Common HIPAA Violations and How to Avoid Them

Every year, the HHS Office for Civil Rights (OCR) investigates thousands of HIPAA complaints and breach reports involving exposed protected health information (PHI), and the resulting penalties cost healthcare organizations millions of dollars. Understanding the most frequent compliance failures is the first step toward building a culture of privacy and security that protects both patients and your organization.

Whether you manage a large hospital system or a small medical practice, HIPAA violations can occur in any organization that handles PHI. This guide covers the violations OCR encounters most often, the penalties you face, real enforcement actions, and actionable prevention strategies your team can implement today.

The Top 10 Most Common HIPAA Violations

1. Failure to Conduct a Risk Analysis

The single most cited HIPAA violation in OCR enforcement actions is the failure to perform a thorough, organization-wide risk analysis, which the Security Rule requires at 45 CFR 164.308(a)(1)(ii)(A). Many organizations either skip this requirement entirely or conduct superficial assessments that never identify their real vulnerabilities.

A proper risk analysis must cover every system that creates, receives, maintains, or transmits electronic PHI (ePHI), including vendor-hosted systems and devices outside the data center. It must identify threats and vulnerabilities and estimate the likelihood and impact of each potential compromise. Organizations that neglect this foundational requirement leave themselves exposed to both security incidents and regulatory penalties, because without an inventory of where ePHI lives they cannot know which controls are missing.

2. Unauthorized Access to Patient Records

Employees accessing patient records without a legitimate work-related reason remains one of the most persistent HIPAA violations. This includes:

  • Snooping on celebrity or VIP patient records
  • Looking up records of family members, friends, or neighbors
  • Accessing records of coworkers or former patients out of curiosity
  • Viewing records unrelated to job duties

Even a single unauthorized access event is a violation, may be a reportable breach, and can trigger enforcement action. Because these accesses are made with valid credentials, perimeter controls never see them; they are typically caught only through audit-log review or a patient complaint.

3. Inadequate Access Controls

Failing to implement proper access controls on systems containing ePHI is a technical safeguard violation under the HIPAA Security Rule. Common failures include shared login credentials, lack of role-based access, failure to terminate access for former employees, and absence of multi-factor authentication. Shared credentials are doubly damaging: they violate the unique user identification requirement and make audit logs useless for attributing an access to a person.

4. Improper Disposal of PHI

Throwing paper records containing PHI into regular trash bins, or failing to properly sanitize digital devices before disposal or resale, creates major risk. Organizations must shred paper records and use verifiable data destruction methods for digital media (NIST SP 800-88, Guidelines for Media Sanitization, is the usual reference), keeping a certificate of destruction for each batch.

5. Lack of Encryption on Portable Devices

Lost or stolen laptops, smartphones, USB drives, and tablets account for a large share of reported breaches. When these devices contain unencrypted ePHI, every lost device is a reportable breach. Encryption changes that calculus: under HHS guidance, PHI encrypted in a manner consistent with NIST standards is considered "secured", so its loss is not a reportable breach, provided the decryption key was not compromised along with it. That proviso matters in practice: a full-disk-encrypted laptop with the passphrase on a sticky note, or a key cached for automatic unlock, does not meet the bar.

6. Failure to Maintain Business Associate Agreements

Covered entities must execute written Business Associate Agreements (BAAs) with every vendor, contractor, or partner that creates, receives, maintains, or transmits PHI on their behalf, and business associates must do the same with their subcontractors. Many organizations fail to identify all their business associates (cloud hosting, backup, e-mail, analytics, and billing vendors are frequently missed) or allow agreements to lapse without renewal.

7. Insufficient Employee Training

HIPAA requires regular training for all workforce members on the organization's policies and procedures for handling PHI. Organizations that provide only initial onboarding training or skip annual refreshers leave their staff uninformed about current threats, policy changes, and proper handling procedures.

8. Denying Patient Access to Records

Under the Privacy Rule, patients have the right to inspect and obtain a copy of their medical records within 30 days of a request (extendable once by a further 30 days with written notice of the reason). Charging fees beyond a reasonable, cost-based amount, creating unnecessary barriers, or outright denying access is a violation that OCR has aggressively pursued since 2019 through its Right of Access Initiative.

9. Failure to Document Compliance Efforts

HIPAA requires organizations to maintain written policies and procedures, and documentation of compliance actions such as risk analyses, training, and access reviews, for a minimum of six years from the date of creation or the date the document was last in effect, whichever is later. Without this documentation, organizations cannot demonstrate compliance during an audit or investigation, even if they have strong practices in place.

10. Improper Disclosures of PHI

Sharing patient information without authorization, disclosing more information than is needed, or failing to apply the minimum necessary standard when communicating PHI are common Privacy Rule violations. This includes conversations in public areas, unencrypted e-mails, and faxes sent to wrong numbers.

HIPAA Penalty Tiers: What Violations Cost

OCR enforces HIPAA through a tiered civil penalty structure that reflects the organization's level of culpability for each violation. The figures below are inflation-adjusted amounts that HHS updates periodically (the current table is published at 45 CFR 102.3), and the annual caps reflect OCR's 2019 Notice of Enforcement Discretion; check the current figures before relying on them. Understanding these tiers helps organizations appreciate the financial stakes of non-compliance.

Tier 1: Lack of Knowledge

  • Penalty range: $141 to $35,581 per violation
  • Annual maximum: $35,581
  • Applies when: The organization did not know, and by exercising reasonable diligence would not have known, of the violation

Tier 2: Reasonable Cause

  • Penalty range: $1,424 to $71,162 per violation
  • Annual maximum: $142,355
  • Applies when: The organization knew or should have known of the violation, but the violation was not due to willful neglect

Tier 3: Willful Neglect (Corrected)

  • Penalty range: $14,232 to $71,162 per violation
  • Annual maximum: $355,808
  • Applies when: The violation resulted from willful neglect but was corrected within 30 days of discovery

Tier 4: Willful Neglect (Not Corrected)

  • Penalty range: $71,162 per violation (minimum)
  • Annual maximum: $2,134,831
  • Applies when: The violation resulted from willful neglect and was not corrected within 30 days of discovery

Criminal penalties under 42 U.S.C. 1320d-6 can also apply, with fines up to $250,000 and imprisonment up to 10 years for offenses committed with intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm.

Real Enforcement Examples

OCR enforcement actions illustrate the consequences of common violations:

  • Banner Health (2023): $1.25 million settlement for failing to conduct an accurate and thorough enterprise-wide risk analysis and to implement sufficient security measures, following a 2016 breach affecting 2.81 million people.
  • Advocate Health Care (2016): $5.55 million settlement after multiple breaches, including the theft of unencrypted laptops, highlighting the cost of failing to encrypt portable devices.
  • Cignet Health (2011): $4.3 million civil money penalty, the first OCR ever imposed under HIPAA, for denying patients access to their medical records and then refusing to cooperate with the investigation. This case predates the Right of Access Initiative but shows how long OCR has treated access denial as a serious violation.
  • Premera Blue Cross (2020): $6.85 million settlement following a breach that began with a phishing e-mail, emphasizing the importance of employee training and technical safeguards.

These cases show that OCR pursues violations of all types and sizes, and that settlements frequently exceed $1 million for systemic compliance failures.

Prevention Strategies That Work

Build a Compliance-First Culture

Preventing HIPAA violations starts at the top. Leadership must visibly prioritize compliance, allocate sufficient resources, and hold all workforce members accountable. A compliance-first culture treats privacy and security as core organizational values, not just regulatory checkboxes.

Key cultural elements include:

  • Designated Privacy and Security Officers with authority and resources
  • Regular compliance reporting to senior leadership and the board
  • Clear consequences for policy violations, applied consistently
  • Open reporting channels where employees can raise concerns without fear of retaliation

Implement Comprehensive Training Programs

Effective training goes beyond annual slide decks. Organizations should implement:

  • Role-based training tailored to specific job functions and access levels
  • Phishing simulations to test and reinforce e-mail security awareness
  • Scenario-based exercises that reflect real situations employees encounter
  • Quarterly refreshers on emerging threats and policy updates
  • New-hire training completed before access to PHI is granted

Strengthen Technical Safeguards

Technical controls form the backbone of healthcare cybersecurity. Essential measures include:

  • Encryption for all ePHI at rest and in transit, with keys stored separately from the data they protect
  • Multi-factor authentication for all systems containing PHI, including remote and vendor access
  • Automated access termination when employees change roles or leave, driven by the HR system rather than a manual ticket
  • Audit logging with regular review of access patterns, so that credentialed snooping and terminated-account use are actually detected
  • Network segmentation to isolate systems containing PHI

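As an added example (not code from the original article or from any EHR vendor), the script below applies the audit-log review described above to a constructed access log, flagging the kinds of events listed under violations 2 and 3: a terminated account still reading records, a billing clerk opening clinical notes, a nurse viewing a patient with no treatment relationship, a lookup of a patient who shares the user's surname, and after-hours access to a VIP record. The log format, the workforce directory, the role-to-section matrix, and every heuristic are assumptions chosen for illustration; real EHR audit schemas differ, so adapt the parser and rules before using it.

```python
"""Review an EHR access log for suspicious ePHI access events.

Added example. The CSV layout, directory data and detection heuristics
are assumptions, not a vendor format; only the checks are the point.
"""
import csv
import io
from dataclasses import dataclass, field
from datetime import datetime

# Constructed workforce directory: surname, role, active flag and the
# patients each clinical user is currently assigned to (treatment relationship).
WORKFORCE = {
    "rn_lopez":  {"surname": "Lopez", "role": "nurse",     "active": True,  "patients": {"P100", "P101"}},
    "md_patel":  {"surname": "Patel", "role": "physician", "active": True,  "patients": {"P100", "P102"}},
    "bill_chen": {"surname": "Chen",  "role": "billing",   "active": True,  "patients": set()},
    "rn_green":  {"surname": "Green", "role": "nurse",     "active": False, "patients": set()},  # terminated
}

# Constructed patient index: surname plus a VIP/confidential flag.
PATIENTS = {
    "P100": {"surname": "Okafor", "vip": False},
    "P101": {"surname": "Lopez",  "vip": False},  # same surname as rn_lopez
    "P102": {"surname": "Nguyen", "vip": False},
    "P103": {"surname": "Hale",   "vip": True},
}

# Minimum-necessary matrix: which record sections each role may open.
ROLE_SECTIONS = {
    "physician": {"demographics", "clinical_notes", "labs", "meds"},
    "nurse":     {"demographics", "clinical_notes", "labs", "meds"},
    "billing":   {"demographics", "billing"},
}
CLINICAL_SECTIONS = {"clinical_notes", "labs", "meds"}
BUSINESS_HOURS = range(6, 20)  # assumption: 06:00-19:59 local time is normal

# Constructed audit log in the assumed CSV layout.
SAMPLE_LOG = """\
timestamp,user,patient,section,action
2024-03-04T09:12:00,rn_lopez,P100,clinical_notes,view
2024-03-04T09:20:00,rn_lopez,P101,clinical_notes,view
2024-03-04T10:05:00,md_patel,P102,labs,view
2024-03-04T10:40:00,bill_chen,P100,billing,view
2024-03-04T10:41:00,bill_chen,P100,clinical_notes,view
2024-03-04T22:15:00,rn_lopez,P103,demographics,view
2024-03-05T08:00:00,rn_green,P102,meds,view
"""


@dataclass
class Finding:
    timestamp: str
    user: str
    patient: str
    section: str
    reasons: list = field(default_factory=list)


def check_event(row, workforce=WORKFORCE, patients=PATIENTS):
    """Return the list of reasons an access event deserves review (empty if none)."""
    user = workforce.get(row["user"])
    patient = patients.get(row["patient"])
    if user is None:
        return ["unknown_user"]          # account not in the directory at all
    if patient is None:
        return ["unknown_patient"]
    reasons = []
    if not user["active"]:
        reasons.append("terminated_account")          # access should have been cut off
    if row["section"] not in ROLE_SECTIONS.get(user["role"], set()):
        reasons.append("outside_role")                # minimum-necessary violation
    if row["section"] in CLINICAL_SECTIONS and row["patient"] not in user["patients"]:
        reasons.append("no_treatment_relationship")   # classic snooping indicator
    if user["surname"].lower() == patient["surname"].lower():
        reasons.append("possible_family_lookup")      # heuristic, needs human review
    if patient["vip"]:
        reasons.append("vip_record")                  # every VIP access gets reviewed
    if datetime.fromisoformat(row["timestamp"]).hour not in BUSINESS_HOURS:
        reasons.append("after_hours")
    return reasons


def analyze(log_text):
    """Parse the CSV log and return a Finding for every event that raised a reason."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        reasons = check_event(row)
        if reasons:
            findings.append(Finding(row["timestamp"], row["user"], row["patient"], row["section"], reasons))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.timestamp} {f.user:<10} {f.patient} {f.section:<15} {', '.join(f.reasons)}")
```

Running it on the sample log produces four findings out of seven events; the two routine nurse and physician accesses and the billing clerk's legitimate billing lookup are silent. The surname match on P101 is deliberately a review item rather than a verdict: the nurse is assigned to that patient, so the access may be entirely proper, but it is exactly the case a privacy officer should confirm and document.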
Conduct Regular Risk Analyses

An annual risk analysis is the minimum. Organizations should also reassess when introducing new technology, changing workflows, experiencing security incidents, or engaging new business associates. Document all findings and track remediation efforts to completion; an identified risk with no owner and no due date is what OCR investigators look for.

For a detailed guide on running effective assessments, see our HIPAA Risk Analysis Process article.

Prepare for Breach Response

Even with strong prevention, breaches can occur. A tested incident response plan ensures your organization meets the Breach Notification Rule's deadlines and minimizes damage. Conduct tabletop exercises at least annually and update your plan based on lessons learned.

The Critical Role of Employee Training

Employee error and negligence remain the leading causes of HIPAA violations. No amount of technology investment can compensate for a workforce that does not understand its responsibilities. Training turns employees from your greatest vulnerability into your strongest defense.

Effective training programs share these characteristics:

  • They are ongoing, not one-time events
  • They use real examples and scenarios relevant to the audience
  • They include testing and verification to confirm understanding
  • They are documented to demonstrate compliance during audits
  • They are updated to reflect new threats and regulatory changes

Organizations that invest in robust training programs consistently experience fewer violations, faster incident detection, and stronger audit outcomes.

HIPAA Violations FAQ

What is the most common HIPAA violation?

Failure to conduct a thorough risk analysis is the most frequently cited violation in OCR enforcement actions. This foundational requirement underpins the entire HIPAA Security Rule, and its absence usually goes hand in hand with other compliance failures, since the controls that were never assessed are the ones that were never implemented.

Can individual employees be fined for HIPAA violations?

Yes. While civil penalties are assessed against covered entities and business associates, individual employees can face criminal charges for knowingly obtaining or disclosing PHI without authorization. Criminal penalties include fines up to $250,000 and imprisonment up to 10 years depending on the severity and intent.

How long does an organization have to report a HIPAA breach?

Organizations must notify affected individuals of a breach of unsecured PHI without unreasonable delay and no later than 60 calendar days after discovering it. Breaches affecting 500 or more individuals must also be reported to HHS within that same 60-day window and, when the affected individuals live in a single state or jurisdiction, to prominent media outlets serving that area. Breaches affecting fewer than 500 individuals are logged and reported to HHS within 60 days after the end of the calendar year in which they were discovered.

Do small practices face the same penalties as large organizations?

OCR considers the size and resources of an organization when determining penalties, but small practices are not exempt from enforcement. Several small practices have faced significant fines, especially for denying patient access to records or failing to implement basic security measures.

What should I do if I discover a HIPAA violation in my organization?

Immediately report the incident through your organization's internal reporting channels. Document what happened, contain any ongoing exposure, and conduct the four-factor risk assessment required by the Breach Notification Rule (the nature and extent of the PHI, who received it, whether it was actually acquired or viewed, and how far the risk has been mitigated) to determine whether the incident is a reportable breach. Then follow your incident response procedures. Early detection and swift action can greatly reduce both harm and penalties.

Avoiding HIPAA Violations: Final Thoughts

HIPAA violations are preventable. The organizations that avoid costly enforcement actions share common traits: they conduct thorough risk analyses, invest in employee training, implement strong technical safeguards, and build cultures where compliance is a shared responsibility.

Understanding the most common violations and their consequences empowers your organization to address vulnerabilities before they result in breaches, penalties, or loss of patient trust. Proactive compliance is always less expensive than reactive remediation.

One Guy Consulting provides comprehensive HIPAA compliance support, from risk analyses and policy development to employee training programs and incident response planning. Contact us to strengthen your organization's compliance posture and protect the patients who trust you with their most sensitive information.