inflation increase mean that higher fines will be imposed immediately?
Not necessarily. OCR continues to apply its enforcement discretion guidance, which limits maximum penalties in most cases.
Can OCR remove its 2019 enforcement discretion policy?
Yes. OCR can rescind the notice at any time, although doing so would likely involve public notice and legal scrutiny.
How do Part 2 regulation penalties differ from HIPAA penalties?
Part 2 penalties follow a similar tier structure but start from lower statutory amounts, resulting in lower financial exposure despite the sensitivity of substance use disorder data.
What should covered entities do in response to the update?
Organizations should review compliance programs, documentation practices, and breach response procedures, as inflation-adjusted penalties increase potential exposure if enforcement discretion changes.
