HIPAA Violations & Avoiding Them

Practical guidance for healthcare teams and business associates

Every year, the Office for Civil Rights (OCR) investigates thousands of HIPAA violations that expose protected health information (PHI) and cost healthcare organizations millions in penalties. Understanding the most frequent compliance failures is the first step toward building a culture of privacy and security that protects both patients and your organization.

Whether you manage a large hospital system or a small medical practice like a dental office, HIPAA violations can strike any organization that handles health data. This guide covers the 15 violations OCR encounters most often, the 2025 penalty amounts you face, real named enforcement actions with settlement figures, and actionable prevention strategies your team can implement today.

The 5 Most Common HIPAA Violations by OCR Complaint Category

OCR publishes annual data on the types of complaints it investigates and resolves. The five categories that generate the most enforcement activity are consistent year over year:

  1. Impermissible uses and disclosures of PHI — sharing patient data without authorization or beyond the minimum necessary standard
  2. Lack of adequate safeguards for PHI — failure to implement administrative, physical, or technical controls
  3. Failure to conduct a security risk assessment — the single most cited deficiency in OCR-initiated compliance reviews
  4. Failure to provide patients access to their records — a specific OCR enforcement initiative has targeted this aggressively since 2019
  5. Missing or expired Business Associate Agreements — required whenever a vendor handles PHI on your behalf

These five categories account for the vast majority of OCR complaint investigations. Each maps directly to specific HIPAA rules and carries real financial consequences.

HIPAA Violation Penalty Tiers: 2025 Fine Schedule

OCR enforces HIPAA through a four-tier civil penalty structure. Penalty amounts are adjusted annually for inflation. The 2025 figures, effective under 45 CFR Part 160, are:

Tier | Culpability Level | Per-Violation Range | Annual Cap (same violation)
--- | --- | --- | ---
Tier 1 | Lack of Knowledge — the organization did not know and could not have known of the violation | $100 – $50,000 | $25,000
Tier 2 | Reasonable Cause — the organization knew or should have known but did not act with willful neglect | $1,000 – $50,000 | $100,000
Tier 3 | Willful Neglect, Corrected — the violation resulted from willful neglect and was corrected within 30 days | $10,000 – $50,000 | $250,000
Tier 4 | Willful Neglect, Not Corrected — willful neglect, not corrected within 30 days | $50,000 (minimum) | $1,900,000

Criminal penalties apply separately under 42 U.S.C. § 1320d-6 for intentional violations. Fines reach $250,000 and imprisonment up to 10 years for violations committed with intent to sell, transfer, or use PHI for personal gain or malicious harm.

Beyond civil money penalties, OCR frequently imposes corrective action plans (CAPs) — multi-year oversight agreements that require documented compliance improvements, regular reporting to OCR, and independent monitoring. CAPs can cost organizations far more than the initial fine when staff time and consulting fees are factored in.

The 15 Most Common HIPAA Violations (With Real Enforcement Examples)

1. Missing or Inadequate Security Risk Assessment

The single most cited HIPAA violation in OCR enforcement actions is the failure to perform a complete, organization-wide security risk assessment. Required under 45 CFR 164.308(a)(1), a risk assessment must identify all systems that create, receive, maintain, or transmit electronic PHI (ePHI), evaluate threats and vulnerabilities, and determine the likelihood and potential impact of each risk.

Real enforcement case: In 2023, Banner Health paid a $1.25 million settlement after OCR found the organization failed to conduct an enterprise-wide risk analysis, among other Security Rule failures. The case stemmed from a breach affecting 2.81 million individuals.

Prevention: Conduct a documented risk assessment at least annually and whenever significant operational changes occur — new EHR systems, mergers, new locations, or security incidents. The free HHS Security Risk Assessment Tool (SRA Tool) is a recognized starting point.

2. Missing Business Associate Agreements

Covered entities must execute written Business Associate Agreements (BAAs) with every vendor, contractor, or partner that accesses, uses, or discloses PHI on their behalf — required under 45 CFR 164.308(b)(1) and 164.314(a). Missing, unsigned, or expired BAAs are among the most frequently cited violations in OCR settlements.

Real enforcement case: Roper St. Francis Healthcare paid $1.625 million in 2023 after a ransomware attack revealed the organization lacked BAAs with multiple vendors that had access to PHI.

Prevention: Maintain a vendor inventory that tracks every third party with PHI access. Audit BAA status annually and set renewal reminders before agreements expire.

3. Insufficient Access Controls

Failing to implement proper access controls on systems containing ePHI is a technical safeguard violation under 45 CFR 164.312(a)(1). Common failures include shared login credentials, absence of role-based access controls, failure to terminate access for former employees, and lack of multi-factor authentication (MFA).

Real enforcement case: Yakima Valley Memorial Hospital paid $240,000 in 2023 after 23 employees used their system access to inappropriately view the records of a fellow employee who was a patient. OCR found inadequate access controls were the root cause.

Prevention: Implement role-based access so staff can only view PHI necessary for their job duties. Enforce MFA on all systems containing ePHI. Audit access logs regularly and terminate credentials same-day when employees leave.

4. Lack of Encryption on Portable Devices

Lost or stolen laptops, smartphones, USB drives, and tablets account for a large share of reported breaches. When these devices contain unencrypted ePHI, every loss is a reportable breach. The governing specification is 45 CFR 164.312(a)(2)(iv): encryption is an addressable — not optional — implementation specification, meaning OCR expects covered entities to either implement it or document a specific reason for not implementing it.

Real enforcement case: Advocate Medical Group paid a $5.55 million settlement after multiple laptop thefts exposed the PHI of over 4 million patients. The root cause was failure to implement device encryption.

Prevention: Encrypt all portable devices and removable media using FIPS 140-2 validated encryption. Implement mobile device management (MDM) with remote wipe capability for all devices that access ePHI.

5. Impermissible Disclosure of PHI

Sharing patient information without proper authorization, disclosing more than the minimum necessary, or failing to verify recipient identity before disclosing PHI are Privacy Rule violations under 45 CFR 164.502. Common scenarios include faxes sent to wrong numbers, unencrypted emails containing PHI, and conversations in public areas.

Real enforcement case: Memorial Hermann Health System paid $2.4 million after a senior vice president’s name appeared in a press release alongside a patient’s name and immigration status, constituting an impermissible disclosure.

Prevention: Train staff on the minimum necessary standard before every disclosure. Implement secure messaging platforms for PHI communication and verify fax numbers before sending.

6. Failure to Provide Patient Access to Records

Under 45 CFR 164.524, patients have the right to access their medical records within 30 days of a request (extendable by 30 days with written notice). Charging excessive fees, creating unnecessary bureaucratic barriers, or outright denying access are violations OCR has pursued aggressively through its Right of Access Initiative since 2019.

Real enforcement case: Cignet Health of Prince George’s County was fined $4.3 million — one of the largest penalties in HIPAA history — primarily for refusing to provide 41 patients with access to their medical records.

Prevention: Establish a documented patient access request process. Train front desk staff on response timelines. Ensure fees are limited to the reasonable cost of producing the records, as defined under OCR guidance.

7. Inadequate Workforce Training

HIPAA requires training for all workforce members on policies and procedures relevant to their functions, under 45 CFR 164.530(b)(1) (Privacy Rule) and 164.308(a)(5) (Security Rule). Organizations that provide only initial onboarding training, skip annual refreshers, or fail to document completion records are frequently cited during OCR audits.

Real enforcement case: Premera Blue Cross paid a $6.85 million settlement after a phishing attack exposed the PHI of over 10 million individuals. OCR found the organization failed to implement adequate security awareness and training programs.

Prevention: Implement annual role-based training with documented completion records. Run phishing simulations quarterly. Update training content whenever policies change materially.

8. Improper PHI Disposal

Disposing of paper records in regular trash bins or failing to properly sanitize digital devices before disposal violates 45 CFR 164.310(d)(2)(i) (Device and Media Controls) and 164.530(c) (Safeguards). Even a single improperly discarded document containing a patient name and diagnosis is a reportable violation.

Real enforcement case: Filefax, Inc. — a medical records storage company — was fined $100,000 after OCR discovered PHI from over 2,150 individuals had been left in an unlocked vehicle and later transported to a paper recycling facility without proper destruction.

Prevention: Use locked shred bins for all paper PHI. Engage NAID AAA-certified shredding vendors with BAAs. For digital devices, require certificates of destruction from HIPAA-compliant data destruction vendors.

9. Unauthorized Access by Employees (Snooping)

Employees accessing patient records without a legitimate work-related reason is one of the most persistent HIPAA violations — and one of the hardest to prevent through technical controls alone. This includes looking up celebrity records, accessing records of friends or family members, or viewing records out of personal curiosity.

Real enforcement case: Montefiore Medical Center paid $4.75 million after an employee sold the PHI of 12,517 patients to an identity theft ring. OCR found the hospital failed to implement appropriate audit controls to detect unauthorized access.

Prevention: Configure EHR audit logging to flag unusual access patterns. Conduct regular access log reviews. Enforce a zero-tolerance snooping policy with documented consequences up to and including termination.

10. Texting PHI on Personal Devices

Standard SMS and consumer messaging apps (iMessage, WhatsApp, and similar) are not HIPAA-compliant channels for PHI. When staff text patient information — diagnoses, appointment details, test results — via personal phones, they create an unsecured transmission that violates 45 CFR 164.312(e)(1).

Prevention: Deploy a HIPAA-compliant secure messaging platform (examples include TigerConnect, Imprivata Cortext, or similar). Establish a clear written policy prohibiting PHI transmission via standard SMS. Include this in new-hire training and annual refreshers.

11. Posting Patient Information on Social Media

Employees posting about patients on social media — even without using a name, if the patient could be identified from context — is a serious Privacy Rule violation. Photos taken in clinical settings that capture patient-identifiable information in the background are equally problematic.

Real enforcement case: Denta Quest paid $70,000 after a workforce member impermissibly disclosed a patient’s PHI on a public social media site following a patient complaint.

Prevention: Establish a clear social media policy for healthcare staff that explicitly prohibits discussing patients online. Include specific examples of what constitutes a violation. Apply the policy to personal accounts, not just work accounts.

12. Lost or Stolen Unencrypted Devices

This violation overlaps with the encryption issue above but warrants separate emphasis because it is so consistently common. The loss of a single unencrypted laptop triggers mandatory breach notification, OCR investigation, and potential penalties — all of which are entirely preventable with full-disk encryption.

Real enforcement case: Concentra Health Services paid $1.725 million after a single unencrypted laptop was stolen from one of its facilities. OCR found that despite prior knowledge of encryption risks, the organization had not implemented encryption across its devices.

Prevention: Require full-disk encryption (BitLocker, FileVault, or equivalent) on every device that can access ePHI. Document this requirement in your Security Rule policies. Verify encryption status via MDM tools.

13. Missing Audit Controls on EHR Systems

The HIPAA Security Rule requires covered entities to implement hardware, software, and procedural mechanisms that record and examine activity in systems containing ePHI, under 45 CFR 164.312(b). Many organizations enable logging but never actually review the logs — which OCR considers equivalent to having no audit controls at all.

Prevention: Configure your EHR to log all access events, including failed login attempts, record views, edits, and exports. Assign responsibility for log review to a specific role. Investigate anomalies — off-hours access, bulk record views, or access to recently discharged patients — on a regular schedule.
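As an added illustration of the log-review step described here and in item 9 above (example code written for this edit, not taken from the guide or from any EHR vendor), the following Python flags the three anomaly classes named in the prevention advice over constructed sample log lines. The log format, the business-hours window, the bulk threshold, and the discharge dates are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical log format, constructed for this example (no real EHR writes exactly this):
#   timestamp,user,patient_id,action,on_care_team
SAMPLE_LINES = [
    "2025-03-03T09:12:00,nurse01,P1001,VIEW,yes",    # routine: in hours, on care team
    "2025-03-03T02:40:00,clerk07,P1003,VIEW,no",     # 02:40 view by a clerk
    "2025-03-03T10:05:00,rn_float2,P1002,VIEW,no",   # P1002 was discharged six days earlier
    "2025-03-03T11:00:00,md_smith,P1002,VIEW,yes",   # attending's post-discharge follow-up
    "2025-03-03T20:30:00,nurse01,P1001,EDIT,yes",    # 20:30 edit
] + [
    # one billing user opening 25 distinct charts in 25 minutes
    f"2025-03-03T14:{m:02d}:00,billing03,P{3000 + m},VIEW,no" for m in range(25)
]

# Constructed discharge dates; in practice these would come from the ADT feed
DISCHARGES = {"P1002": datetime(2025, 2, 25), "P1003": datetime(2024, 6, 1)}

BUSINESS_HOURS = range(7, 19)      # 07:00 to 18:59 counts as in hours (assumed)
BULK_THRESHOLD = 20                # distinct patients per user per window (assumed)
BULK_WINDOW = timedelta(hours=1)
RECENT_DISCHARGE = timedelta(days=30)


def parse_log(lines):
    """Turn the CSV-style lines into event dicts with real datetimes."""
    events = []
    for line in lines:
        ts, user, patient, action, on_team = line.strip().split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "patient": patient, "action": action,
                       "on_team": on_team == "yes"})
    return events


def review(events, discharges):
    """Return (rule, user, detail) findings for the three anomaly classes."""
    findings = []
    views_by_user = defaultdict(list)
    for e in events:
        # 1. Any chart activity outside business hours
        if e["ts"].hour not in BUSINESS_HOURS:
            findings.append(("off_hours", e["user"], e["patient"]))
        # 2. Non-care-team access within 30 days after discharge
        discharged = discharges.get(e["patient"])
        if (discharged is not None and not e["on_team"]
                and discharged <= e["ts"] <= discharged + RECENT_DISCHARGE):
            findings.append(("post_discharge", e["user"], e["patient"]))
        if e["action"] == "VIEW":
            views_by_user[e["user"]].append((e["ts"], e["patient"]))
    # 3. Bulk viewing: many distinct charts by one user inside a sliding window
    for user, views in views_by_user.items():
        views.sort()
        for i, (start, _) in enumerate(views):
            window = {p for t, p in views[i:] if t - start <= BULK_WINDOW}
            if len(window) >= BULK_THRESHOLD:
                findings.append(("bulk_view", user, len(window)))
                break
    return findings


FINDINGS = review(parse_log(SAMPLE_LINES), DISCHARGES)

if __name__ == "__main__":
    for rule, user, detail in FINDINGS:
        print(f"{rule:15} {user:12} {detail}")
```

The care-team flag is what keeps the attending's legitimate follow-up on P1002 out of the findings while the float nurse's view is flagged; a real deployment would derive that flag from the care-team or encounter table rather than from the log line itself.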

14. PHI Discussed in Public Areas

Conversations about patients at the nursing station, in elevators, in waiting rooms, or in any area where unauthorized individuals may overhear are Privacy Rule violations under 45 CFR 164.530(c). This is particularly common in open-layout medical offices and dental practices with shared waiting areas.

Prevention: Establish physical privacy safeguards — frosted glass at check-in counters, privacy screens on monitors facing waiting areas, and designated private areas for clinical conversations. Train staff to default to private spaces for any discussion involving patient identifiers.

15. Website Tracking Pixels Transmitting PHI (2023–2025 Trend)

OCR issued guidance in December 2022 clarifying that tracking technologies (Meta Pixel, Google Analytics, similar) on healthcare websites and patient portals can transmit PHI to third parties without authorization — a violation of the Privacy and Security Rules. This has been an active enforcement area since 2023.

Real enforcement case: Multiple health systems including Advocate Aurora Health (13 million patients) and Novant Health faced OCR investigations and class action lawsuits after tracking pixels on their MyChart patient portals transmitted PHI to Meta and Google without valid authorization.

Prevention: Audit all tracking technologies on your website and patient portal. Remove or block any pixel or script that fires on pages accessible after login or that could transmit IP addresses alongside health-related content. If tracking tools are necessary, ensure third-party BAAs are in place and that tracking is limited to non-PHI pages.

Industry-Specific Violation Patterns

Dental Office Violations

Dental practices face a distinct set of common violations driven by their size, software ecosystem, and patient interaction model:

  • Missing BAAs with dental software vendors. Dentrix, Eaglesoft, Weave, Demandforce, and similar platforms all require signed BAAs. Many small dental practices have never executed these agreements.
  • No security risk assessment on record. OCR’s audit protocol specifically targets this for small practices. A dental office with 10 employees and no documented SRA is a straightforward enforcement target.
  • Radiograph and patient photo handling. Digital X-rays and intraoral photos are PHI. Sharing them via unencrypted email or consumer file-sharing services is a common violation.
  • Front desk conversations. Confirming appointments or discussing treatment in crowded waiting rooms is among the most cited dental practice violations in OCR complaints.

For a complete compliance framework, see our guide to HIPAA compliance for dental practices.

Hospital and Health System Violations

Larger organizations face scale-driven violations that smaller practices rarely encounter:

  • Enterprise-wide risk assessment gaps. Hospitals with multiple facilities often conduct risk assessments at the facility level without an enterprise-wide view — the gap OCR exploited in the Banner Health case.
  • Employee snooping at scale. With thousands of workforce members and millions of patient records, unauthorized access by curious employees is statistically near-certain without strong audit controls and enforcement culture.
  • Subcontractor chain failures. Large health systems use dozens of IT vendors, billing companies, and cloud providers — each of which requires a BAA and each of which introduces risk.
  • EHR migration errors. System migrations are high-risk events. Data transferred to new platforms without proper access controls or encryption has triggered several major settlements.

Health Tech and Digital Health Violations

Digital health startups and health tech companies face a unique enforcement landscape:

  • Incorrect covered entity determination. Many digital health companies do not realize they qualify as business associates — or in some cases, covered entities — until after a breach occurs.
  • Third-party SDK and API risks. Integrating analytics SDKs, ad networks, or AI APIs into apps that handle PHI without vetting for HIPAA compliance is a growing violation category.
  • Cloud misconfiguration. S3 buckets, Azure Blob Storage, and similar cloud resources containing ePHI left publicly accessible are reported regularly to OCR.
  • No formal compliance program at all. Early-stage companies often defer compliance infrastructure until funding is secured — by which point violations may already have occurred.

HIPAA Violation Prevention Checklist

Use this checklist to assess your organization’s current compliance posture. Each item maps directly to one or more of the 15 violations above:

Prevention Requirement | Rule Reference | Frequency
--- | --- | ---
Documented security risk assessment completed | 45 CFR 164.308(a)(1) | Annual + triggered
BAA executed with all vendors who access PHI | 45 CFR 164.308(b)(1) | Before access granted; audit annually
Role-based access controls implemented and audited | 45 CFR 164.312(a)(1) | Quarterly access reviews
All portable devices and media encrypted | 45 CFR 164.312(a)(2)(iv) | Verified via MDM; ongoing
Workforce training completed and documented | 45 CFR 164.308(a)(5) | At hire + annual refresher
Patient access request process documented | 45 CFR 164.524 | Policy review annual
PHI disposal procedures in place (paper + digital) | 45 CFR 164.310(d)(2)(i) | Ongoing; vendor audit annual
EHR audit logs reviewed regularly | 45 CFR 164.312(b) | Monthly minimum
Secure messaging platform deployed for PHI | 45 CFR 164.312(e)(1) | Ongoing
Social media policy distributed and signed | 45 CFR 164.530(b) | At hire + annual
Website tracking technologies audited for PHI leakage | 45 CFR 164.502 / 164.306 | Annual + after any tech changes
Incident response plan tested via tabletop exercise | 45 CFR 164.308(a)(6) | Annual
Privacy and Security Officers designated in writing | 45 CFR 164.530(a) / 164.308(a)(2) | Ongoing; update when personnel change

What to Do If Your Organization Has a Violation

Discovering a HIPAA violation does not automatically mean a large fine. How your organization responds matters significantly to OCR’s enforcement decisions.

  1. Contain the exposure immediately. Revoke unauthorized access, secure the affected systems, and preserve logs.
  2. Document the incident in detail. Record what happened, when it was discovered, who was affected, and what data was involved.
  3. Conduct a breach risk assessment. Apply the four-factor test under 45 CFR 164.402 to determine whether the incident meets the HIPAA definition of a breach requiring notification.
  4. Notify as required. If the incident qualifies as a breach, follow your breach notification obligations — individual notification within 60 days, HHS notification, and media notification if over 500 individuals in a state are affected.
  5. Remediate and document the fix. OCR gives significant credit for organizations that self-report, cooperate fully, and demonstrate concrete corrective action. Documented remediation can reduce penalties substantially or result in a resolution without a financial penalty.

OCR’s enforcement discretion policy explicitly allows for reduced or waived penalties when organizations demonstrate good faith, self-disclose violations, and take documented corrective action before OCR initiates an investigation.

Frequently Asked Questions

What is the most common HIPAA violation?

According to OCR enforcement data, failure to conduct a complete, documented security risk assessment is the most frequently cited violation in OCR enforcement actions. This foundational requirement under 45 CFR 164.308(a)(1) underpins the entire HIPAA Security Rule, and its absence often correlates with multiple other compliance failures across an organization.

What are the fines for HIPAA violations in 2025?

HIPAA civil penalties are tiered based on culpability. Tier 1 (lack of knowledge) ranges from $100 to $50,000 per violation. Tier 4 (willful neglect, uncorrected) starts at $50,000 per violation with an annual cap of $1.9 million for repeat violations of the same type. Criminal penalties for intentional violations include fines up to $250,000 and imprisonment up to 10 years.

Can employees go to jail for HIPAA violations?

Yes. Intentional HIPAA violations — particularly unauthorized accessing or selling of PHI for personal gain — can result in criminal prosecution under 42 U.S.C. § 1320d-6. Sentences range from 1 year in prison for simple knowing violations up to 10 years for violations committed with intent to sell, use, or cause harm with PHI.

Are HIPAA violations public?

Breaches affecting 500 or more individuals are publicly listed on the HHS OCR Breach Portal, commonly called the “Wall of Shame.” OCR also publicly announces major enforcement settlements via press releases on hhs.gov. Smaller violations investigated and resolved through voluntary compliance are generally not publicized.

What is the single most effective way to prevent HIPAA violations?

Conducting a thorough, documented security risk assessment annually — and acting on its findings through a written risk management plan — is the single most effective HIPAA violation prevention measure. The majority of OCR enforcement actions could have been avoided had the organization identified and addressed vulnerabilities through a proper risk assessment process. Organizations that complete and act on their SRA are rarely the ones OCR targets for systemic enforcement.

Avoiding HIPAA Violations: Final Thoughts

HIPAA violations are preventable. The organizations that avoid costly enforcement actions share common traits: they conduct thorough risk assessments, invest in employee training, implement strong technical protections, maintain complete vendor agreements, and build cultures where compliance is a shared responsibility.

Understanding the 15 most common violations and their real-world consequences empowers your organization to address vulnerabilities before they result in breaches, penalties, or loss of patient trust. The enforcement data is clear — proactive compliance is always less expensive than reactive remediation.

One Guy Consulting provides end-to-end HIPAA compliance support, from security risk assessments and policy development to workforce training programs and incident response planning. Contact us to strengthen your organization’s compliance posture and protect the patients who trust you with their most sensitive information.

Sources