Compliance
Apr 23, 2026

Common HIPAA Violations and How to Prevent Them

Kevin Barona

What are the most common HIPAA violations? They include failing to conduct a risk analysis, unauthorized access to patient records, lack of encryption, insufficient employee training, and missing Business Associate Agreements. The pattern across nearly all of them is the same: they're preventable.

That matters because the consequences are not. The Office for Civil Rights (OCR), the agency responsible for enforcing HIPAA, has settled or imposed penalties in over 150 cases to date, totaling nearly $145 million in fines. Enforcement actions hit 21 settlements and civil monetary penalties in 2025 alone, making it one of the busiest years on record.

This guide covers the 10 violations that trigger the most enforcement activity, what the penalties look like, and exactly what you can do to prevent each one.

How HIPAA Violations Are Enforced

Before diving into specific violations, it helps to understand what happens when something goes wrong. The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is the primary enforcement body for HIPAA. OCR investigates complaints, reviews breach reports, and conducts compliance audits.

When OCR finds a violation, it typically tries to resolve the issue through voluntary compliance, technical guidance, or a corrective action plan. If the organization doesn't cooperate or the violation is severe, OCR imposes civil money penalties.

Those penalties follow a four-tier structure based on the level of intent:

  • Tier 1 (Unknowing): The organization didn't know it was violating HIPAA and couldn't have reasonably known. Fines range from $100 to $50,000 per violation, with an annual cap of $25,000 for repeat violations.
  • Tier 2 (Reasonable cause): The organization should have known about the violation but didn't act with willful neglect. Fines range from $1,000 to $50,000 per violation, with an annual cap of $100,000.
  • Tier 3 (Willful neglect, corrected): The organization knowingly neglected HIPAA requirements but corrected the issue within 30 days. Fines range from $10,000 to $50,000 per violation, with an annual cap of $250,000.
  • Tier 4 (Willful neglect, not corrected): The organization knowingly neglected HIPAA and failed to correct the problem. Fines start at $50,000 per violation, with an annual cap of $1.5 million.

Beyond civil penalties, criminal violations are handled by the Department of Justice. Knowingly obtaining or disclosing Protected Health Information (PHI) can result in fines up to $50,000 and one year in prison. If the offense involves false pretenses, that increases to $100,000 and five years. If PHI is obtained for commercial advantage, personal gain, or malicious harm, penalties reach $250,000 and up to 10 years in prison.

10 Most Common HIPAA Violations

Most HIPAA violations don't come from malicious intent. They come from gaps in processes, training, and technical safeguards that could have been addressed with proper planning. Here are the 10 violations that OCR encounters most frequently, along with practical steps to prevent each one.


1. Failing to Conduct a Risk Analysis

This is the single most commonly identified violation in OCR investigations and audits. It's also the focus of a specific enforcement initiative that OCR launched in recent years, targeting organizations that have never completed a risk analysis or haven't updated theirs in years.

HIPAA's Security Rule requires every covered entity and business associate to conduct a thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic Protected Health Information (ePHI). Many organizations skip this step entirely or treat it as a checkbox exercise rather than a meaningful evaluation.

How to prevent it: Conduct a comprehensive, documented risk analysis at least annually. Update it whenever you make significant changes to your systems, infrastructure, or operations. Make sure the assessment covers all systems that create, receive, maintain, or transmit ePHI.

2. Unauthorized Access to Patient Records

This violation occurs when employees access patient records without a legitimate business reason. Common scenarios include staff looking up records for friends, family members, or public figures out of curiosity. It also includes situations where employees access records outside their job responsibilities.

One well-known case involved a hospital employee who stole patient PHI over six months and sold it to an identity theft ring. The hospital didn't detect the activity until law enforcement notified them two years later.

How to prevent it: Implement role-based access controls (RBAC) so employees can only access the records they need for their specific job function. Audit access logs regularly and investigate any unusual access patterns. Make it clear in your policies that unauthorized access is a terminable offense.

3. Lack of Encryption for ePHI

Failing to encrypt ePHI at rest and in transit remains one of the most common breach vectors. Stolen laptops, lost USB drives, and unencrypted email transmissions have been at the center of some of the largest HIPAA enforcement actions.

In one case, a children's medical center faced penalties after a stolen, unencrypted BlackBerry device exposed the records of nearly 4,000 patients. The device had no password protection and no encryption.

How to prevent it: Encrypt all devices and systems that store or transmit ePHI. This includes laptops, desktops, mobile devices, portable storage media, and email. Encryption is considered an "addressable" safeguard under the Security Rule, but if you choose not to implement it, you must document why and implement an equivalent alternative. In practice, there is rarely a good reason not to encrypt.

4. Insufficient Employee Training

Human error is behind a significant portion of HIPAA breaches. Staff members who haven't been properly trained are more likely to fall for phishing attacks, mishandle PHI, send records to the wrong recipient, or discuss patient information in public settings.

HIPAA requires that all workforce members receive training on the organization's privacy and security policies. Yet many organizations treat training as a one-time onboarding task rather than an ongoing program.

How to prevent it: Implement mandatory, role-specific HIPAA training for all employees. Run annual refresher courses. Conduct phishing simulation exercises to test awareness. Document all training completions and keep records as evidence of compliance.

5. Improper Disposal of PHI

PHI that isn't disposed of properly can be accessed by unauthorized individuals. This applies to both paper records and electronic media. Tossing patient files in a regular trash bin, leaving old hard drives in storage without wiping them, or recycling printed records without shredding them are all violations.

How to prevent it: Shred all paper records containing PHI before disposal. Use certified data destruction services for electronic media, including hard drives, backup tapes, and USB devices. Establish a written media disposal policy and train staff to follow it.

6. Missing Business Associate Agreements

A Business Associate Agreement (BAA) is a contract required by HIPAA between a covered entity and any vendor, contractor, or partner who will access PHI on their behalf. If you share PHI with a vendor and don't have a compliant BAA in place, that disclosure is a HIPAA violation regardless of whether the vendor mishandles the data or not.

This violation is more common than many organizations realize. It often surfaces during breach investigations when OCR discovers that the organization was sharing data with vendors who had no formal agreement in place.

How to prevent it: Inventory every vendor, contractor, and service provider that creates, receives, maintains, or transmits PHI on your behalf. Execute a HIPAA-compliant BAA with each one before sharing any data. Review BAAs annually and update them when the relationship or scope of services changes.

7. Denying Patient Access to Records

HIPAA gives patients the right to access their medical records. The organization must respond to access requests within 30 days (with a possible 30-day extension in certain circumstances). OCR takes this seriously. In 2019, it launched a specific enforcement initiative targeting right-of-access violations, which has resulted in more than 50 financial penalties to date.

How to prevent it: Establish a documented process for receiving and fulfilling patient access requests. Assign responsibility for handling requests to a specific person or team. Track every request and its status to ensure you meet the 30-day deadline. Train front-desk and administrative staff to recognize access requests when they come in.

8. Unauthorized Disclosure of PHI

This covers any situation where PHI is shared with someone who isn't authorized to receive it. Common examples include sharing patient information with marketing companies without consent, discussing patient details in public areas where others can overhear, posting photos on social media that include identifiable patient information, or sending PHI to a personal email account to finish work at home.

How to prevent it: Establish clear policies defining what constitutes authorized and unauthorized disclosure. Train all staff on the minimum necessary standard, which requires that only the minimum amount of PHI needed for a specific purpose is disclosed. Review and approve any use of PHI for marketing, research, or other non-treatment purposes before it happens.

9. Failure to Issue Timely Breach Notifications

When a breach of unsecured PHI occurs, HIPAA's Breach Notification Rule requires the organization to notify affected individuals within 60 days of discovering the breach. If the breach affects 500 or more individuals, the organization must also notify OCR and prominent media outlets. Delays beyond the 60-day window are themselves violations.

Some organizations delay notifications hoping to resolve the issue quietly. Others simply don't have a breach response process in place and lose critical time figuring out what to do.

How to prevent it: Build a documented incident response and breach notification plan before you need it. Define clear roles and responsibilities. Establish a process for determining whether a breach has occurred, assessing its scope, and issuing notifications within the required timeframe. Test the plan at least annually with tabletop exercises.

10. Insufficient Physical and Technical Safeguards

This is a broad category that covers failures in basic security hygiene. Examples include leaving workstations unlocked and unattended in areas where patients or visitors can see the screen, storing paper records in unsecured locations, failing to implement multi-factor authentication (MFA) on systems that access ePHI, and not maintaining audit logs of system activity.

How to prevent it: Enforce automatic screen lock policies on all workstations. Secure physical access to server rooms, file storage areas, and anywhere PHI is kept. Implement MFA on all systems that access ePHI. Maintain and regularly review audit logs to detect unauthorized activity.
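As an added example (not code from the article or its author), the Python script below shows what the "audit access logs regularly and investigate any unusual access patterns" advice in item 2 and the "maintain and regularly review audit logs" advice in item 10 can look like in practice. It checks each access-log line against a role policy and a treatment-relationship table, then flags the patterns the article describes: records viewed without a business reason, actions a role is not permitted to perform, lookups of patients sharing the employee's own last name, off-hours access, and bursts of record views from one account. The log column layout, the assignment and role tables, the shift window and the burst threshold are all assumptions made for illustration; a real deployment would take them from the EHR, scheduling and HR systems.

```python
"""Audit ePHI access logs for unauthorized or unusual access patterns.

Added example; the log format, tables and thresholds below are assumptions,
not any real system's configuration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log. Columns (assumed layout):
#   timestamp  user  role  patient_id  patient_last_name  action
SAMPLE_LOG = """\
2026-04-20T09:02:11Z nurse_ali   nurse     P1001 Nguyen view
2026-04-20T09:05:40Z nurse_ali   nurse     P1002 Barona view
2026-04-20T09:30:02Z billing_tom billing   P1001 Nguyen view
2026-04-20T10:11:55Z billing_tom billing   P1003 Okafor export
2026-04-20T22:14:09Z nurse_ali   nurse     P2001 Ali    view
2026-04-20T11:40:00Z nurse_ali   nurse     P1002 Barona export
2026-04-21T14:00:05Z dr_chen     physician P3001 Smith  view
2026-04-21T14:03:12Z dr_chen     physician P3002 Jones  view
2026-04-21T14:06:44Z dr_chen     physician P3003 Patel  view
2026-04-21T14:09:01Z dr_chen     physician P3004 Lopez  view
2026-04-21T14:12:30Z dr_chen     physician P3005 Kim    view
2026-04-21T14:15:59Z dr_chen     physician P3006 Brown  view
"""

# Assumed treatment/handling relationships: which patients each user is
# currently assigned to. In a real EHR this comes from encounter data.
ASSIGNMENTS = {
    "nurse_ali": {"P1001", "P1002"},
    "billing_tom": {"P1001", "P1003"},
    "dr_chen": {"P3001", "P3002", "P3003", "P3004", "P3005", "P3006"},
}
# Assumed role policy (RBAC): the actions each role may perform on a record.
ROLE_ACTIONS = {
    "nurse": {"view"},
    "billing": {"view", "export"},
    "physician": {"view", "export"},
}
# Assumed HR data used to spot lookups of the employee's own relatives.
USER_LAST_NAME = {"nurse_ali": "Ali", "billing_tom": "Reyes", "dr_chen": "Chen"}
SHIFT_HOURS = range(6, 20)   # assumed normal working window, UTC hours
BURST_THRESHOLD = 5          # assumed: distinct patients per user per hour


def parse_line(line: str) -> dict:
    """Split one whitespace-separated log line into a record dict."""
    ts, user, role, patient_id, patient_last, action = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user, "role": role, "patient_id": patient_id,
        "patient_last": patient_last, "action": action,
    }


def check_record(rec: dict) -> list:
    """Per-line rules; returns the names of the rules that fired."""
    fired = []
    user = rec["user"]
    if rec["patient_id"] not in ASSIGNMENTS.get(user, set()):
        fired.append("no_treatment_relationship")
    if rec["action"] not in ROLE_ACTIONS.get(rec["role"], set()):
        fired.append("action_not_permitted_for_role")
    if rec["patient_last"].lower() == USER_LAST_NAME.get(user, "").lower():
        fired.append("possible_family_lookup")
    if rec["ts"].hour not in SHIFT_HOURS:
        fired.append("off_hours_access")
    return fired


def audit(log_text: str) -> list:
    """Return a list of (user, subject, rule) findings for the whole log.

    Per-line rules produce one finding per rule; the volume rule produces
    one finding per user and hour bucket that exceeds BURST_THRESHOLD.
    """
    findings = []
    per_user_hour = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        for rule in check_record(rec):
            findings.append((rec["user"], rec["patient_id"], rule))
        bucket = (rec["user"], rec["ts"].strftime("%Y-%m-%dT%H"))
        per_user_hour[bucket].add(rec["patient_id"])
    for (user, hour), patients in sorted(per_user_hour.items()):
        if len(patients) >= BURST_THRESHOLD:
            subject = f"{len(patients)} distinct patients in hour {hour}"
            findings.append((user, subject, "volume_burst"))
    return findings


def findings_by_user(findings: list) -> dict:
    """Group findings per user to build the investigation queue."""
    queue = defaultdict(list)
    for user, subject, rule in findings:
        queue[user].append((rule, subject))
    return dict(queue)


if __name__ == "__main__":
    for user, items in findings_by_user(audit(SAMPLE_LOG)).items():
        print(user)
        for rule, subject in items:
            print(f"  {rule:32} {subject}")
```

On the constructed sample this queues four findings for nurse_ali (an off-hours lookup of an unassigned patient named Ali, plus an export the nurse role does not permit) and one burst finding for dr_chen. The burst on its own is not a violation, which is the point of keeping it as a separate rule: a physician reviewing six charts in an hour is often legitimate, so it goes to a reviewer rather than straight to a finding of unauthorized access. Run the script on a schedule against the exported log, and keep the findings and the reviewer's disposition as part of the documentation OCR expects to see.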

How to Build a HIPAA Compliance Program That Prevents Violations

Addressing individual violations is important. But the most effective approach is to build a compliance program that prevents them systematically. Organizations that treat HIPAA as an ongoing program rather than a reactive exercise consistently perform better in audits and breach investigations.

A strong HIPAA compliance program is built on five foundational elements:

  • Risk analysis. Conduct a comprehensive assessment of all risks to the confidentiality, integrity, and availability of ePHI. Update it at least annually and after any significant changes to your environment.
  • Safeguards. Implement administrative, physical, and technical safeguards based on the risks identified in your assessment. This includes policies, access controls, encryption, and physical security measures.
  • Training. Train all workforce members on your HIPAA policies and procedures. Make training role-specific, mandatory, and recurring.
  • Business Associate management. Identify every vendor and partner that touches PHI. Execute compliant BAAs with each one and review them regularly.
  • Incident response. Build and test a breach response plan that covers detection, investigation, notification, and remediation. Know what to do before something goes wrong.

Many of these requirements overlap with frameworks like ISO 27001 and SOC 2. Organizations that invest in a structured compliance program often find they've already addressed a significant portion of what other standards require.


The Real Cost of Getting HIPAA Wrong

The financial penalties alone are enough to justify investing in compliance. OCR has imposed nearly $145 million in fines across 152 enforcement actions to date. Individual settlements have reached into the millions, and fines of $100,000 to $500,000 are common even for mid-size organizations.

But the costs extend far beyond fines. When OCR finds a violation, the organization is typically required to implement a corrective action plan. These plans last one to three years and involve ongoing monitoring, reporting, and oversight by OCR. That's years of additional administrative burden on top of whatever caused the violation in the first place.

Then there's the reputational damage. Breaches affecting 500 or more individuals are posted on OCR's public breach portal, sometimes called the "Wall of Shame." Your organization's name, the type of breach, and the number of individuals affected become public record. For healthcare providers and health tech companies, that kind of visibility can erode patient trust and damage business relationships.

The cost of building and maintaining a HIPAA compliance program is a fraction of what a single enforcement action can cost. Prevention isn't just the right thing to do. It's the financially rational thing to do.

Protecting Your Organization Starts With the Right Foundation

Most HIPAA violations share a common root cause: the organization didn't have the right policies, training, or technical controls in place before something went wrong. The violations themselves are rarely surprising. The consequences, however, can be devastating.

The good news is that every violation covered in this guide is preventable. A documented risk analysis, strong access controls, encryption, employee training, and a tested breach response plan will address the vast majority of risks that lead to enforcement actions.

If you're looking to strengthen your HIPAA compliance posture or build a program from the ground up, get in touch for HIPAA compliance services and we'll help you put the right foundation in place.
