Each year, the Office for Civil Rights (OCR) looks into thousands of HIPAA violations. These violations expose protected health information (PHI) and cost healthcare organizations millions in penalties. To build a culture of privacy and security, start by understanding the most common compliance failures. This will help protect both patients and your organization.
HIPAA violations can happen to any organization that manages health data, whether it's a large hospital system or a small dental office. This guide covers the 15 violations OCR encounters most often, the current penalty amounts you face, real named enforcement actions with settlement figures, and actionable prevention strategies your team can implement today.
The 5 Most Common HIPAA Violations by OCR Complaint Category
OCR publishes annual data on the types of complaints it investigates and resolves. The five categories that generate the most enforcement activity are consistent year over year:
- Impermissible uses and disclosures of PHI — sharing patient data without authorization or beyond what is needed
- Lack of adequate safeguards for PHI — not putting in place the needed administrative, physical, or technical controls
- Failure to conduct a security risk assessment — the single most cited deficiency in OCR-initiated compliance reviews
- Failure to provide patients access to their records — a specific OCR enforcement initiative has targeted this aggressively since 2019
- Missing or expired Business Associate Agreements — required whenever a vendor handles PHI on your behalf
These five categories make up most OCR complaint investigations. Each one relates directly to specific HIPAA rules and can lead to serious financial penalties.
HIPAA Violation Penalty Tiers: 2025 Fine Schedule
OCR enforces HIPAA with a four-tier system of civil penalties. Penalty amounts are adjusted annually for inflation. The 2025 figures, effective under 45 CFR Part 160, are:
| Tier | Culpability Level | Per-Violation Range | Annual Cap (same violation) |
|---|---|---|---|
| Tier 1 | Lack of Knowledge — the organization did not know and could not have known of the violation | $100 – $50,000 | $25,000 |
| Tier 2 | Reasonable Cause — the organization knew or should have known but did not act with willful neglect | $1,000 – $50,000 | $100,000 |
| Tier 3 | Willful Neglect, Corrected — the violation resulted from willful neglect and was corrected within 30 days | $10,000 – $50,000 | $250,000 |
| Tier 4 | Willful Neglect, Not Corrected — willful neglect, not corrected within 30 days | $50,000 (minimum) | $1,900,000 |
Criminal penalties apply separately under 42 U.S.C. § 1320d-6 for intentional violations. Fines reach $250,000, with imprisonment of up to 10 years, for violations committed with intent to sell, transfer, or use PHI for personal gain or malicious harm.
Beyond civil money penalties, OCR frequently imposes corrective action plans (CAPs) — multi-year oversight deals that require documented compliance gains, regular reporting to OCR, and outside monitoring. CAPs can cost groups far more than the initial fine when staff time and consulting fees are added up.
The 15 Most Common HIPAA Violations (With Real Enforcement Examples)
1. Missing or Inadequate Security Risk Assessment
The most commonly cited HIPAA violation in OCR enforcement actions is the failure to conduct a complete, organization-wide security risk assessment. Under 45 CFR 164.308(a)(1), OCR requires a documented risk assessment. It must identify all systems that create, receive, maintain, or transmit electronic PHI (ePHI). The assessment should evaluate threats and vulnerabilities, and determine the likelihood and potential impact of each risk.
Real enforcement case: In 2023, Banner Health paid a $1.25 million settlement after OCR found the organization failed to conduct an enterprise-wide risk analysis, among other Security Rule failures. The case stemmed from a breach affecting 2.81 million individuals.
Prevention: Conduct a documented risk assessment at least once a year. Do this also when major operational changes occur, such as new EHR systems, mergers, new locations, or security incidents. The free HHS Security Risk Assessment Tool (SRA Tool) is a recognized starting point.
2. Missing Business Associate Agreements
Covered entities must execute written Business Associate Agreements (BAAs) with every vendor, contractor, or partner that accesses, uses, or discloses PHI on their behalf — required under 45 CFR 164.308(b)(1) and 164.314(a). Missing, unsigned, or expired BAAs are among the most frequently cited violations in OCR settlements.
Real enforcement case: Roper St. Francis Healthcare paid $1.625 million in 2023 after a ransomware attack revealed the organization lacked BAAs with multiple vendors that had access to PHI.
Prevention: Maintain a vendor inventory that tracks every third party with PHI access. Audit BAA status annually and set renewal reminders before agreements expire.
3. Insufficient Access Controls
Not setting up proper access controls on systems holding ePHI is a technical safeguard violation under 45 CFR 164.312(a)(1). Common failures include shared login details, no role-based access controls, not ending access for former staff, and lack of multi-factor authentication (MFA).
Real enforcement case: Yakima Valley Memorial Hospital paid $240,000 in 2023 after 23 employees used their system access to inappropriately view the records of a fellow employee who was a patient. OCR found inadequate access controls were the root cause.
Prevention: Implement role-based access so staff can only view PHI necessary for their job duties. Enforce MFA on all systems containing ePHI. Audit access logs regularly and terminate credentials same-day when employees leave.
4. Lack of Encryption on Portable Devices
Lost or stolen laptops, smartphones, USB drives, and tablets make up a large share of reported breaches. When these devices hold unencrypted ePHI, every loss is a reportable breach under 45 CFR 164.312(a)(2)(iv). Encryption is an addressable — not optional — rule that OCR expects covered entities to either put in place or document a clear reason for not doing so.
Real enforcement case: Advocate Medical Group paid a $5.55 million settlement after multiple laptop thefts exposed the PHI of over 4 million patients. The root cause was failure to implement device encryption.
Prevention: Encrypt all portable devices and removable media using FIPS 140-2 validated encryption. Set up mobile device management (MDM) with remote wipe for all devices that access ePHI.
5. Impermissible Disclosure of PHI
Sharing patient data without proper consent, giving out more than the minimum needed, or not checking who you are sending PHI to are Privacy Rule violations under 45 CFR 164.502. Common cases include faxes sent to wrong numbers, unencrypted emails with PHI (see our HIPAA email compliance guide), and talks in public areas.
Real enforcement case: Memorial Hermann Health System paid $2.4 million after a senior vice president’s name appeared in a press release alongside a patient’s name and immigration status, constituting an impermissible disclosure.
Prevention: Train staff on the minimum necessary rule before every disclosure. Use secure messaging for PHI and verify fax numbers before sending. See our guide on whether faxing is HIPAA compliant.
6. Failure to Provide Patient Access to Records
Under 45 CFR 164.524, patients have the right to access their medical records within 30 days of a request (extendable by 30 days with written notice). Charging excessive fees, creating unnecessary bureaucratic barriers, or outright denying access are violations OCR has pursued aggressively through its Right of Access Initiative since 2019.
Real enforcement case: Cignet Health of Prince George’s County was fined $4.3 million — one of the largest penalties in HIPAA history — primarily for refusing to provide 41 patients with access to their medical records.
Prevention: Establish a documented patient access request process. Train front desk staff on response timelines. Ensure fees are limited to the reasonable cost of producing the records, as defined under OCR guidance.
7. Inadequate Workforce Training
HIPAA requires training for all workforce members on policies and procedures relevant to their functions, under 45 CFR 164.530(b)(1) (Privacy Rule) and 164.308(a)(5) (Security Rule). Organizations that provide only initial onboarding training, skip annual refreshers, or fail to document completion records are frequently cited during OCR audits.
Real enforcement case: Premera Blue Cross paid a $6.85 million settlement after a phishing attack exposed the PHI of over 10 million individuals. OCR found the organization failed to implement adequate security awareness and training programs.
Prevention: Set up yearly role-based training with documented completion records. Run phishing drills quarterly. Update training content whenever policies change.
8. Improper PHI Disposal
Disposing of paper records in regular trash bins or failing to properly sanitize digital devices before disposal violates 45 CFR 164.310(d)(2)(i) (Device and Media Controls) and 164.530(c) (Safeguards). Even a single improperly discarded document containing a patient name and diagnosis is a reportable violation.
Real enforcement case: Filefax, Inc. — a medical records storage company — was fined $100,000 after OCR discovered PHI from over 2,150 individuals had been left in an unlocked vehicle and later transported to a paper recycling facility without proper destruction.
Prevention: Use locked shred bins for all paper PHI. Engage NAID AAA-certified shredding vendors with BAAs. For digital devices, require certificates of destruction from HIPAA-compliant data destruction vendors.
9. Unauthorized Access by Employees (Snooping)
Staff looking at patient records without a real work-related reason is one of the most stubborn HIPAA violations — and one of the hardest to stop through technical controls alone. This includes looking up celebrity records, accessing records of friends or family members, or viewing records out of personal curiosity.
Real enforcement case: Montefiore Medical Center paid $4.75 million after an employee sold the PHI of 12,517 patients to an identity theft ring. OCR found the hospital failed to implement appropriate audit controls to detect unauthorized access.
Prevention: Configure EHR audit logging to flag unusual access patterns. Conduct regular access log reviews. Enforce a zero-tolerance snooping policy with clear consequences, up to and including firing.
10. Texting PHI on Personal Devices
Standard SMS and consumer messaging apps (iMessage, WhatsApp, standard texting) are not HIPAA-compliant channels for PHI. When staff text patient information — diagnoses, appointment details, test results — via personal phones, they create an unsecured transmission that violates 45 CFR 164.312(e)(1).
Prevention: Deploy a HIPAA-compliant secure messaging platform (such as TigerConnect, Imprivata Cortext, or similar). Set a clear written policy banning PHI sent via standard SMS. Include this in new-hire training and yearly refreshers.
11. Posting Patient Information on Social Media
Employees posting about patients on social media — even without using a name, if the patient could be identified from context — is a serious Privacy Rule violation. Photos taken in clinical areas that show patient details in the background are just as risky.
Real enforcement case: Denta Quest paid $70,000 after a workforce member impermissibly disclosed a patient’s PHI on a public social media site following a patient complaint.
Prevention: Establish a clear social media policy for healthcare staff that explicitly prohibits discussing patients online. Include specific examples of what constitutes a violation. Apply the policy to personal accounts, not just work accounts.
12. Lost or Stolen Unencrypted Devices
This violation overlaps with the encryption issue above but deserves its own section because it is so common. Losing a single unencrypted laptop triggers a breach notice, an OCR probe, and possible fines — all of which are fully avoidable with full-disk encryption.
Real enforcement case: Concentra Health Services paid $1.725 million after a single unencrypted laptop was stolen from one of its facilities. OCR found that despite prior knowledge of encryption risks, the organization had not implemented encryption across its devices.
Prevention: Require full-disk encryption (BitLocker, FileVault, or similar) on every device that can access ePHI. Note this rule in your Security Rule policies. Check encryption status via MDM tools.
13. Missing Audit Controls on EHR Systems
The HIPAA Security Rule requires covered entities to put in place hardware, software, and procedural mechanisms that record and examine activity in systems holding ePHI, under 45 CFR 164.312(b). Many groups turn on logging but never actually review the logs — which OCR views as having no audit controls at all.
Prevention: Configure your EHR to log all access events, including failed login attempts, record views, edits, and exports. Assign responsibility for log review to a specific role. Investigate anomalies — off-hours access, bulk record views, or access to recently discharged patients — on a regular schedule.
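The log-review step described here (and the access-pattern flagging recommended under item 9) can be scripted against an EHR audit export. The following is an added example, not code from the original article or from any EHR vendor: the CSV layout, the user and patient identifiers, the business-hours window, the bulk threshold and the 30-day discharge cutoff are all constructed assumptions to be adapted to your own export.

```python
"""Flag the three anomaly patterns named above in an EHR access-log export.

Added example; the log format, thresholds and sample records are assumptions,
not the format of any particular EHR product.
"""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime, timedelta

BUSINESS_HOURS = (7, 19)          # assumption: local shift hours, end exclusive
BULK_THRESHOLD = 20               # assumption: distinct patients per window
BULK_WINDOW = timedelta(hours=1)
STALE_DISCHARGE_DAYS = 30         # assumption: access this long after discharge is unusual


@dataclass
class Access:
    ts: datetime
    user: str
    patient: str
    action: str


def parse_log(text: str) -> list[Access]:
    """Parse constructed 'timestamp,user,patient_id,action' lines."""
    records = []
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        ts, user, patient, action = line.split(",")
        records.append(Access(datetime.fromisoformat(ts), user, patient, action))
    return records


def off_hours(records: list[Access]) -> list[Access]:
    """Any access outside the configured shift window."""
    start, end = BUSINESS_HOURS
    return [r for r in records if not (start <= r.ts.hour < end)]


def bulk_views(records: list[Access]) -> dict[str, int]:
    """Users who viewed more than BULK_THRESHOLD distinct patients in one window."""
    by_user: dict[str, list[Access]] = defaultdict(list)
    for r in records:
        if r.action == "VIEW":
            by_user[r.user].append(r)
    flagged = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda r: r.ts)
        peak = 0
        for i, first in enumerate(evs):           # sliding window from each event
            window = {e.patient for e in evs[i:] if e.ts - first.ts <= BULK_WINDOW}
            peak = max(peak, len(window))
        if peak > BULK_THRESHOLD:
            flagged[user] = peak
    return flagged


def stale_discharge(records: list[Access], discharges: dict[str, date]) -> list[Access]:
    """Access to a patient discharged more than STALE_DISCHARGE_DAYS earlier."""
    return [r for r in records
            if r.patient in discharges
            and (r.ts.date() - discharges[r.patient]).days > STALE_DISCHARGE_DAYS]


def review(text: str, discharges: dict[str, date]) -> dict:
    records = parse_log(text)
    return {"off_hours": off_hours(records),
            "bulk": bulk_views(records),
            "stale_discharge": stale_discharge(records, discharges)}


# Constructed sample export: one off-hours view, one view of a long-discharged
# patient, and one user sweeping 25 charts in 25 minutes.
SAMPLE_LOG = "\n".join(
    ["2025-03-03T09:12:00,nurse.alpha,P1001,VIEW",
     "2025-03-03T09:13:30,nurse.alpha,P1002,VIEW",
     "2025-03-03T02:41:00,clerk.bravo,P1003,VIEW",
     "2025-03-03T14:20:00,clerk.bravo,P0042,VIEW"]
    + [f"2025-03-03T10:{i:02d}:00,analyst.charlie,P{2000 + i},VIEW" for i in range(25)])
DISCHARGES = {"P0042": date(2024, 12, 1), "P1001": date(2025, 3, 1)}  # constructed

if __name__ == "__main__":
    for name, hits in review(SAMPLE_LOG, DISCHARGES).items():
        print(name, hits)
```

Each flagged record is a lead for a human reviewer, not a finding in itself; a night-shift clinician or a billing audit will legitimately trip these rules, so the review log should record the disposition of every hit.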
14. PHI Discussed in Public Areas
Conversations about patients at the nursing station, in elevators, in waiting rooms, or in any area where unauthorized individuals may overhear are Privacy Rule violations under 45 CFR 164.530(c). This is particularly common in open-layout medical offices and dental practices with shared waiting areas.
Prevention: Set up physical privacy safeguards — frosted glass at check-in counters, privacy screens on monitors facing waiting areas, and set-aside private areas for clinical talks. Train staff to default to private spaces for any chat involving patient details.
15. Website Tracking Pixels Transmitting PHI (2023–2025 Trend)
OCR issued guidance in December 2022 stating that tracking tools (Meta Pixel, Google Analytics, and similar) on healthcare websites and patient portals can send PHI to third parties without consent — a breach of the Privacy and Security Rules. This has been an active enforcement area since 2023.
Real enforcement case: Several health systems including Advocate Aurora Health (13 million patients) and Novant Health faced OCR probes and class action lawsuits. Tracking pixels on their MyChart patient portals sent PHI to Meta and Google without valid consent.
Prevention: Audit all tracking tools on your website and patient portal. Remove or block any pixel or script that fires on pages behind login or that could send IP addresses along with health-related content. If tracking tools are needed, make sure third-party BAAs are in place and that tracking is limited to non-PHI pages.
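The audit of tracking tools can be partly automated by scanning each page's HTML for the loaders and beacons of the tools the guidance names. The following is an added example, not code from the original article or from OCR: the tracker host list covers Meta Pixel and Google Analytics/Tag Manager only, the inline markers are a heuristic, and the sample pages, paths and pixel id are constructed.

```python
"""Scan saved HTML for tracking loaders and beacons, rating hits on pages behind login.

Added example; the host list is a starting point (Meta Pixel, Google Analytics,
Google Tag Manager) and the sample pages are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

TRACKER_HOSTS = {                      # well-known loader/beacon hosts
    "connect.facebook.net": "Meta Pixel",
    "www.facebook.com": "Meta Pixel (image beacon)",
    "www.google-analytics.com": "Google Analytics",
    "www.googletagmanager.com": "Google Tag Manager / gtag",
}
INLINE_MARKERS = {"fbq(": "Meta Pixel (inline init)",
                  "gtag(": "Google gtag (inline init)"}   # heuristic


class TrackerScanner(HTMLParser):
    """Collects (tool, source) findings from script/img/iframe tags and inline JS."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
        src = a.get("src") if tag in ("script", "img", "iframe") else None
        if src:
            host = urlparse(src).netloc.lower()
            if host in TRACKER_HOSTS:
                self.findings.append((TRACKER_HOSTS[host], src))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if not self._in_script:
            return
        for host, tool in TRACKER_HOSTS.items():    # loaders injected by inline JS
            if host in data:
                self.findings.append((tool, "inline loader"))
        for marker, tool in INLINE_MARKERS.items():
            if marker in data:
                self.findings.append((tool, "inline script"))


def scan_page(html: str) -> list:
    scanner = TrackerScanner()
    scanner.feed(html)
    return list(dict.fromkeys(scanner.findings))    # de-duplicate, keep order


def audit(pages: dict) -> list:
    """pages: {path: (behind_login, html)} -> [(path, severity, tool, source)]."""
    report = []
    for path, (behind_login, html) in pages.items():
        for tool, src in scan_page(html):
            report.append((path, "HIGH" if behind_login else "REVIEW", tool, src))
    return report


# Constructed sample: a public home page with gtag, a logged-in results page
# with a Meta Pixel, and a logged-in inbox page with nothing.
SAMPLE_PAGES = {
    "/": (False, '<html><head><script async src="https://www.googletagmanager.com/'
                 'gtag/js?id=G-EXAMPLE"></script><script>window.dataLayer=window.dataLayer||[];'
                 'function gtag(){dataLayer.push(arguments);}gtag("js",new Date());</script>'
                 '</head><body>Welcome</body></html>'),
    "/portal/results": (True, '<html><head><script>(function(){var s=document.createElement'
                 '("script");s.src="https://connect.facebook.net/en_US/fbevents.js";'
                 'document.head.appendChild(s);})();fbq("init","PLACEHOLDER_PIXEL_ID");'
                 'fbq("track","PageView");</script></head><body>Lab results</body></html>'),
    "/portal/messages": (True, "<html><body><p>Inbox</p></body></html>"),
}

if __name__ == "__main__":
    for row in audit(SAMPLE_PAGES):
        print(*row)
```

A static scan misses tags injected at runtime by a tag manager, so pair it with a review of the tag manager's own container configuration and of outbound requests observed in the browser.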
Industry-Specific Violation Patterns
Dental Office Violations
Dental practices face a distinct set of common violations driven by their size, software ecosystem, and patient interaction model:
- Missing BAAs with dental software vendors. Dentrix, Eaglesoft, Weave, Demandforce, and similar platforms all require signed BAAs. Many small dental practices have never executed these agreements.
- No security risk assessment on record. OCR’s audit protocol specifically targets this for small practices. A dental office with 10 employees and no documented SRA is a straightforward enforcement target.
- Radiograph and patient photo handling. Digital X-rays and intraoral photos are PHI. Sharing them via unencrypted email or consumer file-sharing services is a common violation.
- Front desk conversations. Confirming appointments or discussing treatment in crowded waiting rooms is among the most cited dental practice violations in OCR complaints.
For a complete compliance framework, see our guide to HIPAA compliance for dental practices.
Hospital and Health System Violations
Bigger groups face scale-driven violations that smaller practices rarely see:
- Enterprise-wide risk assessment gaps. Hospitals with many sites often run risk assessments at the facility level without an enterprise-wide view — the gap OCR targeted in the Banner Health case.
- Employee snooping at scale. With thousands of staff and millions of patient records, unauthorized access by curious workers is nearly certain without strong audit controls and enforcement culture.
- Subcontractor chain failures. Large health systems use dozens of IT vendors, billing companies, and cloud providers — each of which requires a BAA and each of which introduces risk.
- EHR migration errors. System migrations are high-risk events. Data transferred to new platforms without proper access controls or encryption has triggered several major settlements.
Health Tech and Digital Health Violations
Digital health startups and health tech firms face a unique enforcement landscape:
- Incorrect covered entity determination. Many digital health firms do not realize they count as business associates — or in some cases, covered entities — until after a breach occurs.
- Third-party SDK and API risks. Integrating analytics SDKs, ad networks, or AI APIs into apps that handle PHI without vetting for HIPAA compliance is a growing violation category. Learn more in our guide on whether ChatGPT is HIPAA compliant.
- Cloud misconfiguration. S3 buckets, Azure Blob Storage, and similar cloud resources holding ePHI left open to the public are reported often to OCR.
- No formal compliance program at all. Early-stage companies often defer compliance infrastructure until funding is secured — by which point violations may already have occurred.
HIPAA Violation Prevention Checklist
Use this checklist to assess your organization’s current compliance posture. Each item maps directly to one or more of the 15 violations above:
| Prevention Requirement | Rule Reference | Frequency |
|---|---|---|
| Documented security risk assessment completed | 45 CFR 164.308(a)(1) | Annual + triggered |
| BAA executed with all vendors who access PHI | 45 CFR 164.308(b)(1) | Before access granted; audit annually |
| Role-based access controls implemented and audited | 45 CFR 164.312(a)(1) | Quarterly access reviews |
| All portable devices and media encrypted | 45 CFR 164.312(a)(2)(iv) | Verified via MDM; ongoing |
| Workforce training completed and documented | 45 CFR 164.308(a)(5) | At hire + annual refresher |
| Patient access request process documented | 45 CFR 164.524 | Policy review annual |
| PHI disposal procedures in place (paper + digital) | 45 CFR 164.310(d)(2)(i) | Ongoing; vendor audit annual |
| EHR audit logs reviewed regularly | 45 CFR 164.312(b) | Monthly minimum |
| Secure messaging platform deployed for PHI | 45 CFR 164.312(e)(1) | Ongoing |
| Social media policy distributed and signed | 45 CFR 164.530(b) | At hire + annual |
| Website tracking technologies audited for PHI leakage | 45 CFR 164.502 / 164.306 | Annual + after any tech changes |
| Incident response plan tested via tabletop exercise | 45 CFR 164.308(a)(6) | Annual |
| Privacy and Security Officers designated in writing | 45 CFR 164.530(a) / 164.308(a)(2) | Ongoing; update when personnel change |
What to Do If Your Organization Has a Violation
Finding a HIPAA violation does not always mean a large fine. How your team responds matters a great deal to OCR’s enforcement choices.
- Contain the exposure immediately. Cut off unauthorized access, secure the affected systems, and save logs.
- Document the incident in detail. Record what happened, when it was discovered, who was affected, and what data was involved.
- Conduct a breach risk assessment. Apply the four-factor test under 45 CFR 164.402 to determine whether the incident meets the HIPAA definition of a breach requiring notification.
- Notify as required. If the incident qualifies as a breach, follow your breach notification obligations — individual notice within 60 days, HHS notice, and media notice if over 500 people in a state are affected.
- Remediate and document the fix. OCR gives strong credit for groups that self-report, cooperate fully, and show concrete corrective action. Documented fixes can cut fines sharply or lead to a deal with no fine at all.
OCR’s enforcement policy allows for lower or waived fines when groups show good faith, self-report violations, and take documented steps to fix them before OCR starts a probe. If a patient or OCR has already filed a formal complaint, see our guide to responding to a HIPAA complaint for the exact steps to follow.
Frequently Asked Questions
What is HIPAA noncompliance?
HIPAA noncompliance means failing to meet any requirement under the HIPAA Privacy Rule, Security Rule, or Breach Notification Rule. Common forms of noncompliance include missing or outdated risk assessments, lack of written policies, no documented workforce training, unsigned Business Associate Agreements, and insufficient access controls on systems containing ePHI. OCR investigates noncompliance through complaint-driven reviews and proactive audits, with penalties ranging from $141 to over $2 million per violation category per year.
What is the most common HIPAA violation?
According to OCR enforcement data, failure to conduct a full, documented security risk assessment is the most cited violation in OCR enforcement actions. This key requirement under 45 CFR 164.308(a)(1) supports the entire HIPAA Security Rule. Its absence often goes hand in hand with other compliance failures across a group.
What are the fines for HIPAA violations in 2025?
HIPAA civil penalties are tiered based on culpability. Tier 1 (lack of knowledge) ranges from $100 to $50,000 per violation. Tier 4 (willful neglect, uncorrected) starts at $50,000 per violation with an annual cap of $1.9 million for repeat violations of the same type. Criminal penalties for intentional violations include fines up to $250,000 and imprisonment up to 10 years.
Can employees go to jail for HIPAA violations?
Yes. Intentional HIPAA violations — particularly unauthorized access to or sale of PHI for personal gain — can result in criminal prosecution under 42 U.S.C. § 1320d-6. Sentences range from 1 year in prison for simple knowing violations up to 10 years for violations committed with intent to sell, use, or cause harm with PHI.
Are HIPAA violations public?
Breaches affecting 500 or more individuals are publicly listed on the HHS OCR Breach Portal, commonly called the “Wall of Shame.” OCR also publicly announces major enforcement settlements via press releases on hhs.gov. Smaller violations fixed through voluntary compliance are usually not made public.
What is the single most effective way to prevent HIPAA violations?
Running a thorough, documented security risk assessment each year — and acting on its findings through a written risk management plan — is the single most effective way to prevent HIPAA violations. Most OCR enforcement actions could have been avoided had the group found and fixed weak spots through a proper risk assessment. Groups that complete and act on their SRA are rarely the ones OCR targets for broad enforcement.
Avoiding HIPAA Violations: Final Thoughts
HIPAA violations are avoidable. The groups that dodge costly enforcement actions share common traits: they run thorough risk assessments, invest in staff training, use strong technical controls, keep vendor agreements current, and build cultures where compliance is a shared duty.
Knowing the 15 most common violations and their real-world results helps your team fix weak spots before they lead to breaches, fines, or loss of patient trust. The data is clear — proactive compliance always costs less than reactive cleanup.
One Guy Consulting provides full HIPAA compliance support, from security risk assessments and policy work to staff training programs and incident response planning.
Key stat: Risk analysis failures appear in over 70% of OCR enforcement actions. It is the single most common finding across all HIPAA investigations, regardless of whether a breach triggered the review.
Contact us to strengthen your team’s compliance posture and protect the patients who trust you with their most sensitive data.