What Is a HIPAA Violation? Examples, Breaches & How to Stay Compliant

Did you know that in 2024, Montefiore Medical Center paid a staggering $4.75 million settlement for a single HIPAA violation? The hefty fine is a result of the firm’s failure to conduct risk analyses, lack of adequate security measures, and delayed breach notification.

According to the Federal Register, HIPAA violations now carry penalties reaching $2,134,831 per incident.  Now you might think your small practice is safe from scrutiny, but Office for Civil Rights (OCR) investigations don’t discriminate by organization size. From solo practitioners to established healthcare centers, everyone faces the same strict enforcement standards. But what constitutes a HIPAA violation, and how do you recognize common breach patterns? Read on to find more about these violations to protect your practice and the privacy of your patients!

What is Considered a HIPAA Violation?

Covered Entity Healthcare providers, health plans, and healthcare clearinghouses that electronically transmit health information and are required to comply with HIPAA regulations.Business Associate Any third-party vendor or contractor that handles PHI on behalf of a covered entity (e.g., billing companies, IT providers, cloud storage services).PHI vs ePHIPHI (Protected Health Information): Any health information in any form (paper, electronic, oral) that can identify a patient. ePHI (Electronic PHI): PHI stored or transmitted electronically.

HIPAA (Health Insurance Portability and Accountability Act) is a federal law that sets national standards for protecting sensitive patient health information. Enacted in 1996, the law governs the use and disclosure of PHI (Protected Health Information) by covered entities, including healthcare providers, health plans, and healthcare clearinghouses. The rules are defined as:

• Security Rule: Your organization must have physical, technical, and administrative measures to protect health information.
• Privacy Rule: You cannot share the patient’s personal health information without their consent or knowledge.
• Breach Notification Rule: The Organization must notify affected individuals within 60 days of a data breach.
• Right of Access Rule (45 CFR §164.524): Patients have the right to access their medical records within 30 days of request. In 2025, Oregon Health & Science University (OHSU) faced enforcement 2025 for systematically delaying patient record access.

Read More: What are the 5 core components of the HIPAA Privacy Rule?

What are the Examples of HIPAA violations?

Healthcare enterprises are under constant pressure to safeguard their patient data, as the system becomes more digital. Most violations take place because employees working in the organization aren’t aware of the rules and what breaks them. Here we will walk you through some common HIPAA violations examples:

Violation Type	What Happened / Real Case (Year)	What to Do Instead (Actionable Control)
Unauthorized Access to Patient Records	Employees accessed patient data without a legitimate reason. UCLA Health System paid $865,500 (2011) after staff snooped on celebrity medical records, including Farrah Fawcett and Britney Spears.	Enforce role-based access controls (RBAC), conduct regular access audits, and use user activity monitoring to detect unauthorized access.
Improper PHI Disposal and Data Destruction	Patient files and hard drives were discarded without proper destruction. Affinity Health Plan paid $1.2 million (2013) after returning leased copiers with PHI on hard drives.	Apply secure disposal procedures, shred paper records, wipe or destroy drives, and document destruction under a formal retention policy.
Lost or Stolen Devices Containing Unencrypted PHI	Devices with patient data were lost or stolen. Massachusetts General Hospital was fined $1 million (2011) after paper records containing PHI were lost on public transit.	Encrypt all devices storing PHI, use mobile device management (MDM) tools, and require password protection with remote wipe capabilities.
Inadequate Access Controls	Terminated or temporary employees retained system access, risking unauthorized PHI exposure.	Automate account deprovisioning, conduct quarterly access reviews, and maintain comprehensive audit logs of all user activity.
Verbal Disclosure of Patient Information	Staff discussed patient details in public areas or online. Several hospitals have received OCR warnings for hallway and cafeteria conversations violating privacy.	Hold annual privacy training, post “Do Not Discuss PHI in Public Areas” reminders, and adopt private consultation spaces for patient discussions.
Business Associate Agreement (BAA) Violations	Vendors handled PHI without proper BAAs. North Memorial Health Care paid $1.55 million (2016) for failing to execute a BAA with a major contractor.	Ensure all third-party vendors sign compliant BAAs, perform vendor risk assessments, and audit PHI handling by associates annually.
Delayed or Inadequate Breach Notification	Covered entities failed to notify patients or OCR within 60 days, or underreported the breach size. Anthem Inc. paid $16 million (2018) after delaying breach reporting that exposed data of 79 million people.	Follow the HIPAA Breach Notification Rule: report breaches to OCR and affected patients within 60 days, include full scope and corrective actions, and maintain incident logs for transparency.

