HIPAA Compliance
Common HIPAA Violations in 2026: What OCR Enforcement Data Actually Shows
The most common HIPAA violations aren't reckless mistakes — they're predictable gaps. OCR enforcement data shows exactly which ones cost practices the most. Here's what the record reveals.

Most HIPAA violations that result in penalties are not dramatic. They are not the result of malicious insiders or sophisticated cyberattacks. They are the result of predictable, preventable gaps — things that should have been in place and were not.
The Office for Civil Rights (OCR) publishes enforcement data that makes this clear. When you look at the violations that actually result in fines, corrective action plans, and settlements, the same categories appear repeatedly. The pattern is consistent enough to be useful: if you know what OCR cites most often, you know exactly where to focus your compliance effort.
This is what the enforcement record actually shows.
The Most Commonly Cited HIPAA Violations
1. Failure to Conduct a Risk Analysis
The most frequently cited violation in OCR enforcement actions is the failure to conduct an adequate, organization-wide risk analysis. This is not a technicality — it is the foundation of the entire Security Rule.
45 CFR § 164.308(a)(1)(ii)(A) requires covered entities to "conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information."
What OCR finds, repeatedly, is one of three things:
- No risk analysis was ever conducted. The practice simply never did one.
- The risk analysis was incomplete. It covered some systems but not all systems containing ePHI, or it addressed some threats but not all reasonably anticipated threats.
- The risk analysis was conducted once and never updated. HIPAA requires ongoing evaluation. A risk analysis from 2019 does not satisfy the requirement in 2026.
This violation appears in nearly every major enforcement action. It is cited in Resolution Agreements, Civil Money Penalties, and corrective action plans with striking consistency.
Why it matters for independent practices: Many small practices believe that their size exempts them from a formal risk analysis, or that a brief questionnaire satisfies the requirement. OCR has made clear — through enforcement against practices of all sizes — that neither assumption is correct.
2. Failure to Implement Access Controls
The second most common enforcement finding involves inadequate access controls — specifically, failures under 45 CFR § 164.312(a)(1), which requires covered entities to "implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights."
In practical terms, OCR cites practices for:
- Shared login credentials. Multiple staff members using the same username and password to access systems containing ePHI.
- No role-based access. Every user having access to all patient records, regardless of their role or need.
- No unique user identification. The inability to determine which specific individual accessed, modified, or transmitted ePHI. Unique user identification is a required implementation specification (45 CFR § 164.312(a)(2)(i)), not an addressable one.
- No automatic logoff. Workstations remaining logged into ePHI systems when unattended (45 CFR § 164.312(a)(2)(iii), addressable, but routinely cited when absent).
Access control violations are particularly significant because they undermine audit capability. If you cannot identify who accessed a record, you cannot investigate a potential breach, demonstrate minimum necessary compliance, or enforce workforce sanctions.
3. Failure to Encrypt ePHI
Encryption is an addressable implementation specification under the Security Rule (45 CFR § 164.312(a)(2)(iv) for ePHI at rest and § 164.312(e)(2)(ii) for ePHI in transit). Addressable does not mean optional: the entity must assess whether the specification is reasonable and appropriate, implement it if so, and otherwise document why it is not and put an equivalent alternative measure in place where one is reasonable. In practice, OCR treats the absence of encryption on devices that store or transmit ePHI as a serious finding, particularly when a breach has occurred.
The pattern in enforcement actions is clear:
- Unencrypted laptops stolen or lost — accounting for a significant percentage of reported breaches
- Unencrypted email containing ePHI — sent to patients, vendors, or other providers without TLS or equivalent protection
- Unencrypted portable devices — USB drives, external hard drives, and mobile devices containing ePHI without full-disk encryption
The enforcement significance of encryption is amplified by the Breach Notification Rule. If ePHI is encrypted consistent with HHS guidance (which points to NIST standards) and the decryption key was not also compromised, the data is "secured" and a lost or stolen device is not a reportable breach. If it is not encrypted, the loss is presumed to be a breach unless a documented risk assessment of the four factors in 45 CFR § 164.402 shows a low probability that the PHI was compromised. This single technical control usually determines whether a lost laptop is an IT inconvenience or a federal reporting obligation.
4. Insufficient Audit Controls
45 CFR § 164.312(b) requires the implementation of "hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information."
OCR cites organizations for:
- No audit logging enabled. Systems that contain ePHI but do not record who accessed what and when.
- Logs that exist but are never reviewed. The requirement is not just to record activity but to examine it.
- Incomplete logging. Systems that log some actions but not others — for example, logging login attempts but not record access.
Audit controls serve a dual purpose: they deter unauthorized access (because users know their actions are recorded) and they enable investigation when incidents occur. Without them, a practice cannot demonstrate what happened — or did not happen — during any period under review.
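The "record and examine" requirement above is only half met by turning logging on; the other half is actually looking at the log for the access-control failures described earlier (shared logins, access outside a role). The following is an added example, not code from the page, that runs two such checks over a constructed ePHI access log. The log format, the role table, the ten-minute window, and the account names are all assumptions made for the example; a real review would read the EHR's own audit export.

```python
"""Minimal ePHI audit-log review: flags shared-credential use and out-of-role actions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample audit log (not real data). One event per line:
# <ISO timestamp> <account> <workstation> <action> <patient_id>
SAMPLE_LOG = """\
2026-03-02T09:01:10 jdoe ws-04 view P1001
2026-03-02T09:02:35 jdoe ws-11 view P1002
2026-03-02T09:15:00 rnurse ws-07 update P1003
2026-03-02T09:16:20 billing1 ws-02 view P1001
2026-03-02T09:20:00 billing1 ws-02 export P1004
2026-03-02T10:05:00 temp ws-09 view P1006
2026-03-02T11:45:00 jdoe ws-04 view P1005
"""

# Hypothetical role assignments and the actions each role may perform.
ROLES = {"jdoe": "clinician", "rnurse": "clinician", "billing1": "billing"}
ALLOWED_ACTIONS = {"clinician": {"view", "update"}, "billing": {"view"}}


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    host: str
    action: str
    patient: str


def parse_log(text):
    """Parse the whitespace-separated format above into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, action, patient = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, host, action, patient))
    return events


def shared_credential_indicators(events, window=timedelta(minutes=10)):
    """Same account active on two different workstations within `window`.
    That pattern is a strong hint that one login is shared, which defeats
    unique user identification."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)
    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        for prev, cur in zip(evs, evs[1:]):
            if cur.host != prev.host and cur.ts - prev.ts <= window:
                findings.append((user, prev.host, cur.host, cur.ts))
    return findings


def out_of_role_actions(events, roles=ROLES, allowed=ALLOWED_ACTIONS):
    """Actions an account's role does not permit, plus accounts with no role at all."""
    findings = []
    for e in events:
        role = roles.get(e.user)
        if role is None:
            findings.append((e.user, e.action, e.patient, "no role assigned"))
        elif e.action not in allowed[role]:
            findings.append((e.user, e.action, e.patient, f"not permitted for {role}"))
    return findings


def review(text, reviewer):
    """Run both checks and return a record showing the log was examined, by whom,
    and over what period: the documentation OCR asks for, not just the log itself."""
    events = parse_log(text)
    period = (min(e.ts for e in events), max(e.ts for e in events)) if events else None
    return {
        "reviewer": reviewer,
        "events_reviewed": len(events),
        "period": period,
        "shared_credential": shared_credential_indicators(events),
        "out_of_role": out_of_role_actions(events),
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_LOG, "security-officer").items():
        print(key, value)
```

On the sample, the review flags `jdoe` appearing on two workstations 85 seconds apart, `billing1` exporting a record its role cannot export, and `temp` acting with no role assigned at all. The returned record (reviewer, count, period) is the artifact to keep; a log that was never examined is exactly the finding the section describes.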
5. BAA Failures
Business Associate Agreement violations take two forms, both commonly cited:
- No BAA in place with a business associate. The practice uses a vendor that handles ePHI — a billing service, cloud storage provider, IT company, answering service — without a signed BAA.
- BAA exists but is inadequate. The agreement does not contain all required provisions, does not specify permitted uses and disclosures, or does not require the business associate to report breaches.
BAA compliance is not a one-time task. It requires identifying all business associates, executing agreements with each, and monitoring those relationships over time. When vendors change, when new services are added, when existing vendors are acquired by other companies — the BAA landscape shifts.
OCR has pursued enforcement actions based solely on BAA failures, even in the absence of a breach. The obligation is structural, not incident-dependent.
6. Failure to Provide Timely Breach Notification
The Breach Notification Rule (45 CFR §§ 164.400–414) requires covered entities to notify affected individuals without unreasonable delay, and in no case later than 60 calendar days after discovery of a breach of unsecured PHI. Breaches affecting 500 or more individuals must also be reported to HHS within that same window, and where more than 500 residents of a single state or jurisdiction are affected, notice to prominent media outlets serving that area is required as well. Smaller breaches are logged and reported to HHS within 60 days after the end of the calendar year in which they were discovered.
OCR cites organizations for:
- Late notification. Discovering a breach and failing to notify within the 60-day window.
- Failure to notify at all. Discovering a breach and not reporting it — sometimes for months or years.
- Incomplete notification. Providing notice that does not contain all required elements (description of the breach, types of information involved, steps individuals should take, what the organization is doing in response).
The 60-day clock starts at discovery, not at the conclusion of an investigation, and discovery is defined broadly: a breach is treated as discovered on the first day it is known, or by exercising reasonable diligence would have been known, to any workforce member or agent of the covered entity other than the person who committed it. Sixty days is an outer limit, not a target; organizations that hold notification while conducting extended internal reviews risk a separate violation for the delay itself.
7. Inadequate Workforce Training
45 CFR § 164.308(a)(5)(i) requires covered entities to "implement a security awareness and training program for all members of its workforce."
The training requirement is broader than many practices realize:
- All workforce members — not just clinical staff. This includes administrative staff, contractors, volunteers, and anyone with access to ePHI.
- Ongoing training — not a one-time onboarding event. Security awareness must be maintained through periodic updates.
- Documented training — the training must be recorded, with evidence of who completed what and when.
OCR cites practices for having no training program, for training that does not cover all required topics, and for the absence of documentation proving training occurred.
The Penalty Structure
HIPAA penalties operate on a tiered structure based on the level of culpability:
| Tier | Culpability | Minimum per Violation | Annual Cap (identical provision, per calendar year) |
|---|---|---|---|
| 1 | Did not know (and could not reasonably have known) | $141 | $36,379 |
| 2 | Reasonable cause (not willful neglect) | $1,424 | $72,758 |
| 3 | Willful neglect, corrected within 30 days | $14,232 | $363,790 |
| 4 | Willful neglect, not corrected | $71,162 | $2,181,706 |
These amounts are adjusted annually for inflation. The critical detail is that each violation can be assessed per occurrence — and a single compliance gap can constitute multiple violations. A missing risk analysis, for example, is a new violation for each day it remains unconducted. Inadequate access controls across multiple systems can be cited as separate violations for each system.
The result is that seemingly modest per-violation penalties can compound into significant liability. Several enforcement actions against small practices have resulted in settlements exceeding $100,000 for violations that could have been prevented with basic controls.
The Pattern Behind the Violations
When you examine OCR enforcement data as a whole, a clear pattern emerges. The most common violations share three characteristics:
They are systemic, not episodic. These are not one-time mistakes. They are conditions that persisted over months or years — a risk analysis that was never conducted, access controls that were never implemented, training that was never provided.
They are preventable with technology. Every violation on this list can be addressed — partially or fully — with appropriate software and infrastructure. Encryption can be enforced. Access controls can be automated. Audit logging can run continuously. Risk assessments can be scheduled and tracked.
They reflect a documentation-first mindset. The practices cited by OCR typically treated compliance as a paperwork exercise. They had policies but not enforcement. They had checklists but not controls. The gap between documented intent and operational reality is where violations live.
This is why the distinction between compliance platforms matters. A platform that helps you produce documentation addresses part of the problem. A platform that enforces controls addresses the part that OCR actually penalizes.
What This Means for Independent Practices
Independent healthcare providers face a specific version of this challenge. The regulatory requirements are identical to those imposed on large health systems, but the resources available to meet them are not.
The research is clear on the disproportionate impact. As documented in The Economics of ePHI Exposure, independent practices bear a higher per-record cost of breach than larger organizations, with fewer resources for prevention and recovery.
The practical response is to focus on the violations that appear most frequently in enforcement data — because those are the gaps most likely to be cited if OCR investigates:
- Conduct and maintain a current risk analysis. Not once. Continuously.
- Implement and enforce access controls. Unique logins, role-based access, automatic logoff.
- Encrypt ePHI at rest and in transit. On every device, in every system.
- Enable and review audit logs. Know who accessed what, and when.
- Execute and maintain BAAs with every business associate. Track them. Update them.
- Train all workforce members. Document it. Repeat it.
- Have a breach notification process ready. Before you need it.
If your practice has not assessed where it stands on these seven areas, take the free risk assessment — it takes five minutes and requires no login.
For ongoing BAA management and automated compliance monitoring, platforms built specifically for independent providers can address the most common violation categories without requiring enterprise resources or enterprise budgets.
To see the current state of healthcare data breaches across the industry, explore the breach intelligence dashboard — updated continuously from OCR data.
This analysis is based on publicly available OCR enforcement data as of April 2026. It is provided for informational purposes and does not constitute legal advice.
