HIPAA Violations Explained: Examples, Penalties, and How to Report Them
HIPAA sets national standards for safeguarding Protected Health Information (PHI) in any form—paper, verbal, or electronic. Understanding what counts as a violation, how penalties work, and when to report issues helps you protect patients and your organization. This guide walks through concrete examples, Tiered Penalties, reporting via the OCR Complaint Portal, and practical safeguards like encryption and proper disposal.
Examples of HIPAA Violations
HIPAA violations range from obvious disclosures to subtle process gaps that expose PHI. Use these examples to spot risks early and address them before they escalate.
Unauthorized access and snooping
Viewing a record without a job-related need (e.g., checking a neighbor’s chart) violates the minimum necessary standard. Shared logins or weak access controls make this more likely.
Improper disclosures and gossip
Discussing a patient’s diagnosis in a public space or posting details on social media—even without a name—can reveal PHI. Marketing uses without valid authorization are another common pitfall.
Misdirected communications
Faxing to the wrong number, emailing PHI to an incorrect address, or handing paperwork to the wrong patient are classic, preventable disclosure errors.
Insufficient safeguards
Lack of unique user IDs, no audit logs, unpatched systems, or absent risk analyses weaken safeguards required by the Security Rule and increase breach likelihood.
Lost or stolen devices without encryption
Laptops, phones, or USB drives containing unencrypted ePHI that are lost or stolen typically trigger Data Breach Notification duties and can drive significant penalties.
Ransomware and hacking incidents
Malware that encrypts or exfiltrates ePHI is usually presumed a breach unless you can show a low probability that the PHI was compromised. Weak backups, missing MFA, and poor network segmentation magnify the impact of such incidents.
Improper disposal of PHI
Throwing patient files into regular trash, selling copier hard drives without secure wiping, or discarding labeled pill bottles can expose PHI during waste handling.
Failure to provide timely access
Delaying or denying a patient’s record request beyond required timeframes, overcharging, or refusing a third‑party directive are frequent “Right of Access” violations.
Penalties for HIPAA Violations
Enforcement focuses on both harm and accountability. Penalties scale with intent, corrective action, and the organization’s overall compliance posture.
Civil enforcement and Tiered Penalties
HHS’s Office for Civil Rights (OCR) applies Tiered Penalties that consider the level of culpability: no knowledge, reasonable cause, Willful Neglect corrected, and Willful Neglect uncorrected. Fines apply per violation with annual caps and are adjusted for inflation.
Willful Neglect
Willful Neglect—conscious, intentional failure or reckless indifference—draws the harshest civil penalties. Prompt mitigation and documented remediation can significantly reduce exposure.
Criminal Penalties
Knowingly obtaining or disclosing PHI in violation of HIPAA can lead to Criminal Penalties, including fines and imprisonment. Offenses involving false pretenses or selling PHI for gain carry steeper consequences.
Corrective Action Plans and monitoring
Many settlements include multi‑year Corrective Action Plans (policies, training, risk analyses, audits) with OCR monitoring. These obligations can be more burdensome than fines alone.
Factors that influence outcomes
OCR weighs the number of individuals affected, duration, types of PHI, actual harm, history of violations, cooperation, and organizational size and resources when setting penalties.
Reporting HIPAA Violations
Reporting enables swift containment and remediation. Approach it methodically to protect patients and preserve evidence.
If you are a patient or workforce member
Start with your organization’s privacy/compliance officer to enable rapid corrective action. If unresolved or inappropriate to report internally, file a complaint with OCR through the OCR Complaint Portal—ideally within 180 days of when you knew of the issue.
What to include in a complaint
- Who was involved, what PHI was affected, and how the incident occurred.
- When and where it happened, how it was discovered, and steps taken so far.
- Any supporting evidence (e.g., screenshots, letters, emails), redacting unrelated data.
For organizations: Data Breach Notification duties
After discovering a breach of unsecured PHI, notify affected individuals without unreasonable delay and no later than 60 days after discovery. For breaches affecting 500 or more residents of a state or jurisdiction, also notify prominent media outlets and report to HHS; smaller breaches must be logged and reported to HHS annually.
Business associates’ role in reporting
Business associates must notify the covered entity of a breach without unreasonable delay, within the timeframe set in the contract (often no later than 60 days). Your Business Associate Agreements should specify required details and timing.
Understanding Business Associate Agreements
Business Associate Agreements (BAAs) define how vendors that handle PHI safeguard it and support your compliance. A strong BAA clarifies responsibilities and closes common gaps.