How to Report a HIPAA Violation?

If you believe your private health information is being mishandled or has been exposed, you can file a HIPAA complaint and hold the party accountable. However, to be accepted and investigated by the Office for Civil Rights (OCR), you need to follow the steps below to report a HIPAA violation:

1. Confirm That a Violation Occurred

Start by determining whether the incident qualifies as a HIPAA violation.
You can report:

• Unauthorized access or disclosure of your PHI (for example, records emailed to the wrong person)
• Lack of safeguards such as encryption or access controls
• Denial of your right to access your medical records

Only incidents involving protected health information fall under HIPAA’s scope.

2. Know Where to Report

Internal Reporting (First Step)

If the incident occurred within your organization, contact your Privacy or Compliance Officer immediately. Most healthcare entities have internal processes for investigating and resolving HIPAA-related issues promptly.

Report Directly to OCR
You can file a complaint directly through the OCR Complaint Portal. Alternatively, you can submit a written complaint by mail or email to the OCR office listed on the HHS website.

3. Include All Required Details

Your complaint should include:

• Date or dates of the violation
• Name of the covered entity or business associate involved
• The specific rule you believe was violated (Privacy, Security, or Right of Access)
• Supporting evidence such as emails, screenshots, or witness statements

Checklist:

• Violation date(s)
• Entity or individual responsible
• Suspected rule violated
• Supporting documentation

4. Submit Within the 180-Day Window

You must file your complaint within 180 days of when you became aware of the incident. OCR may accept late complaints if you can show good cause for the delay, such as hospitalization or lack of access to information.

5. Cooperate with the Investigation

If OCR determines your complaint meets the necessary criteria, it will open a formal investigation. The OCR will contact both you and the entity involved, request documentation, and evaluate compliance measures. Be prepared to provide additional information if requested.

What Not to Do

• Do not post details of the incident on social media.
• Do not delete any related emails, messages, or logs, and preserve all evidence.
• Do not bypass your internal compliance process if your organization has a Privacy Officer; internal reporting may resolve the issue more quickly.

What Happens After a HIPAA Violation is Reported?

Once you report the incident, OCR will investigate the HIPAA complaints. The investigation can result in a few possible outcomes, based on the validity of the violation and the response of the covered entity. Here’s what you can expect after filing a HIPAA violation complaint,

Review and Investigation

Once the OCR receives your complaint, it will review the details and may conduct an investigation. The process includes interviews, document reviews, and discussions with the party accused of the HIPAA violation.

Dismissal of the Complaint

Your complaint may be closed without any investigation if it falls outside the 180-day filing window (without any probable good cause). The complaint also will not be considered in case it does not involve any covered entity or business associate. For instance, if you complain against employers or schools, it will be dismissed as it falls outside the scope of HIPAA’s covered entities.

Informal Resolution (Voluntary Compliance or Corrective Action Plan)

If OCR finds a violation, but it is unintentional or due to lack of awareness, the entity is often offered an informal resolution through voluntary compliance or a Corrective Action Plan (CAP) instead of immediate penalties.

A CAP typically requires the organization to:

• Conduct a formal risk analysis of their PHI handling and security systems
• Update or create privacy and security policies and procedures
• Provide workforce training on HIPAA compliance and patient rights
• Submit progress reports or audits to OCR for monitoring and follow-up

These measures are designed to bring the organization into full compliance and prevent future violations. Most healthcare entities choose to cooperate quickly to avoid monetary fines.

Criminal Referral or Civil Money Penalties

If the covered entity refuses to comply, has a pattern of violations, or the breach involves willful neglect or criminal intent, OCR escalates enforcement:

• Civil Money Penalties (CMPs): Imposed for repeated or serious noncompliance.
• Criminal Referral: Referred to the U.S. Department of Justice (DOJ) for prosecution when intent to misuse PHI is evident.

