Patient Protect

HIPAA Compliance

6 Common HIPAA Violations (Real Examples That Lead to Fines — and How to Avoid Them)

Real HIPAA violation examples that resulted in OCR enforcement, fines, and practice closures. Learn the 6 most common violations and how to prevent each one.

Angie Perrin·April 2, 2026·Updated April 11, 2026

After ten years in clinical practice and several more as a Certified HIPAA Consultant, I can tell you that most HIPAA violations are not sophisticated cyberattacks. They are operational failures — human mistakes made by well-intentioned people in under-resourced practices.

That does not make them less expensive. The Office for Civil Rights does not grade on intent. A violation is a violation, whether it was caused by a nation-state hacker or a front desk employee who sent records to the wrong fax number.

Here are the six violations I see most often in independent healthcare practices — dental offices, behavioral health clinics, chiropractic practices, PT centers, and small medical groups. Each one comes with a real enforcement example, the financial consequences, and specific steps to prevent it.

What Are the Most Common HIPAA Violations?

The violations below are drawn from OCR enforcement actions, resolution agreements, and civil monetary penalties published between 2016 and 2024. They are not theoretical. Every one of these has cost a real practice real money, and in some cases forced closure.

1. Unauthorized Access to Patient Records (Snooping)

What it looks like: A staff member accesses the medical records of a coworker, family member, celebrity, or neighbor without a treatment, payment, or operations reason. This is the most common internal violation in healthcare.

Real example: In February 2024, Montefiore Medical Center in New York settled with OCR for $4.75 million after one employee stole the records of 12,517 patients and sold them to an identity theft ring. But this is not just a hospital problem. In small practices, the scenario is more mundane — and harder to detect. A dental hygienist looks up her sister-in-law's treatment history. A front desk employee checks whether a neighbor's child was seen for behavioral health.

The cost: Under the statute, OCR penalties for unauthorized access range from $100 to $50,000 per violation, with annual caps of $1.5 million per violation category; both figures are adjusted upward for inflation each year. Beyond fines, practices face state attorney general actions, patient lawsuits, and devastating reputational damage.

How to prevent it:

  • Implement role-based access controls in your EHR — staff should only see records relevant to their job function
  • Enable and review audit logs monthly (at minimum)
  • Train every employee that accessing records without a legitimate purpose is a federal violation, not a gray area
  • Establish a clear sanctions policy and enforce it consistently
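The monthly audit-log review in the list above is only useful if someone actually reconciles each access against a legitimate reason. The script below is an added example, not code from this article or from Patient Protect, of what that reconciliation looks like in practice: it reads a constructed EHR audit export, checks each access against the role-based access rules and against the practice's encounter list, and flags three things, an employee opening a section her role should not see, an employee opening her own chart, and a clinical chart opened with no documented visit in the surrounding week. The export format, field names, roles, sample rows and the 7-day window are all assumptions; a real EHR's audit export and scheduling data would replace them.

```python
"""Monthly audit-log review for snooping (unauthorized access).

Added example; not the article's or Patient Protect's code. Export format,
field names, roles and the 7-day encounter window are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed workforce roster: user_id -> (role, that employee's own patient_id if any)
WORKFORCE = {
    "jsmith": ("hygienist", "P-0042"),
    "mlee": ("front_desk", None),
    "drpatel": ("dentist", None),
}

# Role-based access control: which record sections each role may open
ROLE_SECTIONS = {
    "front_desk": {"demographics", "schedule", "billing"},
    "hygienist": {"demographics", "schedule", "chart"},
    "dentist": {"demographics", "schedule", "chart", "billing"},
}
CLINICAL_SECTIONS = {"chart"}  # opening these requires a treatment relationship

# Constructed encounter list from the scheduler: (patient_id, visit date, care-team user_ids)
ENCOUNTERS = [
    ("P-1001", "2025-03-03", {"drpatel", "jsmith"}),
    ("P-1002", "2025-03-04", {"drpatel"}),
    ("P-0042", "2025-03-10", {"drpatel"}),  # the hygienist's own visit
]

# Constructed audit export rows: timestamp,user_id,patient_id,section
AUDIT_LOG = [
    "2025-03-03T09:05:00,jsmith,P-1001,chart",    # on the care team: fine
    "2025-03-04T10:15:00,mlee,P-1002,schedule",   # front desk scheduling: fine
    "2025-03-04T10:16:00,mlee,P-1002,chart",      # front desk opened a chart
    "2025-03-11T21:40:00,jsmith,P-0042,chart",    # employee opened her own chart
    "2025-03-12T12:00:00,jsmith,P-1002,chart",    # no encounter with this patient
]

ENCOUNTER_WINDOW = timedelta(days=7)  # assumed: access within a week of a visit is routine


def parse_audit_log(lines):
    """Parse the constructed CSV export into (timestamp, user, patient, section)."""
    rows = []
    for line in lines:
        ts, user, patient, section = line.strip().split(",")
        rows.append((datetime.fromisoformat(ts), user, patient, section))
    return rows


def build_care_index(encounters):
    """Map patient_id -> list of (visit datetime, care-team user_ids)."""
    index = defaultdict(list)
    for patient, date, team in encounters:
        index[patient].append((datetime.fromisoformat(date), set(team)))
    return index


def has_treatment_relationship(index, user, patient, when, window=ENCOUNTER_WINDOW):
    """True if the user was on the care team for a visit within the window."""
    return any(user in team and abs(when - visit) <= window
               for visit, team in index.get(patient, []))


def review_audit_log(lines, workforce, encounters, role_sections):
    """Return (user, patient, reason) findings that need follow-up under the sanctions policy.

    reason is one of 'rbac_violation', 'self_access' or 'no_encounter'.
    """
    index = build_care_index(encounters)
    findings = []
    for when, user, patient, section in parse_audit_log(lines):
        role, own_patient_id = workforce[user]
        if section not in role_sections[role]:
            findings.append((user, patient, "rbac_violation"))
            continue  # the RBAC failure is the finding; relationship is moot
        if own_patient_id == patient:
            findings.append((user, patient, "self_access"))
            continue
        if section in CLINICAL_SECTIONS and not has_treatment_relationship(
                index, user, patient, when):
            findings.append((user, patient, "no_encounter"))
    return findings


if __name__ == "__main__":
    for user, patient, reason in review_audit_log(AUDIT_LOG, WORKFORCE, ENCOUNTERS, ROLE_SECTIONS):
        print(f"{reason:15} {user:10} {patient}")
```

Run against the sample rows it reports the front desk chart access, the hygienist's self-access, and the hygienist opening a patient she has no visit with. The encounter window is the knob that controls false positives: too narrow and legitimate follow-up chart reviews get flagged, too wide and a snooper with one old visit on file slips through, so tune it to how the practice actually works and document the choice in the risk assessment.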

2. Lost or Stolen Devices Containing ePHI

What it looks like: A laptop, tablet, USB drive, or external hard drive containing unencrypted patient data is lost or stolen. This was the single largest category of reported breaches for years.

Real example: Lifespan Health System paid $1.04 million to settle a breach caused by a single stolen laptop that was not encrypted. The laptop contained data on approximately 20,000 patients. For a multi-hospital system, $1.04 million is survivable. For a four-operatory dental practice, an equivalent penalty relative to revenue would be an extinction event.

The cost: The average healthcare data breach costs $9.8 million. For independent practices, even a small device-related breach can cost $100,000 to $500,000 when you include forensic investigation, patient notification, credit monitoring, legal fees, and OCR penalties.

How to prevent it:

  • Encrypt every device that touches ePHI with full-disk encryption (BitLocker, FileVault, or the built-in equivalent on phones and tablets). Under HHS guidance, properly encrypted ePHI is not "unsecured," so a lost encrypted laptop is generally not a reportable breach; a lost unencrypted one always is
  • Maintain a current device inventory with encryption status documented, and verify that status from the device itself rather than taking it on trust
  • Enable remote wipe capability on all mobile devices
  • Use our ePHI data flow mapper to identify every device and system in your ePHI chain

3. Failure to Conduct a Risk Assessment

What it looks like: The practice has never performed a HIPAA security risk assessment, or performed one years ago and never updated it. This is the single most cited deficiency in OCR investigations.

Real example: CardioNet paid $2.5 million after OCR determined it had not conducted a comprehensive risk assessment despite handling ePHI for hundreds of thousands of patients. Numerous smaller practices have faced penalties in the $50,000 to $250,000 range for the same failure.

The cost: Having no risk assessment at all is routinely treated as willful neglect, the penalty tier that starts at $50,000 per violation. More critically, without a risk assessment you cannot demonstrate that any of your other safeguards are adequate, which compounds every other finding.

How to prevent it:

  • Conduct a comprehensive risk assessment at least annually, or whenever significant changes occur
  • Do not rely solely on the HHS SRA tool — it identifies risks but does not track remediation
  • Use a platform that generates the assessment, produces a remediation plan, and maintains evidence of progress
  • Start now with a free risk assessment to identify your current exposure

4. Texting or Communicating PHI on Personal Devices

What it looks like: A provider texts a patient's lab results from their personal iPhone. A dentist sends a photo of a radiograph to a colleague via iMessage. A therapist communicates with a patient through standard SMS. Standard SMS is not encrypted in transit at all. Consumer apps that do encrypt end-to-end, such as iMessage and WhatsApp, still fail HIPAA on other counts: the vendor will not sign a Business Associate Agreement, the practice has no audit trail or access controls over the messages, and the PHI sits on a personal device the practice cannot wipe or supervise.

Real example: While OCR has not published a standalone fine specifically for texting violations, unsecured communications are routinely cited as contributing factors in enforcement actions. HHS guidance makes clear that standard SMS and consumer messaging apps do not meet HIPAA transmission security requirements. Practices in behavioral health — where communication frequency with patients is highest — are particularly exposed.

The cost: Each text containing PHI that is sent through an unsecured channel can be counted as a separate violation. In a practice that sends 20 patient-related texts per day, you are generating 7,300 individual violations per year, each carrying potential penalties of $100 to $50,000.

How to prevent it:

  • Deploy a HIPAA-compliant messaging platform for all patient communication, one that is covered by a signed BAA and that logs who sent what to whom
  • Establish a written policy that prohibits PHI transmission from personal devices except through that platform
  • Train staff that iMessage, WhatsApp, and standard SMS are not HIPAA-compliant channels even where they are encrypted, because no BAA, audit trail, or access control stands behind them
  • Review what counts as PHI so staff understand how broad the definition is

5. Missing or Incomplete Business Associate Agreements

What it looks like: The practice shares ePHI with a vendor — IT support, cloud storage, billing service, shredding company, answering service — without a signed Business Associate Agreement in place. This is one of the most overlooked requirements.

Real example: North Memorial Health Care paid $1.55 million after OCR found they had shared ePHI with a business associate without a BAA. Raleigh Orthopaedic Clinic paid $750,000 for the same violation. These are not obscure regulatory technicalities — BAAs are fundamental to the HIPAA Privacy and Security Rules.

The cost: Fines range from $100 to $50,000 per violation. But the real cost is exposure: without a BAA, you have no legal basis for sharing ePHI and no contractual recourse if the vendor causes a breach. You absorb all the liability.

How to prevent it:

  • Inventory every vendor that creates, receives, maintains, or transmits ePHI on your behalf
  • Execute BAAs before sharing any data — not retroactively
  • Review BAAs annually to ensure they are current and reflect actual data handling practices
  • Use a platform that maintains your vendor registry and flags missing agreements automatically
  • Read our HIPAA compliance roadmap for a complete list of documentation requirements

6. Inadequate or Missing Workforce Training

What it looks like: The practice either does not train staff on HIPAA at all, trains only at hire and never again, or uses generic training that does not address practice-specific workflows.

Real example: Memorial Hermann Health System paid $2.4 million after a workforce member disclosed a patient's PHI to the media. The root cause: inadequate training on what constitutes permitted disclosure. In independent practices, the scenario is more common than you would expect — a receptionist confirms a patient's appointment to a caller who identifies themselves as a family member but is not an authorized contact.

The cost: OCR expects documented, role-specific training that is refreshed annually. If you cannot demonstrate adequate training, every subsequent violation is far more likely to be classified as willful neglect, which escalates penalties dramatically.

How to prevent it:

  • Deliver annual HIPAA training to all workforce members, including volunteers and contractors
  • Make training role-specific: clinical staff need different content than front desk, billing, and IT
  • Document everything: who was trained, when, on what topics, and assessment results
  • Cover real scenarios, not just regulatory definitions — the goal is behavioral change

Why These Violations Matter

These six violations are not edge cases. They are the core findings in the majority of OCR enforcement actions against practices with fewer than 50 employees. And they are all preventable — not with more paperwork, but with the right operational infrastructure.

Healthcare breaches cost $9.8 million on average. For independent practices, the cost relative to revenue is even more devastating — 35 to 40 percent of small practices that experience a breach close within two years. The economics of breach exposure are unforgiving.

The common thread across all six violations is the same: the practice did not have systems in place to prevent foreseeable failures. That is exactly what HIPAA compliance software is supposed to solve — and exactly where most platforms fall short by producing documentation without enforcing the underlying safeguards.

Monitor the latest enforcement actions on our breach dashboard, and check your own practice exposure with a free risk assessment.