HIPAA Penalties in 2026: What Changed and What's Getting Enforced
OCR Is Done Being Patient
The Office for Civil Rights has been signaling for two years that it was shifting from a guidance-and-education posture to an enforcement posture. In 2026, that shift is visible in the numbers. Investigations are moving faster, resolution agreements are larger, and the categories of violations drawing the most attention have changed.
If you're a healthcare provider or health system, the compliance landscape you learned a few years ago is not the one you're operating in today.
The Four-Tier Penalty Structure
HIPAA's civil money penalties are organized into four tiers based on culpability. The tiers haven't changed structurally, but annual inflationary adjustments push the maximums up each year — and OCR has become more aggressive about which tier it assigns to a given violation.
Here's where the tiers stand in 2026:
- Tier 1 — Did Not Know: $100 to $50,000 per violation, up to $25,000 annual cap for identical violations. This applies when the covered entity didn't know and couldn't reasonably have known about the violation.
- Tier 2 — Reasonable Cause: $1,000 to $50,000 per violation, up to $100,000 annual cap. The covered entity had reason to know but the violation wasn't due to willful neglect.
- Tier 3 — Willful Neglect, Corrected: $10,000 to $50,000 per violation, up to $250,000 annual cap. Willful neglect means conscious, intentional failure to comply — but the problem was fixed.
- Tier 4 — Willful Neglect, Not Corrected: $50,000 per violation, up to $1.9 million annual cap. This is where organizations face the largest exposures.
OCR has been using Tier 3 and 4 classifications more frequently. A practice that deploys a tool touching PHI without doing a risk assessment used to be treated as Tier 1 or 2 by default. Increasingly, it's getting categorized as willful neglect — especially if the organization had prior compliance guidance or if OCR finds evidence the issue was flagged internally.
What OCR Is Actually Investigating in 2026
Three violation categories are dominating OCR's enforcement docket right now.
Ransomware Response Failures
Ransomware incidents are investigated as potential HIPAA breaches. The logic: if malicious actors gained access to systems holding PHI and encrypted them, OCR presumes the PHI was accessed until the covered entity proves otherwise. That presumption is hard to rebut without solid audit logging and access controls.
The enforcement pattern in recent years has been to look past the ransomware event itself and find underlying security gaps — missing risk assessments, inadequate access controls, no audit logs. HHS has been explicit that ransomware attacks are the leading driver of large-scale PHI breaches, and OCR investigations follow the money: large incidents get full investigations.
Right of Access Violations
The HIPAA Right of Access — patients' right to get copies of their medical records within 30 days — has been OCR's highest-volume enforcement category since 2019. The initiative has generated over $30 million in settlements. It hasn't slowed down.
Common violations: charging excessive fees for record copies, ignoring requests entirely, delivering records in unusable formats, or requiring patients to use proprietary portals that create access barriers. OCR's enforcement database shows dozens of these settlements per year, including solo practices and small group practices — not just large health systems.
Risk Assessment Gaps
This is the big one for 2026 specifically. OCR audits increasingly start with one question: can you show us your risk assessment? The requirement under 45 CFR 164.308(a)(1) has existed since 2005. But enforcement of it has intensified sharply, particularly in cases involving AI tool adoption.
The reasoning: deploying new technology that handles PHI without first assessing the risks is exactly the kind of organizational failure OCR considers willful neglect when the organization had the resources and knowledge to comply.
AI Adoption Creates New Compliance Surface Area
Here's the enforcement dynamic that's new in 2026: AI tools are everywhere in healthcare now, and most of them were deployed without proper HIPAA review.
Clinical AI tools, documentation assistants, ambient scribes, coding tools — many of these ingested or processed PHI from the moment they were turned on. Vendors pitched them as productivity tools. Compliance teams didn't always get a seat at the table. Risk assessments weren't updated to reflect the new data flows.
OCR is now explicitly treating failure to include AI tools in security risk assessments as a compliance gap. The agency has published guidance stating that organizations must assess new technology deployments as part of their ongoing risk management obligations. That's not new law — it's the existing risk assessment requirement applied to new facts.
The practical implication: if you deployed an AI documentation tool in 2024 or 2025 without updating your risk assessment, you have a documented gap. If OCR investigates you for any reason, that gap becomes part of the picture.
The Penalty Math Is Getting Worse
Penalties are per violation, not per incident. A single ransomware event that exposed 10,000 patient records could technically be characterized as 10,000 separate violations of the Security Rule. OCR doesn't always go that route, but it has the latitude to.
In practice, OCR tends to settle on resolution agreements rather than push for maximum statutory penalties. But the settlement amounts have increased. The average resolution agreement involving a security incident now runs $500,000 to $2 million for mid-sized organizations. Large health systems have seen $5 million to $16 million settlements.
That's before state attorneys general get involved. Several states now have parallel enforcement authority over HIPAA violations, and they've been using it.
What Actually Reduces Your Risk
The good news is that most of what OCR looks for in enforcement cases is documented evidence of reasonable compliance effort. Organizations that get hit with large penalties typically share a common profile: no current risk assessment, no documented security policies, no audit logs, and no evidence of active compliance management.
Three things have the most impact on enforcement outcomes:
First, a current risk assessment. "Current" means updated when you add new systems, change workflows, or experience a significant organizational change. An assessment from 2021 doesn't cover your 2024 AI tools. OCR will notice.
Second, documented responses to identified risks. Finding a risk and doing nothing about it is almost worse than not finding it. Your risk assessment should feed a remediation plan, and that plan should have completion dates and responsible parties.
Third, vendor management. Every Business Associate that handles PHI on your behalf needs a valid BAA. Many organizations have vendor relationships that predate their current compliance program and were never formalized. OCR finds these.
The Safer Architecture: Start With Less PHI
One underrated risk-reduction strategy is designing workflows that minimize PHI exposure in the first place. The smallest compliance risk comes from PHI that was never shared with a vendor — because de-identified data isn't PHI at all.
This is the logic behind how Luma approaches prior authorization documentation. By applying Safe Harbor de-identification before any data reaches the AI layer, there's no PHI in the system, no Business Associate relationship, and no new compliance surface area to assess. The risk assessment picture is simpler because the data scope is narrower.
It's not the right architecture for every use case. But for documentation workflows — where the clinical data you need and the identifying data HIPAA protects are largely separable — it's worth considering before negotiating your next BAA or updating your next risk assessment.
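As an added example (not Luma's code or anything from the page's sources), the following Python sketches the field-level Safe Harbor de-identification step described above for a constructed prior-authorization record: fields are dropped unless allow-listed, dates keep only the year, ages over 89 collapse to 90+, ZIP codes truncate to three digits, and free-text notes get a best-effort regex scrub. The field names, the allow-list and the regex patterns are assumptions; the restricted ZIP prefixes come from HHS Safe Harbor guidance.

```python
# Added example: Safe Harbor de-identification (45 CFR 164.514(b)(2)) applied
# before a record reaches any AI or vendor layer. Not Luma's or HHS code.
import re
from datetime import date

# Clinical fields the workflow needs (assumed). Everything else is dropped by
# default, so a new EHR field cannot leak by accident.
CLINICAL_ALLOWLIST = {"diagnosis_codes", "procedure_code", "clinical_notes"}

# Three-digit ZIP prefixes with population <= 20,000 must become "000"
# (HHS Safe Harbor guidance, 2000 census list; re-check before relying on it).
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790",
                   "821", "823", "830", "831", "878", "879", "884", "890", "893"}

# Best-effort patterns for identifiers that leak into free-text notes (assumed).
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\(?\d{3}\)?[-. ]?\d{3}[-. ]\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"), "[DATE]"),
    (re.compile(r"\bMRN[:# ]*\d+\b", re.I), "[MRN]"),
]

def generalize_zip(zip_code: str) -> str:
    """Keep the first three digits only; low-population prefixes become 000."""
    zip3 = zip_code[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3

def generalize_age(dob: date, as_of: date) -> str:
    """Replace date of birth with age; ages over 89 collapse to '90+'."""
    age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    return "90+" if age > 89 else str(age)

def scrub_free_text(text: str) -> str:
    for pattern, token in FREE_TEXT_PATTERNS:
        text = pattern.sub(token, text)
    return text

def deidentify(record: dict, as_of: date) -> dict:
    out = {k: record[k] for k in CLINICAL_ALLOWLIST if k in record}
    out["clinical_notes"] = scrub_free_text(out.get("clinical_notes", ""))
    out["age"] = generalize_age(record["dob"], as_of)
    out["zip3"] = generalize_zip(record["zip"])
    out["service_year"] = record["service_date"].year  # dates keep only the year
    return out

# Constructed sample record (fictional patient, not real data).
SAMPLE = {"name": "Jane Q. Sample", "mrn": "00012345", "dob": date(1931, 5, 2),
          "zip": "03601", "phone": "555-123-4567", "service_date": date(2026, 2, 14),
          "diagnosis_codes": ["M17.11"], "procedure_code": "27447",
          "clinical_notes": "Pt (MRN 00012345) seen 2/14/2026, call 555-123-4567."}
AS_OF = date(2026, 3, 1)

if __name__ == "__main__":
    print(deidentify(SAMPLE, AS_OF))
```

Regex scrubbing of free text is the weak link: it is a last line of defense behind the allow-list, and the output still needs the "no actual knowledge" check Safe Harbor requires before it counts as de-identified.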
The Bottom Line
OCR enforcement in 2026 is more aggressive, better resourced, and more focused on AI-related compliance gaps than any prior period. The penalty structure creates meaningful financial risk even for small organizations. And the pattern of violations drawing the most scrutiny — ransomware response, right of access, and risk assessment gaps — all share a common thread: they're failures of organizational process, not just technical failures.
The organizations that come through audits and investigations intact aren't the ones with perfect security. They're the ones with documented, current, and actively maintained compliance programs. That's the standard OCR is measuring against.
Sources:
HHS OCR — Resolution Agreements and Civil Money Penalties
HHS OCR — HIPAA Audit Program
HHS — Cybersecurity Newsletter: Ransomware and HIPAA
45 CFR 164.308 — Administrative Safeguards
HHS — HIPAA Security Rule Guidance Materials