Example:
On March 6, 2025, Oregon Health & Science University (OHSU) was fined $200,000 for failing to provide a patient’s personal representative with timely access to medical records. The delay exceeded HIPAA’s 30-day access rule, making it a Right of Access violation, a common but often overlooked compliance gap in small and understaffed clinics.

What are the Consequences of HIPAA Violations?

The consequences of HIPAA violations extend far beyond financial penalties. You face multiple types of repercussions that can affect your practice and professional reputation. Here’s a brief overview of the consequences of violating HIPAA regulations,

Civil Penalties

OCR has settled or imposed civil money penalties in 152 cases, resulting in total fines of $144,878,972. These penalties reflect the government’s serious commitment to enforcing HIPAA compliance across the healthcare industry. The penalty tiers are adjusted annually for inflation. Here’s the current framework:

Violation Category	Per Violation (Minimum)	Per Violation (Maximum)	Annual Cap
Tier 1: Unknowing violation – the entity was unaware and could not have realistically avoided the violation	$137	$68,928	$2,067,813
Tier 2: Reasonable cause – violation due to circumstances beyond reasonable control	$1,379	$68,928	$2,067,813
Tier 3: Willful neglect (corrected within 30 days)	$13,785	$68,928	$2,067,813
Tier 4: Willful neglect (not corrected)	$68,928	$2,067,813	$2,067,813

Your organization may also face legal fees, consultant costs, and system remediation expenses that can exceed the actual penalties. For instance, the Sentara Hospitals has made a $2.175 Million Settlement, affecting 577 patients.

Professional Licensing Issues

You could face license suspension, revocation, or other disciplinary actions if your state licensing board investigates your HIPAA violation. For instance, the Texas Medical Board cited HIPAA violations for a physician’s license probation in 2024. Moreover, your professional liability insurance usually does not cover intentional HIPAA violations. It means you are responsible for dealing with damages and legal costs. 

Reputational Damage

Patient trust is important for healthcare relationships. HIPAA violations can permanently damage your reputation, leading to HIPAA violations can permanently damage your reputation, leading to:

• Loss of patient trust and exodus to competing providers
• Difficulty recruiting qualified staff who want to work for compliant organizations
• Challenges in obtaining professional insurance coverage at reasonable rates
• Negative media coverage that persists in online search results
• Loss of referral relationships with other healthcare providers

 Recovery from reputational damage often takes much longer than financial recovery from penalties. 

Operational Disruptions

Breach investigations can consume a large part of your staff’s time and resources. Your normal operations may be disrupted for weeks or months while:

• Responding to OCR investigations and information requests
• Implementing mandatory corrective action plans
• Upgrading security measures and policies
• Retraining the entire staff on compliance procedures
• Conducting risk assessments and vulnerability testing

For example, OHSU’s March 2025 incident led to extensive workflow redesigns and permanent operational changes. 

Can One Go To Jail For Violating HIPAA?

In most cases, HIPAA violations lead to civil penalties, not prison time. The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) handles these through fines and corrective action plans. For 2024, civil penalties range from $141 to $2,134,831 per violation, depending on the severity, intent, and corrective action taken.

However, when someone knowingly or intentionally obtains, discloses, or uses Protected Health Information (PHI) without authorization, the matter can escalate to criminal prosecution under 42 U.S.C. §1320d-6. These cases fall under the jurisdiction of the U.S. Department of Justice (DOJ).

HIPAA Criminal Penalty Tiers (42 U.S.C. §1320d-6)

Tier	Violation Type	Maximum Fine	Maximum Prison Time
Tier 1	Knowingly obtaining or disclosing PHI without authorization	$50,000	1 year
Tier 2	Obtaining PHI under false pretenses	$100,000	5 years
Tier 3	Obtaining or using PHI for personal gain, commercial advantage, or malicious harm	$250,000	10 years

Let’s take a brief look at such HIPAA violation examples:

The Des Moines Identity Theft Conspiracy

A Des Moines man was sentenced to 27 months in prison in 2022 for wrongfully obtaining and disclosing individually identifiable health information. He used his access to medical records to obtain Social Security numbers, addresses, and other personal information, to file fraudulent tax returns, and open credit accounts.

