Compliance Operations

Top 10 HIPAA Violations to Avoid in 2026 — Ranked by OCR Enforcement Frequency

The 10 most-cited HIPAA violation categories in OCR enforcement actions, ranked by frequency. What independent practices get wrong, and what to put in place before the audit.

Alexander Perrin·April 22, 2026·5 min read

The HHS Office for Civil Rights publishes every resolution agreement on its website. Read enough of them and a pattern emerges: the same handful of operational gaps drives most enforcement. Below are the ten categories cited most often, ranked by frequency, with the specific failure mode that triggers each.

This isn't theoretical risk. It's a list of audit findings drawn from real cases.

1. Failure to conduct a documented risk analysis

The most-cited violation category in OCR enforcement, full stop. HIPAA requires an "accurate and thorough" risk analysis under 45 CFR §164.308(a)(1)(ii)(A). Many practices either skip it entirely or rely on a one-time assessment from years ago.

OCR treats the risk analysis as the foundational document. Without it, no remediation can be evaluated, and the agency assumes the worst. Audit-ready means: documented, dated, scoped to your actual ePHI footprint, and reviewed annually at minimum.

2. Missing Business Associate Agreements with vendors

Every vendor that touches PHI on your behalf — EHR, cloud storage, billing service, IT contractor, transcription, even your shredding company — needs a signed BAA before they receive data. The Raleigh Orthopaedic Clinic case set the precedent at $750,000 with no breach required. The missing BAA was the violation.

The operational gap: practices know the rule but lose track. A 2017 vendor onboarding gets renewed three times without anyone re-verifying the BAA is current.

3. Improper PHI disclosure (social media, verbal, environmental)

A "thank you" Facebook post that mentions a patient. A waiting-room conversation a visitor overhears. A schedule visible on a monitor at the front desk. These are disclosures under HIPAA, and they trigger investigations when patients complain.

Workforce training is the front-line control here. Sanctions for policy violations are the back-end deterrent. Both are required under 45 CFR §164.530.

4. Inadequate workforce training and documentation

Training isn't a one-time onboarding video. HIPAA's administrative safeguards require ongoing, role-specific training with completion documentation. OCR enforcement actions repeatedly cite practices that trained workforce members but couldn't produce records, or trained only clinical staff while ignoring administrative roles handling the same PHI.

The defensible baseline: tracked completion, role-specific content, refresh cadence in writing.

5. Unencrypted mobile devices and laptops

Lost laptops with unencrypted ePHI have driven multiple million-dollar settlements (Children's Medical Center of Dallas at $3.2M, Lifespan Health at $1.04M, Concentra Health at $1.7M). The pattern is identical: the practice's own risk analysis identified encryption as a recommended safeguard, but the device wasn't actually encrypted.

The encryption safe harbor under the Breach Notification Rule is the strongest reason to encrypt every endpoint. A breached encrypted laptop typically doesn't require notification. A breached unencrypted laptop almost always does.

6. Failure to provide patient access within 30 days

OCR's Right of Access Initiative has settled 45+ cases since 2019, with most penalties in the $20,000–$200,000 range. The pattern: patient requests records, practice delays past the 30-day window or charges fees beyond cost-based recovery, patient complains, OCR investigates.

This is the most-enforced single provision. Reference: 45 CFR §164.524. Build a documented patient-access workflow with timestamps.

7. Tracking pixels on patient-facing pages

OCR issued a December 2022 bulletin explicitly addressing tracking technologies on covered-entity websites. Meta Pixel, Google Analytics, and similar tools on authenticated patient portal pages — or even on appointment-booking pages — frequently transmit PHI to third parties that have no BAA.

This is a newer-but-fast-growing enforcement category. Multiple class actions are pending against health systems. The practical rule: tracking pixels on any page that handles PHI requires a BAA with the analytics vendor, or the pixel comes off.
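An added check illustrating the rule above (example code, not part of the original post or the Patient Protect product): it scans page HTML for the public script URLs and call signatures of Meta Pixel, Google Analytics and Google Tag Manager, and reports any tracker on a PHI-handling path whose vendor has no BAA on file. The path prefixes and sample pages are constructed assumptions; substitute the real site map.

```python
import re

# Public script hosts / JS call signatures of common tracking tools.
TRACKER_SIGNATURES = {
    "Meta Pixel": [r"connect\.facebook\.net/\S*fbevents\.js", r"\bfbq\s*\("],
    "Google Analytics / gtag": [r"googletagmanager\.com/gtag/js",
                                r"google-analytics\.com/analytics\.js",
                                r"\bgtag\s*\("],
    "Google Tag Manager": [r"googletagmanager\.com/gtm\.js"],
}

# Assumed path prefixes for pages that handle PHI (portal, booking); adjust per site.
PHI_PATH_PREFIXES = ("/portal", "/appointments", "/book")


def find_trackers(html):
    """Names of tracking tools whose signatures appear in the HTML."""
    return [name for name, patterns in TRACKER_SIGNATURES.items()
            if any(re.search(p, html, re.IGNORECASE) for p in patterns)]


def handles_phi(path):
    return path.startswith(PHI_PATH_PREFIXES)


def audit_pages(pages, vendors_with_baa=frozenset()):
    """pages: {path: html}. Returns (path, tracker) for every tracker found on a
    PHI-handling page whose vendor is not covered by a BAA."""
    findings = []
    for path, html in pages.items():
        if not handles_phi(path):
            continue
        for tracker in find_trackers(html):
            if tracker not in vendors_with_baa:
                findings.append((path, tracker))
    return findings


# Constructed sample pages (not real site content).
SAMPLE_PAGES = {
    "/": '<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXX">'
         '</script><script>gtag("js", new Date());</script>',
    "/appointments/new": '<script>!function(f,b,e,v,n,t,s){/*...*/}(window,document,'
                         '"script","https://connect.facebook.net/en_US/fbevents.js");'
                         'fbq("init","000");</script>',
    "/portal/messages": '<script src="/static/app.js"></script>',
}

if __name__ == "__main__":
    for path, tracker in audit_pages(SAMPLE_PAGES):
        print(f"{path}: {tracker} present without a BAA")
```

Analytics on the public home page is not flagged; the same pixel on the booking page is.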

8. Improper disposal of paper or electronic records

Hard drives donated without secure wipe. Paper records left in unlocked dumpsters. Old servers sold on eBay still containing patient data. These cases recur because disposal is treated as an operational afterthought rather than a documented procedure.

45 CFR §164.310(d)(2)(i) requires policies for disposal of media and devices. NIST SP 800-88 provides the technical guidance for media sanitization.

9. Failure to follow breach notification timeline

Breaches happen. What separates a recoverable incident from a compounded violation is the response timeline. The 60-day individual notification clock starts at discovery, not at confirmation. Many practices waste the first 30 days investigating before notifying counsel, and end up out of compliance with the notification rule itself.

Documented incident response procedures with role assignments and timelines are the prevention.

10. Insufficient audit logging and log review

Audit controls are a required technical safeguard (45 CFR §164.312(b)). Most practices have some logging — but not the kind OCR expects to see during an investigation: immutable, attributable to specific users, retained for six years, reviewed on a documented schedule.

Audit logs are also the forensic record that determines whether a suspected breach actually compromised PHI. Without them, the four-factor risk assessment falls back to presumption of breach.
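An added illustration of the two properties named above, immutability and attribution (example code, not Patient Protect's implementation): each entry commits to the previous entry's SHA-256 hash, so an edited or deleted record breaks the chain on verification, and every entry names the user and the patient record touched, which is the question a breach risk assessment has to answer. Users, record IDs and timestamps are constructed sample data.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # value the first entry chains to


def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditLog:
    """Append-only, hash-chained audit trail (in memory here; ship to write-once storage in practice)."""

    def __init__(self):
        self.entries = []

    def record(self, user, action, record_id, when):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"ts": when.isoformat(), "user": user, "action": action,
                "record_id": record_id, "prev": prev}
        body["hash"] = _digest(body)  # hash covers everything but itself
        self.entries.append(body)
        return body["hash"]

    def verify(self):
        """Index of the first entry whose hash or chain link is wrong, or -1 if intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev or _digest(body) != e["hash"]:
                return i
            prev = e["hash"]
        return -1

    def accesses_to(self, record_id):
        """Who did what to a given patient record, in order."""
        return [(e["ts"], e["user"], e["action"])
                for e in self.entries if e["record_id"] == record_id]


def build_sample_log():
    # Constructed sample activity; not real users or records.
    log = AuditLog()
    t0 = datetime(2026, 3, 2, 9, 0, tzinfo=timezone.utc)
    log.record("dr.lee", "view", "MRN-0001", t0)
    log.record("frontdesk.kim", "print", "MRN-0002", t0.replace(minute=5))
    log.record("dr.lee", "update", "MRN-0001", t0.replace(hour=10))
    return log
```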

What this list has in common

All ten are operational gaps, not exotic threats. They surface in audits because they're already present in the practice — undocumented, unfilled, unreviewed. The audit doesn't create the violation. It finds it.

Patient Protect is built around closing these gaps continuously rather than annually. Where documentation-first compliance platforms produce the records OCR asks for, Patient Protect adds the active layer — real-time audit logging, vendor BAA tracking, workforce training completion enforcement, encryption monitoring, and incident-response orchestration — that prevents gaps from accumulating between assessments. Both layers matter. Most independent practices need both.


Patient Protect tracks the operational program — risk analyses, BAAs, audit logs, training, encryption, incident response — and surfaces gaps before they become enforcement findings. Plans start at $39/month with a 14-day free trial.
