Most Common HIPAA Violations

Updated March 2026 · 10 violations with real OCR enforcement examples

HIPAA Violations at a Glance

  • 21 — OCR enforcement actions in 2025, the second highest annual total ever
  • $2.19M — maximum annual civil penalty per violation category (2026)
  • 725+ — breach reports received by HHS in 2024 affecting 500+ individuals

OCR’s enforcement record tells a clear story: the same handful of mistakes account for the vast majority of HIPAA penalties. Between 2003 and 2025, OCR resolved over 36,000 complaints and completed more than 1,100 compliance reviews — and the violations keep repeating. Understanding what went wrong in real cases is the fastest way to protect your practice.

This guide covers the 10 most common HIPAA violations with real enforcement examples, actual penalty amounts, and specific steps to prevent each one. Whether you’re a covered entity or business associate, these are the pitfalls OCR flags most often.

#1 Snooping in Patient Records

What Goes Wrong

Workforce members access medical records without a legitimate treatment, payment, or operations reason. This includes looking up family members, neighbors, coworkers, or celebrities.

Real Enforcement Example

A hospital employee at UCLA Health System accessed records of celebrity patients over multiple years. The employee was terminated and criminally prosecuted under 42 USC 1320d-6.

Penalty

$50,000 fine + up to 1 year imprisonment (criminal); up to $2.19M civil penalty per year

How to Prevent It

  • Implement audit logs that flag access to records outside assigned patients
  • Use role-based access controls aligned with the minimum necessary rule
  • Include clear sanctions policy in training — immediate termination is standard
  • Conduct random access audits quarterly using your EHR's audit trail
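
The first bullet above (audit logs that flag access to records outside assigned patients) in working form, as an added example that is not part of the original article: a small Python review script run over constructed EHR audit-log lines. The log format, the care-team assignment table, the staff directory, the patient index and every identifier in it are assumptions made up for illustration; real EHR audit trails and scheduling data differ by vendor and would be exported rather than embedded.

```python
"""Flag EHR audit-log entries that warrant privacy-officer review.

Added example (not from the original article). The log format, field
names and all sample records below are constructed for illustration.
"""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass

# Constructed treatment/payment-relationship table: patients each user is
# assigned to (in practice derived from scheduling or care-team data).
ASSIGNMENTS = {
    "nurse01": {"P100", "P101", "P102"},
    "drlee": {"P100", "P103"},
    "billing1": {"P100", "P101", "P102", "P103", "P104"},
}

# Constructed staff directory: the user's own patient record (if any) and
# surname, used to spot self-access and possible family lookups.
STAFF = {
    "nurse01": {"own_patient_id": "P200", "surname": "Garcia"},
    "drlee": {"own_patient_id": None, "surname": "Lee"},
    "billing1": {"own_patient_id": None, "surname": "Okafor"},
}

# Constructed patient index: surname and a restricted/VIP flag.
PATIENTS = {
    "P100": ("Smith", False),
    "P101": ("Garcia", False),  # same surname as nurse01
    "P102": ("Nguyen", False),
    "P103": ("Jones", False),
    "P104": ("Brown", False),
    "P200": ("Garcia", False),  # nurse01's own record
    "P900": ("Famous", True),   # restricted (VIP) record
}

# Constructed audit-log export: one row per record access.
SAMPLE_LOG = """\
ts,user,action,patient
2026-03-02T08:01:00,nurse01,VIEW,P100
2026-03-02T08:05:00,nurse01,VIEW,P101
2026-03-02T12:30:00,nurse01,VIEW,P200
2026-03-02T12:31:00,nurse01,VIEW,P900
2026-03-02T09:00:00,drlee,VIEW,P103
2026-03-02T09:10:00,drlee,VIEW,P102
2026-03-02T10:00:00,billing1,VIEW,P104
"""


@dataclass
class Finding:
    ts: str
    user: str
    patient: str
    reason: str


def review_access_log(log_text, assignments=ASSIGNMENTS,
                      staff=STAFF, patients=PATIENTS):
    """Return one Finding per (access, reason) pair that needs review."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        ts, user, patient = row["ts"], row["user"], row["patient"]
        info = staff.get(user, {})
        own_id = info.get("own_patient_id")
        surname, restricted = patients.get(patient, (None, False))
        reasons = []
        if patient not in assignments.get(user, set()):
            reasons.append("no documented treatment/payment relationship")
        if patient == own_id:
            reasons.append("self-access to own record")
        if restricted:
            reasons.append("restricted (VIP) record")
        if surname and surname == info.get("surname") and patient != own_id:
            reasons.append("shares surname with user (possible family lookup)")
        findings.extend(Finding(ts, user, patient, r) for r in reasons)
    return findings


def per_user_summary(findings):
    """Count review items per user, the figure a quarterly audit sorts by."""
    counts = defaultdict(int)
    for f in findings:
        counts[f.user] += 1
    return dict(counts)


if __name__ == "__main__":
    hits = review_access_log(SAMPLE_LOG)
    for f in hits:
        print(f"{f.ts} {f.user:<9} {f.patient}  {f.reason}")
    print(per_user_summary(hits))
```

Each finding is a review item, not a verdict: an assigned patient who happens to share a surname with the user may be a coincidence, so the script records the reason and leaves the judgement to the privacy officer. In the constructed sample, the nurse's lookups of a personal record and of a restricted record each produce two reasons, which is the kind of clustering a quarterly review should surface first.
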

#2 Improper Disposal of PHI

What Goes Wrong

Paper records are placed in regular trash, hard drives are donated or sold without wiping, and old laptops are recycled without destroying the data. PHI must be rendered unreadable and indecipherable before disposal.

Real Enforcement Example

Filefax Inc. — a records storage company — was fined $100,000 after leaving medical records in an unlocked vehicle accessible to unauthorized persons. The records were later found dumped at a public location.

Penalty

$100,000+ in settlements; corrective action plans lasting 2-3 years

How to Prevent It

  • Cross-cut shred all paper PHI — strip-cut can be reassembled
  • Use NIST 800-88 media sanitization guidelines for electronic devices
  • Maintain a disposal log with dates, method, and responsible person
  • Include PHI disposal procedures in your notice of privacy practices

#3 Lost or Stolen Devices Containing PHI

What Goes Wrong

Unencrypted laptops, phones, USB drives, or portable hard drives containing ePHI are lost or stolen. Without encryption, this is a reportable breach regardless of whether data is actually accessed.

Real Enforcement Example

Lifespan Health System (Rhode Island) paid $1,040,000 to settle a case where an unencrypted laptop was stolen from an employee's car. The laptop contained PHI of 20,431 patients.

Penalty

$1,040,000 settlement + 2-year corrective action plan

How to Prevent It

  • Encrypt all devices that store or access ePHI — AES-256 minimum
  • Enable remote wipe capability on all mobile devices
  • Prohibit storing PHI on personal devices without MDM enrollment
  • Review encryption requirements in detail

#4 Failure to Conduct a Risk Assessment

What Goes Wrong

The HIPAA Security Rule requires covered entities and BAs to conduct a thorough, enterprise-wide security risk assessment. Many organizations either never do one, do an incomplete one, or fail to update it after significant changes.

Real Enforcement Example

Cardionet (now BioTelemetry) agreed to a $2,500,000 settlement after OCR found it had not conducted a risk assessment when required by the Security Rule. The case originated from a stolen laptop.

Penalty

$2,500,000 settlement — the single most common finding in OCR investigations

How to Prevent It

  • Conduct a formal risk assessment at least annually
  • Document every identified risk with likelihood, impact, and mitigation plan
  • Update the assessment after any significant change (new EHR, office move, merger)
  • Use a structured tool rather than an informal review

#5 Denying Patients Access to Records

What Goes Wrong

Under 45 CFR 164.524, patients have the right to access their medical records within 30 days. OCR launched a specific Right of Access enforcement initiative in 2019 and has issued more penalties for this than any other single violation type.

Real Enforcement Example

Cignet Health (Maryland) received the largest HIPAA fine ever — $4,300,000 — for denying 41 patients access to their medical records and then refusing to cooperate with OCR's investigation.

Penalty

$4,300,000 (Cignet); typical Right of Access settlements range $15,000–$240,000

How to Prevent It

  • Establish a documented process for responding to access requests within 30 days
  • Designate a specific person or team responsible for fulfilling requests
  • Never charge more than a reasonable cost-based fee for copies
  • Train front-desk staff to recognize and escalate access requests immediately

#6 Social Media PHI Disclosures

What Goes Wrong

Staff post photos, stories, or comments on social media that reveal patient information — even unintentionally. A background whiteboard, a visible chart, or a casual mention of a patient's condition all qualify.

Real Enforcement Example

An employee at a Texas nursing facility posted photos of a patient on social media. The facility was investigated by OCR and entered into a corrective action plan requiring revised social media policies and staff retraining.

Penalty

Corrective action plans + potential civil penalties; criminal charges in egregious cases

How to Prevent It

  • Implement a written social media policy that explicitly addresses PHI
  • Ban personal phone use in clinical areas where PHI is visible
  • Include real social media violation examples in annual training
  • Designate a compliance officer to review any work-related social media posts before publication

#7 Texting PHI on Unsecured Platforms

What Goes Wrong

Clinicians text patient details using standard SMS, iMessage, WhatsApp, or other consumer messaging apps that lack encryption, access controls, and audit trails. Even well-intentioned care coordination via text violates HIPAA if the platform isn't compliant.

Real Enforcement Example

Multiple OCR investigations have cited unencrypted text messaging as a contributing factor in larger breach settlements. A 2023 case involving a healthcare provider traced a PHI exposure to staff routinely sharing patient information via standard SMS.

Penalty

Varies — typically part of larger settlement; $100,000–$500,000 when combined with other findings

How to Prevent It

  • Deploy a HIPAA-compliant messaging platform with encryption and audit logging
  • Block standard SMS/MMS for patient communications on work devices
  • Obtain a BAA from any messaging vendor before transmitting PHI
  • Audit messaging platform usage quarterly for policy compliance

Compare platforms in our HIPAA-compliant messaging guide.

#8 Sign-In Sheet Violations

What Goes Wrong

Patient sign-in sheets at reception desks can violate HIPAA if they expose the reason for the visit, treating provider, or other clinical details. A basic name-and-time sign-in is generally permissible, but adding appointment type or doctor name crosses the line.

Real Enforcement Example

OCR has issued guidance clarifying that sign-in sheets requesting only patient name and arrival time are acceptable under the minimum necessary standard. However, practices that include appointment reason, insurance info, or provider name have received complaints.

Penalty

Typically resolved through voluntary compliance; repeated complaints trigger formal investigation

How to Prevent It

  • Limit sign-in fields to name, arrival time, and signature only
  • Use a format where previous patients' entries are not visible to new arrivals
  • Consider a digital check-in system that eliminates the paper trail entirely
  • Never include reason for visit, insurance, or provider name on the sheet

Learn more about limiting disclosures in our minimum necessary rule guide.

#9 Verbal PHI Disclosures

What Goes Wrong

Staff discuss patient information in public areas — hallways, elevators, cafeterias, waiting rooms — where it can be overheard. This also includes calling a patient's full name in the waiting room alongside their condition or procedure.

Real Enforcement Example

Multiple OCR complaints stem from staff discussions overheard in elevators and waiting rooms. While HIPAA doesn't prohibit all verbal communication, it requires reasonable safeguards to minimize incidental disclosures.

Penalty

Usually resolved through corrective action; escalates if pattern of negligence is established

How to Prevent It

  • Use first name only when calling patients from the waiting room — never pair it with condition or procedure
  • Conduct clinical discussions in private areas, not hallways or elevators
  • Install white noise machines in areas where PHI discussions may be overheard
  • Post visual reminders in common areas about verbal PHI policies

#10 Insufficient HIPAA Training

What Goes Wrong

The Privacy Rule requires training for all workforce members on HIPAA policies and procedures. Many organizations train only clinical staff, skip annual refreshers, or fail to document training completion — any of which OCR treats as a violation.

Real Enforcement Example

Children's Medical Center of Dallas paid $3,200,000 in 2017 after OCR found years of non-compliance including inadequate training. The investigation revealed staff had not been trained on updated device encryption policies.

Penalty

$3,200,000 (Children's Medical Center); training deficiencies found in >80% of enforcement actions

How to Prevent It

  • Train all workforce members — including volunteers, contractors, and janitorial staff
  • Conduct annual refresher training, plus retraining after policy changes
  • Document every session: date, attendees, topics, trainer, and completion status
  • Retain training records for a minimum of 6 years per HIPAA requirements

See full requirements in our HIPAA training requirements guide.

HIPAA Penalty Tiers (2026 Figures)

Civil monetary penalties follow a four-tier structure based on the level of culpability. Penalty amounts are adjusted for inflation annually. State attorneys general can pursue additional penalties on top of federal enforcement.

Tier 1: Did not know and would not have known by exercising reasonable diligence
  Per violation: $145 – $73,011
  Annual cap: $2,190,294

Tier 2: Reasonable cause but not willful neglect
  Per violation: $1,461 – $73,011
  Annual cap: $2,190,294

Tier 3: Willful neglect, corrected within 30 days
  Per violation: $14,602 – $73,011
  Annual cap: $2,190,294

Tier 4: Willful neglect, not corrected within 30 days
  Per violation: $73,011 – $2,190,294
  Annual cap: $2,190,294

Annual caps updated per HHS inflation adjustment (2026). Per-violation amounts adjusted for inflation annually.

Criminal Penalties

Criminal violations are prosecuted by the U.S. Department of Justice and can apply to individuals, not just organizations.

Offense                                              Max Fine          Max Prison
Knowingly obtaining or disclosing PHI                Up to $50,000     Up to 1 year
Committed under false pretenses                      Up to $100,000    Up to 5 years
Intent to sell, transfer, or use for personal gain   Up to $250,000    Up to 10 years

Can you get fired for a HIPAA violation?

Yes. Most healthcare organizations include HIPAA violations as grounds for immediate termination in their sanctions policy. Employees who access records without authorization, share PHI on social media, or deliberately disclose patient information are routinely fired — and in criminal cases, may face prosecution and imprisonment.

Frequently Asked Questions

Common questions about HIPAA violations answered with citations to the actual regulations.

Is a sign-in sheet a HIPAA violation?

A basic sign-in sheet that collects only the patient's name and arrival time is generally permissible under HIPAA. It becomes a violation when the sheet includes the reason for the visit, treating provider, insurance information, or other clinical details that could reveal PHI to other patients who sign in later.

Can you call a patient's name in the waiting room?

Yes — calling a patient by first name (or first and last name) in the waiting room is allowed under HIPAA. What you cannot do is pair the name with a condition, procedure, or department. Saying "John Smith" is fine. Saying "John Smith, your oncology appointment is ready" is a violation because it discloses clinical information to everyone present.

Is texting patients a HIPAA violation?

Texting patient information using standard SMS, iMessage, or consumer apps like WhatsApp is a HIPAA violation because these platforms lack the encryption, access controls, and audit trails required by the Security Rule. Using a HIPAA-compliant messaging platform with end-to-end encryption and a signed BAA is the compliant alternative.

Can you get fired for a HIPAA violation?

Absolutely. Most healthcare organizations treat HIPAA violations as grounds for immediate termination, especially unauthorized access to records (snooping), sharing PHI on social media, or deliberately disclosing patient information. Beyond termination, individuals can face criminal prosecution with fines up to $250,000 and imprisonment up to 10 years.

What is the most common HIPAA violation reported to OCR?

According to HHS enforcement data, the most frequently alleged violations in complaints are: impermissible uses and disclosures of PHI, lack of safeguards for PHI, denial of patient access to records, lack of administrative safeguards (including risk assessments), and using or disclosing more than the minimum necessary information.

Don’t wait for an audit to find the gaps

Run through the HIPAA compliance checklist to evaluate your current posture, then use the risk assessment tool to document and prioritize the threats specific to your organization. Proactive documentation is the single best defense if OCR comes knocking.