Texas Hospital Worker Case

A former Texas hospital worker received 18 months in federal prison for criminal HIPAA violations. The worker accessed patient records without authorization and shared the information with outside parties for personal benefit. 

Annie Vuong Dental Practice Case

Annie Vuong, a former dental practice receptionist, was sentenced to 2-6 years in state prison for stealing PHI from 653 patients and passing it to accomplices for identity theft. Vuong was photographing patient records and sharing them through encrypted messaging apps for fraudulent insurance claims and tax returns. The hospital’s access monitoring systems failed to detect unusual patterns of record access when the same employee repeatedly viewed records unrelated to her job duties.

How to Stay HIPAA Compliant?

HIPAA compliance is the top priority for any healthcare organization or covered entity. You need to follow proactive strategies that address both current requirements and evolving regulatory expectations. Here are some strategies to prevent HIPAA violations: 

1. Conduct Regular Risk Assessments

Control Families: Policies, Audit/Logging
Key Actions:

• Perform annual enterprise-wide risk assessments and quarterly access reviews.
• Identify, document, and track remediation of security gaps.
• Maintain audit logs for all system access and configuration changes.

Goal: Detect vulnerabilities early and maintain continuous compliance visibility.

2. Strengthen Cybersecurity Controls

Control Families: Encryption, Access Control, Audit/Logging
Key Actions:

• Enforce multi-factor authentication (MFA) and Zero Trust Architecture for all users.
• Apply data loss prevention (DLP) tools to monitor and block PHI exfiltration.
• Use role-based access control (RBAC) to limit data exposure.
• Ensure full encryption of PHI at rest and in transit.
• Enable comprehensive audit logging and real-time monitoring of system access.

Goal: Protect electronic PHI (ePHI) from unauthorized access, loss, or theft.

3. Provide Workforce Training and Accountability

Control Families: Training, Policies
Key Actions:

• Deliver HIPAA training at onboarding and annual refresher courses for all staff.
• Maintain a sanction policy to address non-compliance or negligent behavior.
• Conduct background checks before granting system access.

Goal: Ensure every employee understands PHI handling, privacy expectations, and reporting procedures.

4. Enforce the “Minimum Necessary” Rule

Control Families: Access Control, Policies, Audit/Logging
Key Actions:

• Implement role-based EHR views to limit data visibility by job function.
• Require break-glass logging when emergency access is used.
• Conduct quarterly access reviews to ensure data access remains appropriate.

Goal: Reduce unnecessary PHI exposure and maintain strict data minimization practices.

5. Manage Business Associates and Vendor Risks

Control Families: Vendor Risk/BAAs, Policies
Key Actions:

• Execute and review Business Associate Agreements (BAAs) annually.
• Conduct vendor security due diligence before engagement.
• Define breach notification SLAs and data protection requirements in contracts.

Goal: Ensure third parties meet the same HIPAA security and privacy standards.

6. Maintain an Incident Response Plan

Control Families: Incident Response, Policies, Audit/Logging
Key Actions:

• Develop and regularly test an incident response plan.
• Include clear steps for detection, containment, notification, and recovery.
• Adhere to the 60-day breach notification rule for affected individuals and HHS.

Goal: Contain security incidents quickly and meet legal reporting timelines.

7. Implement Robust Backup and Recovery Systems

Control Families: Policies, Audit/Logging, Encryption
Key Actions:

• Schedule daily encrypted backups of critical systems and PHI.
• Perform quarterly recovery testing to verify restoration capability.
• Log all backup and recovery activities for audit readiness.

Goal: Guarantee data integrity, continuity, and disaster recovery compliance.

Read More: Why Is HIPAA Important for Healthcare Workers?

Stay HIPAA Compliant: Protect your Patients and Practice!

Medical records of more than 100 million individuals have been compromised in the last two decades due to unauthorized access or breach notification failures. The consequences of HIPAA violations go beyond financial penalties; you have to deal with reputational damage and even criminal charges. Whatever the size of your organisation, focus on staff training, safety measures, incident response, and ongoing monitoring to maintain your HIPAA compliance. 

Want to learn more about HIPAA compliance? Sign up for our online HIPAA certification course to learn the latest compliance requirements and earn an industry-recognized certification at your convenience.