Who is a business associate?
Any vendor or subcontractor that creates, receives, maintains, or transmits PHI on your behalf (e.g., EHR providers, billing, transcription, cloud storage) is a business associate and must sign a BAA before accessing PHI.
Core BAA clauses to include
- Permitted uses/disclosures aligned with minimum necessary standards.
- Administrative, physical, and technical safeguards; workforce training and sanctions.
- Breach and security incident reporting requirements with timelines and content.
- Subcontractor flow‑downs, audit rights, cooperation with OCR, and termination for cause.
- Return or destruction of PHI at termination and limits on data retention.
Common pitfalls
Unsigned or outdated BAAs, vague breach language, and poor oversight of subcontractors create liability. Willful Neglect findings often stem from ignored or incomplete vendor governance.
Importance of Encryption
Encryption reduces breach risk and can provide safe harbor under the Breach Notification Rule when PHI is rendered unusable, unreadable, or indecipherable to unauthorized individuals.
Encrypt at rest and in transit
Apply strong, industry‑standard encryption to servers, databases, backups, laptops, and mobile devices. Use secure transport (e.g., TLS) for email and APIs, and encrypt attachments or portals for sensitive exchanges.
Keys, identity, and access
Centralize key management, rotate keys, and restrict access with unique IDs and MFA. Pair encryption with least‑privilege roles and continuous audit logging to detect misuse.
Operational readiness
Document encryption policies, test recovery of encrypted backups, and train staff on handling encrypted files. If a device is lost but strongly encrypted, you may avoid Data Breach Notification.
Consequences of Improper Disposal
Disposal mistakes leak PHI long after routine care ends. Treat end‑of‑life handling as a high‑risk process, not an afterthought.
Paper records
Use locked consoles and cross‑cut shredding or certified destruction services with chain‑of‑custody and certificates of destruction. Restrict and supervise access to staging areas.
Electronic media
Sanitize or destroy drives, copier hard disks, and removable media so data is non‑recoverable. Verify vendor methods, document serial numbers, and track transfers end‑to‑end.
Business impact
Improper disposal can trigger reportable breaches, expensive remediation, and loss of patient trust. Repeat issues elevate penalties and investigation intensity.
Patient Rights and Access to Records
Patients have robust rights to access and control their PHI. Meeting these requirements reduces complaints and strengthens trust.
Right of access
Provide records within 30 days of request (with one allowable 30‑day extension if necessary), in the requested format if readily producible. Honor third‑party directives to send records to a person or entity the patient designates.
Reasonable, cost‑based fees
Fees may cover labor for copying, supplies, and postage—not retrieval or verification. Publish your fee schedule and offer estimates to prevent disputes.
Other key rights
- Request amendments to PHI and receive a written denial with appeal options if you decline.
- Request restrictions on disclosures; a request to withhold from a health plan information about a service the patient paid for in full out of pocket must be honored.
- Request confidential communications (e.g., alternate address or phone number).
- Receive an accounting of certain disclosures outside treatment, payment, and operations.
Common access pitfalls
Requiring patients to pick up records in person, imposing unnecessary notarization, or delaying while awaiting provider approval can all violate the Right of Access.
Key takeaways
- Most violations stem from weak processes—fix workflows, training, and vendor oversight.
- Encryption and proper disposal sharply cut breach and penalty risk.
- Clear BAAs, fast breach response, and respectful patient access practices prevent escalation.
FAQs
What are common examples of HIPAA violations?
Typical violations include unauthorized chart access, gossip or social media disclosures, misdirected emails or faxes, unencrypted lost devices, inadequate access controls, ransomware incidents, improper disposal of PHI, and failing to provide timely patient access to records.
How are HIPAA violations penalized?
OCR applies Tiered Penalties based on culpability, from no knowledge to Willful Neglect (uncorrected), with per‑violation fines and annual caps adjusted for inflation. Remedies often include Corrective Action Plans and monitoring. Serious misconduct can trigger Criminal Penalties, including potential imprisonment.
How can individuals report a HIPAA violation?
Report internally to your organization’s privacy/compliance officer when appropriate, then file with HHS through the OCR Complaint Portal—ideally within 180 days of learning about the issue. Provide who, what, when, where, how, and any evidence that supports your concern.
What protections exist for whistleblowers reporting HIPAA violations?
HIPAA prohibits intimidation and retaliation against individuals who report in good faith. If you experience adverse action for raising a concern, document events and include that information when reporting to OCR or appropriate authorities.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.