
10 HIPAA Violation Examples (& How to Avoid Them)

Learn what counts as a HIPAA violation (with real enforcement examples) and get actionable steps to avoid fines, reputational damage, and compliance gaps.
May 22, 2025
Contents

  • What is a HIPAA Violation?
  • Why HIPAA Violations Still Happen
  • 10 Examples of HIPAA Violations
  • How to Prevent HIPAA Violations
  • Put HIPAA Compliance on Autopilot With Drata
  • HIPAA Violation Examples Frequently Asked Questions (FAQs)

HIPAA violations aren’t as rare as you might think, and they certainly aren’t cheap. As of November 2024, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has settled or imposed civil money penalties in 152 cases, totaling $144,878,972.

Behind the headlines are avoidable missteps: unsecured laptops, incomplete or non-existent risk assessments, and staff using protected health information (PHI) in Yelp replies. Each case offers a lesson, not just for healthcare organizations, but for any company handling PHI under HIPAA.

In this article, we break down the most common HIPAA violations, including real enforcement cases. You’ll see how violations happen, what they cost, and what you can do to prevent them.

New to HIPAA? We’ve created a HIPAA compliance checklist resource to help you kick off your compliance journey. 


What is a HIPAA Violation?

A HIPAA violation occurs when a covered entity or business associate fails to comply with one or more provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This includes improper access, use, or disclosure of protected health information (PHI), as well as failures in safeguards, breach notification, and documentation.

Violations fall into two categories: civil and criminal.

Civil Penalties for HIPAA Violations

The Office for Civil Rights (OCR) issues civil penalties based on four tiers of severity:

  • Tier 1: The organization was unaware of the violation and couldn’t have reasonably avoided it

  • Tier 2: The organization should have been aware, but the violation wasn’t due to willful neglect

  • Tier 3: Willful neglect occurred, but corrective action was taken

  • Tier 4: Willful neglect with no attempt to correct the issue

As of 2024, fines range from $100 to $50,000 per violation, with annual caps reaching $1.5 million for Tier 4 violations.

Criminal Penalties for HIPAA Violations

The Department of Justice (DOJ) may pursue criminal charges in more severe cases. These typically involve knowingly obtaining or disclosing PHI under false pretenses or with intent to sell, transfer, or use it for personal gain or malicious harm.

Criminal penalties can include:

  • Fines up to $250,000 per violation

  • Prison sentences up to 10 years for offenses involving intent to sell or cause harm

While criminal cases are less common, they carry much higher personal liability, especially for employees acting outside the scope of their role or responsibilities.

Why HIPAA Violations Still Happen

As you’ll soon discover, most HIPAA violations stem from preventable failures. In many cases, the organization had policies in place, but they weren’t enforced, monitored, or updated as the business evolved. Others lacked basic safeguards altogether.

The most common contributing factors include:

  • Unmonitored access to PHI. When organizations don’t review who has access or how that access is used, employees can browse or misuse patient records without detection.

  • Manual compliance processes. Tracking policies, access logs, or audit trails in spreadsheets creates blind spots and delays that expose organizations to risk.

  • Incomplete or outdated risk assessments. HIPAA requires organizations to identify, assess, and document risk. Skipping this step (or treating it as a one-time task) leaves gaps that auditors eventually find and attackers eventually exploit.

  • Lack of employee training. HIPAA isn’t just an IT or compliance issue. Everyone who touches PHI needs up-to-date training and documented acknowledgment of responsibilities.

  • Third-party exposure. Business associates often handle large volumes of PHI, but not all are monitored properly. Missing or insufficient Business Associate Agreements (BAAs) increase liability.

  • Delayed breach response. Even a strong program can fall apart if there’s no straightforward workflow for identifying, investigating, and reporting incidents within HIPAA’s 60-day window.

Each of these issues compounds over time. As teams scale or systems change, minor oversights can evolve into major compliance failures.

10 Examples of HIPAA Violations

Not every HIPAA violation makes headlines, but the most common types show up again and again in OCR investigations. Some happen due to obvious mistakes, while others occur because basic safeguards were missing or ignored. Below are ten examples, including enforcement cases, that illustrate the very real consequences of non-compliance.

1. Unauthorized Access to Patient Records

Unauthorized access occurs when a workforce member (often an employee) views a patient’s medical information without a valid reason. This isn’t always malicious—it might be a nurse checking on a relative’s file or an admin browsing out of curiosity. However, HIPAA doesn’t make exceptions for curiosity.

OCR defines this as impermissible use or disclosure under the Privacy Rule, and it’s one of the most common triggers for enforcement actions.

In one of the most publicized HIPAA settlements to date, UCLA Health agreed to pay $865,500 after employees accessed the medical records of celebrity patients without authorization. The investigation uncovered broader issues: the organization didn’t have adequate safeguards to monitor access to PHI and failed to strengthen its controls after earlier incidents.

The violations weren’t isolated. OCR noted that the health system lacked a reliable method to detect and respond to unauthorized access across its workforce, leaving patient privacy at risk over an extended period.

2. Lost or Stolen Unencrypted Devices

When laptops, external drives, or mobile devices go missing, the risk of a HIPAA violation depends on one factor: encryption. If protected health information (PHI) on the device is not encrypted, the incident is presumed to be a breach, even if there’s no evidence the data was accessed. This presumption can only be rebutted with a documented risk assessment showing a low probability of compromise. 

HIPAA’s Breach Notification Rule requires a four-factor risk assessment to determine if unsecured PHI has been breached. Lack of encryption triggers the presumption of breach, but organizations can still rebut it with a documented assessment showing low risk.

In nearly every enforcement case involving a lost or stolen device, OCR has determined that no suitable alternative was in place. For instance, Feinstein Institute paid a $3.9 million settlement after an unencrypted laptop containing the electronic PHI of over 13,000 patients was stolen from an employee’s car. The information included names, dates of birth, diagnoses, medications, and other sensitive information.

OCR found that the Feinstein Institute failed to conduct a proper risk analysis, implement policies for mobile device security, and encrypt PHI on portable devices despite the risks.

The breach exposed a longstanding gap in data protection, and OCR’s resolution agreement required the organization to overhaul its risk management, workforce training, and device security protocols.

3. Failure to Conduct a Risk Assessment

Under HIPAA, every covered entity and business associate must conduct a risk assessment to identify potential vulnerabilities to the confidentiality, integrity, and availability of electronic PHI (ePHI). It’s not optional, and it’s not a one-time task.

A proper risk analysis includes identifying where ePHI is stored, how it’s accessed, who has access, and what threats exist across systems and vendors. From there, organizations have to document the likelihood and potential impact of each risk, prioritize mitigation efforts, and keep this analysis current as systems evolve.

OCR consistently cites failure to perform a thorough, organization-wide risk analysis as a foundational gap in HIPAA enforcement actions. Case in point: after a cyberattack exposed the data of almost 79 million individuals, including names, Social Security numbers, and medical IDs, OCR launched an investigation into Anthem Inc.’s security practices. The outcome was a $16 million settlement, the largest HIPAA fine to date.

OCR found that Anthem had not conducted an enterprise-wide risk analysis before the breach. The organization also failed to implement sufficient minimum access controls and lacked mechanisms to review system activity regularly.

4. Improper Disposal of PHI

Disposing of sensitive records without properly destroying them creates an easy path to a breach. Documents, drives, and labeled containers that aren’t fully destroyed can expose PHI to the public, and can lead to a reportable breach, regardless of intent.

HIPAA’s Privacy and Security Rules set clear expectations for how both physical and electronic PHI should be discarded. Records must be rendered unreadable, indecipherable, and irretrievable. When that doesn’t happen, OCR investigates.

Cornell Prescription Pharmacy proved that not even small, local organizations are impervious to HIPAA violations and their consequences. The Denver-based healthcare provider paid a $125,000 settlement after patient records were found in an unlocked, open container on Cornell’s premises. The discarded, unshredded documents included names, dates of birth, medication details, and other identifiable information.

OCR’s investigation revealed the pharmacy had no formal, written disposal policy, and staff had not been trained on secure destruction practices. As a result, records were routinely discarded in a way that put patient privacy at risk.

5. Disclosing PHI Without Authorization

Sharing protected health information without valid patient authorization (whether intentional or not) violates HIPAA’s Privacy Rule. This includes disclosing information verbally, in writing, online, or through any other channel not explicitly permitted by law or covered under treatment, payment, or healthcare operations.

These violations often occur in routine interactions: emails sent to the wrong recipient, oversharing with family members, or disclosing patient details in public settings. When disclosures happen outside permitted use cases, they’re treated as breaches.

Elite Dental Associates in Dallas, for example, paid a $10,000 settlement after the practice publicly responded to patient reviews on Yelp by including full names and treatment details.

OCR found that the healthcare facility had no policies governing social media use or public responses to patient feedback. In an attempt to defend itself online, the practice exposed confidential health information without authorization, violating HIPAA and damaging patient trust in the process.

6. Delayed Breach Notification

HIPAA gives covered entities and business associates 60 days to notify affected individuals after discovering a breach involving unsecured PHI. That timeline starts the day the breach is discovered, not the day it’s confirmed or investigated.

Failing to meet this deadline is a violation in itself, even if the underlying incident was handled properly. OCR treats delays as a breakdown in incident response procedures and often uses them to evaluate the maturity of an organization’s compliance program.

Presence Health, one of Illinois' largest healthcare networks, made history as the first HIPAA enforcement action for lack of timely breach notification. The organization agreed to a $475,000 settlement after waiting more than 100 days to notify patients of a breach involving paper records from surgery schedules, among other sensitive data. The incident affected 836 individuals. While relatively small in scope, the delayed notification was enough to trigger enforcement. 

7. No Business Associate Agreement (BAA) in Place

Organizations that work with vendors handling protected health information must have a signed Business Associate Agreement in place before any data is shared. This legal contract outlines each party’s responsibilities for safeguarding PHI under HIPAA.

Without a BAA, even a trusted third party becomes a compliance risk. HIPAA doesn’t distinguish between a vendor’s mistake and the covered entity’s failure to formalize the relationship, and both are liable if a breach occurs.

In a 2016 case, Raleigh Orthopaedic Clinic agreed to a $750,000 settlement after hiring a third-party vendor to transfer and destroy X-ray films containing PHI. The clinic failed to execute a BAA before disclosing the information, and although the vendor handled the records, OCR held the clinic accountable for failing to obtain contractual assurances that HIPAA protections were in place. 

8. Filming Patients Without Consent

It’s not the first thing most people associate with HIPAA, but believe it or not, reality TV can be a compliance risk. Letting a camera crew into a hospital sounds like a great way to tell human stories. It’s also a fast way to expose protected health information if the right guardrails aren’t in place.

In 2016, three Boston-area hospitals—Boston Medical Center, Brigham and Women’s Hospital, and Massachusetts General Hospital—faced a combined $999,000 in fines after allowing an ABC crew to film inside emergency departments without full, written authorization from every patient recorded.

The footage was intended for a network series, Boston Med TV. The hospitals failed to obtain proper authorizations from all patients who were filmed, leading to unauthorized disclosures of PHI.

The Department of Health and OCR emphasized that patients expect privacy and medical treatment, not to be filmed during vulnerable moments. The settlements required the hospitals to implement corrective action plans, including policy revisions and staff training to prevent future violations.

9. Denying Patients Access to Health Records

Under HIPAA’s Privacy Rule, patients have the right to access their medical records within 30 days of a request. Failing to provide timely access violates this provision and can lead to significant penalties.

In one instance, Optum Medical Care, a multi-specialty physician group serving patients in New Jersey and Southern Connecticut, agreed to pay $160,000 after failing to provide a parent with timely access to her child’s medical records. Over the span of several months, the mother filed six separate complaints with the OCR, citing repeated delays and failures to respond.

The OCR’s investigation confirmed that the organization did not meet HIPAA’s access timelines. In some cases, records were provided more than 200 days after the request was submitted.

Although Optum did not admit wrongdoing, it agreed to implement a corrective action plan and undergo two years of OCR monitoring.

10. Insufficient ePHI Access Controls

When access to electronic protected health information isn’t managed and monitored, people who shouldn’t see sensitive data will (and often do). HIPAA’s Security Rule requires technical safeguards to limit system access to authorized users, and that includes revoking access when roles change, logging activity, and reviewing who’s in the system on a regular basis.

The consequences of not doing so can be rather expensive. Memorial Healthcare System paid $5.5 million after failing to terminate access for a former employee of an affiliated physician practice. The credentials remained active for more than a year, during which time they were used to access the electronic PHI of over 115,000 individuals.

OCR’s investigation found that Memorial Healthcare System didn’t have procedures in place to review and update user access. Logs weren’t audited, and access reports weren’t reviewed consistently, despite a policy that required both. This wasn’t a case of external compromise. It was internal, prolonged, and preventable.

How to Prevent HIPAA Violations

Speaking of preventable, every example in this article points to the same conclusion: HIPAA violations are usually the result of avoidable gaps, whether they’re missed steps, outdated processes, or unchecked access. Ongoing HIPAA compliance ensures you’re building systems that hold up over time.

Below are the core practices that reduce risk and strengthen your HIPAA posture.

Conduct Thorough and Ongoing Risk Assessments

A HIPAA risk assessment that doesn’t cut corners is the baseline for compliance. It tells you where protected health information is stored, who can access it, and what could go wrong if systems fail, people make mistakes, or data is exposed.

HIPAA’s Security Rule requires covered entities and business associates to “conduct an accurate and thorough assessment of the potential risks and vulnerabilities” to the confidentiality, integrity, and availability of electronic PHI. The OCR expects this analysis to be documented, organization-wide, and updated regularly, not just created once and filed away. (The HHS states that “some covered entities may perform these processes annually or as needed, e.g., biannually or every 3 years, depending on the circumstances of their environment”).

That means identifying:

  • All systems, devices, and applications that store or transmit PHI.

  • The users and roles that interact with those systems.

  • Known threats, vulnerabilities, and likelihood of exploitation.

  • The potential impact of an incident.

  • Existing security controls and whether they’re working as intended.

More than a compliance requirement, a risk analysis is a map of where your sensitive data is most exposed. Without it, you’re operating blind, reacting late, and often discovering issues only after a breach.

Limit Access to PHI Based on Role and Need

Access to protected health information should be assigned, not assumed. HIPAA requires that access to electronic PHI be limited to individuals who need it to do their jobs. That includes defining roles, assigning permissions accordingly, and regularly reviewing who has access to what.

Role-based access controls (RBAC) ensure users only see the minimum necessary information to perform their duties. For example, a scheduler doesn’t need access to diagnostic records, and a billing team doesn’t need to view clinical notes. Without access controls in place, your organization can’t reliably prevent unauthorized access or detect it when it happens.

Effective access control also includes:

  • Provisioning and deprovisioning access quickly as roles change.

  • Reviewing user access on a scheduled basis (e.g., quarterly).

  • Monitoring access logs for unusual or unauthorized activity.

  • Disabling accounts immediately when someone leaves the organization.

In enforcement actions, the OCR often points to access control failures as the underlying issue, even when the violation appears to be a simple mistake. If your system doesn’t limit or track access, you're not in control of your data.
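As an added illustration of the access review described in this section and in example 10 above (this is not code from the article or from Drata), the following Python script runs three checks over a constructed HR roster, active-account list and ePHI access log: accounts still enabled after a user's termination date, active accounts with no roster owner, and log entries that fall outside a user's role or after their departure. The record types, role-to-permission map and log layout are assumptions made for the example.

```python
"""Access-review checks for ePHI: stale accounts, orphaned accounts, and
accesses outside a user's role. All data below is constructed sample input."""
from datetime import date

# Constructed HR roster: user -> (role, termination date or None if current)
ROSTER = {
    "jlee":   ("nurse", None),
    "mpatel": ("scheduler", None),
    "rkim":   ("billing", None),
    "tgarza": ("nurse", date(2024, 3, 15)),   # left the organization in March
}

# Constructed list of accounts that can still log in to the EHR system.
# "svc_ext1" has no roster entry, like an affiliate account nobody owns.
ACTIVE_ACCOUNTS = {"jlee", "mpatel", "rkim", "tgarza", "svc_ext1"}

# Assumed minimum-necessary map: which record types each role may open.
# The record-type names are illustrative, not any real system's data model.
ROLE_PERMISSIONS = {
    "nurse":     {"clinical_note", "diagnostic", "schedule"},
    "scheduler": {"schedule"},
    "billing":   {"billing", "schedule"},
}

# Constructed access log entries: (date, user, record type, patient id)
ACCESS_LOG = [
    (date(2024, 6, 1), "jlee",   "clinical_note", "P-1001"),
    (date(2024, 6, 1), "mpatel", "diagnostic",    "P-1002"),  # scheduler, diagnostics
    (date(2024, 6, 2), "tgarza", "clinical_note", "P-1003"),  # after termination
    (date(2024, 6, 3), "rkim",   "billing",       "P-1001"),
]


def stale_accounts(roster, active, as_of):
    """Accounts still enabled on or after the user's termination date."""
    return sorted(
        user for user in active
        if user in roster and roster[user][1] is not None and roster[user][1] <= as_of
    )


def orphan_accounts(roster, active):
    """Enabled accounts with no matching roster entry (no HR owner)."""
    return sorted(user for user in active if user not in roster)


def days_stale(roster, user, as_of):
    """How long a terminated user's account has outlived their departure."""
    return (as_of - roster[user][1]).days


def review_access_log(roster, perms, log):
    """Return (reason, entry) for each log line that should be investigated:
    unknown users, use after termination, or record types outside the role."""
    findings = []
    for entry in log:
        when, user, record_type, _patient = entry
        if user not in roster:
            findings.append(("unknown_user", entry))
            continue
        role, term = roster[user]
        if term is not None and when >= term:
            findings.append(("access_after_termination", entry))
        elif record_type not in perms.get(role, set()):
            findings.append(("outside_role", entry))
    return findings


if __name__ == "__main__":
    today = date(2024, 6, 30)
    for user in stale_accounts(ROSTER, ACTIVE_ACCOUNTS, today):
        print(f"stale account: {user} ({days_stale(ROSTER, user, today)} days past termination)")
    for user in orphan_accounts(ROSTER, ACTIVE_ACCOUNTS):
        print(f"orphan account: {user}")
    for reason, entry in review_access_log(ROSTER, ROLE_PERMISSIONS, ACCESS_LOG):
        print(f"{reason}: {entry}")
```

On the sample data the script flags the terminated nurse's still-enabled account, the ownerless account, the scheduler opening a diagnostic record, and the former employee's post-termination access.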

Train Staff to Recognize and Prevent Violations

Every employee who touches protected health information (PHI) plays a role in HIPAA compliance. That includes physicians, administrative staff, IT teams, contractors, and temporary personnel. If someone can access PHI, they need training—no exceptions.

HIPAA’s Privacy and Security Rules require relevant and repeatable workforce training. Training must cover not just the rules but also how they apply to the employee’s specific role. For example, a front desk coordinator needs to understand when it's appropriate to share information with a family member, and a developer needs to know what’s considered PHI in system logs. One-size-fits-all training doesn’t cut it.

Strong programs include:

  • Clear examples of real-world HIPAA violations.

  • Guidance on how to respond to suspected data breaches or inappropriate access.

  • Training logs and signed acknowledgments to document participation.

  • Refreshers and policy reviews whenever procedures change.

The OCR has issued penalties in multiple cases where the violation wasn’t malicious, but rather preventable through training. A staff member didn’t know the rules, didn’t follow them, or had no reason to believe they needed to.

Encrypt Devices and Secure Data in Transit

Encryption isn’t mandatory under HIPAA, but if you choose not to use it, you need to document why and what alternative safeguards are in place. In most cases, there isn’t a better alternative. Encryption is simply the most effective way to prevent unauthorized access when a device is lost, stolen, or compromised.

HIPAA’s Security Rule classifies encryption as an “addressable implementation specification,” which means organizations must assess whether it’s reasonable and appropriate to use—and if not, they must justify and document an equivalent solution. 

Key areas to address include:

  • Encrypting laptops, mobile devices, and removable drives that store or access PHI.

  • Using end-to-end encryption for email and file transfers.

  • Avoiding sending PHI through unencrypted channels like personal email or consumer-grade messaging apps.

  • Ensuring backups and archives are also encrypted.

Encryption doesn’t prevent every kind of breach, but it might change the outcome. When devices are appropriately encrypted and the encryption keys are protected, you may not need to report a breach at all under the Breach Notification Rule.

Respond to Incidents Quickly and Within the 60-Day Timeline

HIPAA’s Breach Notification Rule gives covered entities 60 calendar days from the discovery of a breach to notify affected individuals. That deadline isn’t flexible, and it applies even if the scope of the incident is still being investigated.

Organizations often get tripped up not because they fail to respond, but because they delay. Internal debate, legal review, or uncertainty about whether an event qualifies as a breach can drag timelines past the point of compliance. The OCR considers delayed notification a separate violation, even when the breach itself was handled appropriately.

To stay within the rules:

  • Define what counts as a reportable breach

  • Create documented procedures for investigating security incidents

  • Assign internal ownership to ensure deadlines are tracked

  • Maintain pre-drafted templates and workflows for breach notifications

Put HIPAA Compliance on Autopilot With Drata

Manual compliance work leads to gaps. Gaps lead to violations. Drata helps you avoid both.

Our platform connects to your tech stack to automatically enforce access controls, track policy acknowledgments, monitor risk, and collect audit-ready evidence across your entire organization. HIPAA frameworks are built in, so instead of chasing documentation, your team can stay focused on scaling securely.

More visibility and less manual work mean no surprises during an audit.

Schedule a demo to see how Drata helps you stay compliant without slowing down.

HIPAA Violation Examples Frequently Asked Questions (FAQs)

Below we answer some of the most common questions about HIPAA violations and their consequences.

What is Considered a HIPAA Violation?

A HIPAA violation occurs when a covered entity or business associate fails to comply with one or more provisions of the HIPAA Privacy, Security, or Breach Notification Rules. That includes improper access, use, or disclosure of protected health information (PHI), failure to implement security measures, or failure to provide patients with timely access to their records.

Common examples include:

  • An employee accessing a patient’s record out of curiosity

  • PHI emailed or faxed to the wrong recipient

  • A lost or stolen laptop containing unencrypted PHI

  • Using patient information in public responses to online reviews

  • Delays in responding to a parent’s request for a child’s medical records

  • Failing to revoke system access for a former employee

  • Allowing film crews into treatment areas without written authorization

How Long Do I Have to Report a Breach Under HIPAA?

Covered entities have 60 calendar days from the date a breach is discovered (not confirmed) to notify affected individuals. That timeline is fixed, and delays in investigation, legal review, or internal approvals do not extend the deadline.

What’s the Penalty for a HIPAA Violation?

Civil penalties range from $100 to $50,000 per violation, depending on the level of negligence, with an annual cap of $1.5 million. Criminal penalties can include fines up to $250,000 and ten years in jail for knowingly misusing PHI.

Do HIPAA Violations Always Lead to Fines?

Not always. OCR may choose to resolve a case through voluntary compliance or a corrective action plan. But in cases of willful neglect, repeated violations, or harm to individuals, financial penalties are common and public.

Does HIPAA Apply to Vendors?

Yes. Any vendor that creates, receives, maintains, or transmits PHI on behalf of a covered entity is considered a business associate and must comply with HIPAA. That includes signing a Business Associate Agreement (BAA) and implementing appropriate safeguards.
