Penalties under HIPAA have been updated several times since HIPAA was first written. The most recent updates were rolled out as a part of the HIPAA Omnibus rule in 2013.
HIPAA violations fall under the purview of the Office for Civil Rights (OCR) under Health and Human Services (OCR). HIPAA violations are issued for violating, or not adhering to, HIPAA rules. Violations do not necessarily require a security incident or data breach to be issued. In fact, violations can be reported freely on this HHS website - https://ocrportal.hhs.gov/ocr/smartscreen/main.jsf.
Penalties for HIPAA violations are most frequently civil in nature though individual criminal punishment, while exceedingly rare, is possible. For both civil and criminal penalties, their are tiered penalties, outlined below.
HIPAA violations and penalties result from not complying with HIPAA and do not require a breach to be issued.