What Counts as a HIPAA Violation? Requirements, Examples, and Penalties Explained


Kevin Henry

HIPAA

March 27, 2024

6 minute read

Understanding what counts as a HIPAA violation helps you protect patients, manage risk, and avoid costly penalties. This guide clarifies the requirements that apply to covered entities and business associates, shows common missteps, and explains civil and criminal consequences.

You will also learn how the Department of Health and Human Services enforces the rules, which Penalty Mitigation Factors matter most, and which Compliance Safeguards reduce your exposure to Unauthorized Disclosure of Protected Health Information.

HIPAA Violation Definition

Who must comply

HIPAA applies to covered entities—health plans, health care providers that conduct standard transactions, and health care clearinghouses—and to their business associates that create, receive, maintain, or transmit Protected Health Information (PHI) on their behalf.

What is PHI

PHI is individually identifiable health information in any form (oral, paper, or electronic) that relates to a person’s health status, provision of care, or payment. Identifiers like names, addresses, phone numbers, medical record numbers, and full-face photos bring data into PHI scope.

What counts as a violation

A HIPAA violation occurs when an entity fails to meet the Privacy, Security, or Breach Notification Rule requirements. That includes Unauthorized Disclosure or use of PHI, insufficient safeguards to ensure the confidentiality, integrity, and availability of ePHI, failure to provide patient rights (such as access), or failure to provide timely breach notifications.

Common Examples of HIPAA Violations

  • Accessing patient records without a job-related need (“snooping”).
  • Discussing PHI in public areas or on speakerphone where others can overhear.
  • Sending PHI to the wrong recipient via email, fax, or mail.
  • Storing unencrypted PHI on lost or stolen laptops, smartphones, or USB drives.
  • Sharing PHI on social media or using case anecdotes that can identify a patient.
  • Using personal email, messaging apps, or cloud storage to share PHI without safeguards.
  • Failure to execute or manage Business Associate Agreements before sharing PHI.
  • Insufficient access controls, weak passwords, or lack of multi-factor authentication.
  • Improper disposal of paper records or devices containing PHI.
  • Skipping risk analysis, risk management, security updates, or audit logging.
  • Not training the workforce on HIPAA policies and phishing awareness.
  • Delaying breach notification or failing to notify affected individuals and authorities.
  • Wrongfully denying or unreasonably delaying a patient’s right of access to their records.

Civil Penalties for HIPAA Violations

How Civil Monetary Penalties work

The HHS Office for Civil Rights (OCR) enforces HIPAA’s civil provisions using Civil Monetary Penalties (CMPs). Penalties are assessed per violation, and violations of an identical provision are subject to an annual cap per calendar year; the penalty amounts and caps are periodically adjusted for inflation.

Four-tier culpability structure

  • Unknowing: You did not know and, with reasonable diligence, could not have known of the violation.
  • Reasonable Cause: A failure due to reasonable cause, not willful neglect.
  • Willful Neglect—Corrected: Willful neglect that you correct within the required timeframe.
  • Willful Neglect—Not Corrected: Willful neglect with no timely correction; this carries the highest CMPs.

Settlements and corrective action

Many cases resolve through settlements and corrective action plans rather than formal CMPs. OCR typically requires remediation steps such as policy updates, training, risk analysis, enhanced monitoring, and regular reporting to verify sustained compliance.

Criminal Penalties for HIPAA Violations

When criminal liability applies

The Department of Justice may pursue Criminal Sanctions when someone knowingly obtains or discloses PHI without authorization, or does so under false pretenses, or with intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm.

Possible sanctions

  • Knowing violations: fines and up to 1 year imprisonment.
  • False pretenses: fines and up to 5 years imprisonment.
  • Intent to sell/transfer/use for gain or harm: fines and up to 10 years imprisonment.

Individuals—including workforce members and contractors—can be charged. Criminal cases may arise independently or be referred following an OCR investigation.


Factors Influencing Penalty Amounts

OCR considers Penalty Mitigation Factors to determine outcomes and penalty amounts. Key factors include the violation’s nature, extent, and duration; the number of individuals affected; the sensitivity of the PHI; and the entity’s level of culpability (from unknowing to willful neglect). OCR also weighs the following:

  • Timely detection, breach containment, and corrective action taken.
  • History of compliance, prior violations, and cooperation with investigators.
  • Risk analysis quality, documented policies, and workforce training effectiveness.
  • Technical safeguards in place (e.g., encryption, access controls, audit logs).
  • Financial condition and ability to pay, balanced against deterrence needs.

HIPAA Enforcement and Compliance

How enforcement occurs

OCR within the Department of Health and Human Services investigates complaints, conducts compliance reviews, and evaluates breach reports. Investigations may involve document requests, interviews, and technical assessments of your security controls and privacy practices.

Potential outcomes

Outcomes range from technical assistance and voluntary corrective action to resolution agreements with monitoring or CMPs. Serious or intentional misconduct can lead to referral for criminal investigation.

Building a resilient compliance program

Effective compliance hinges on leadership support, clear policies, ongoing risk analysis, role-based training, vendor oversight, and continuous monitoring. Treat HIPAA as an operational discipline, not a one-time project.

Safeguards to Prevent HIPAA Violations

Administrative safeguards

  • Conduct an enterprise-wide risk analysis and implement a documented risk management plan.
  • Adopt and enforce policies for minimum necessary use, incident response, sanctions, and patient access.
  • Provide role-based training, phishing simulations, and regular refresher sessions.
  • Manage vendor risk with Business Associate Agreements and periodic due diligence.

Technical safeguards

  • Use unique user IDs, least-privilege access, and multi-factor authentication.
  • Encrypt ePHI in transit and at rest; secure email and messaging for PHI.
  • Enable audit logging, alerting, and regular access reviews.
  • Harden endpoints and servers, patch promptly, and segment networks.

Physical and operational safeguards

  • Control facility access and secure workstations and portable media.
  • Use clean-desk practices and locked bins for media and paper disposal.
  • Maintain a tested incident response and breach notification plan.
  • Run periodic tabletop exercises to validate readiness.

Key takeaways

  • Prevent Unauthorized Disclosure with layered Compliance Safeguards across people, process, and technology.
  • Document decisions, training, and remediation—good records are crucial evidence during enforcement.
  • Proactive risk management often reduces Civil Monetary Penalties and avoids the need for corrective action plans.

FAQs

What actions constitute a HIPAA violation?

Any failure to meet the Privacy, Security, or Breach Notification Rules can qualify, including Unauthorized Disclosure or use of PHI, inadequate safeguards for ePHI, denying timely patient access, not having required Business Associate Agreements, or delaying required breach notifications.

What are the potential penalties for HIPAA violations?

Civil Monetary Penalties are tiered based on culpability and can accrue per violation with annual caps, which are adjusted for inflation. Remedies often include corrective action plans and monitoring. Criminal Sanctions—fines and imprisonment—may apply to knowing, deceptive, or profit-motivated misuse of PHI.

How does enforcement of HIPAA occur?

OCR at the Department of Health and Human Services investigates complaints, breach reports, and targeted reviews. Cases may close with technical assistance, settlements, or CMPs. Serious conduct can be referred for criminal investigation by the Department of Justice.

Can HIPAA penalties be reduced or waived?

Yes. Demonstrating robust safeguards, prompt breach containment, thorough remediation, cooperation, and inability to pay can reduce penalties. These Penalty Mitigation Factors influence whether OCR opts for technical assistance, a settlement with a corrective action plan, or formal CMPs.
