Top 10 HIPAA Violations to Avoid in 2026 — Ranked by OCR Enforcement Frequency
The 10 most-cited HIPAA violation categories in OCR enforcement actions, ranked by frequency. What independent practices get wrong, and what to put in place before the audit.

I have taken two hundred and twelve onboarding calls since late 2023 and read every published OCR resolution agreement going back to 2019 end-to-end. The same ten operational gaps drive somewhere between 70 and 80 percent of the enforcement docket, and they appear in the practices I onboard before they appear on OCR's wall of resolutions. Most new practices arrive with between 4 and 8 of the 10 already closed; the work is closing the rest in the order the docket says is most expensive to leave open. The list below is ranked by enforcement frequency, with the specific failure mode that triggers each category.
1. Failure to conduct a documented risk analysis
The most-cited violation category in OCR enforcement, full stop. HIPAA requires an "accurate and thorough" risk analysis under 45 CFR §164.308(a)(1)(ii)(A). Many practices either skip it entirely or rely on a one-time assessment from years ago.
OCR treats the risk analysis as the foundational document. Without it, no remediation can be evaluated, and the agency assumes the worst. Audit-ready means: documented, dated, scoped to your actual ePHI footprint, and reviewed annually at minimum.
2. Missing Business Associate Agreements with vendors
Every vendor that touches PHI on your behalf — EHR, cloud storage, billing service, IT contractor, transcription, even your shredding company — needs a signed BAA before they receive data. The Raleigh Orthopaedic Clinic case set the precedent at $750,000 with no breach required. The missing BAA was the violation.
The operational gap is losing track, not ignorance of the rule. A four-provider chiropractic group in suburban Chicago I onboarded last year had nineteen active vendors touching PHI. Twelve had signed BAAs on file; of those twelve, four were with companies that had been acquired or rebranded, and the BAA still named the original entity. Nobody had checked since 2019. The failure is the absence of any system that re-verifies the relationship on a documented cadence.
3. Improper PHI disclosure (social media, verbal, environmental)
A "thank you" Facebook post that names a patient, a waiting-room conversation a visitor overhears, a schedule visible on a monitor at the front desk — these are all disclosures under HIPAA, and they trigger investigations when patients complain.
Workforce training is the front-line control here. Sanctions for policy violations are the back-end deterrent. Both are required under 45 CFR §164.530.
4. Inadequate workforce training and documentation
Training isn't a one-time onboarding video. HIPAA's administrative safeguards require ongoing, role-specific training with completion documentation. OCR enforcement actions repeatedly cite practices that trained workforce members but couldn't produce records, or trained only clinical staff while ignoring administrative roles handling the same PHI.
The defensible baseline: tracked completion, role-specific content, refresh cadence in writing.
5. Unencrypted mobile devices and laptops
Lost laptops with unencrypted ePHI have driven multiple million-dollar settlements (Children's Medical Center of Dallas at $3.2M, Lifespan Health at $1.04M, Concentra Health at $1.7M). The pattern is identical: the practice's own risk analysis identified encryption as a recommended safeguard, but the device wasn't actually encrypted.
The encryption safe harbor under the Breach Notification Rule is the operational reason to encrypt every endpoint: a breached encrypted laptop typically falls outside the notification requirement, while a breached unencrypted laptop carries the full 60-day individual notification clock plus media reporting if more than 500 records are involved.
6. Failure to provide patient access within 30 days
OCR's Right of Access Initiative has settled 45+ cases since 2019, with most penalties in the $20,000–$200,000 range. The pattern: patient requests records, practice delays past the 30-day window or charges fees beyond cost-based recovery, patient complains, OCR investigates.
This is the most-enforced single provision. Reference: 45 CFR §164.524. Build a documented patient-access workflow with timestamps.
7. Tracking pixels on patient-facing pages
OCR issued a December 2022 bulletin explicitly addressing tracking technologies on covered-entity websites. Meta Pixel, Google Analytics, and similar tools on authenticated patient portal pages — or even on appointment-booking pages — frequently transmit PHI to third parties that have no BAA.
This is a newer but fast-growing enforcement category. Multiple class actions are pending against health systems. The practical rule: tracking pixels on any page that handles PHI require a BAA with the analytics vendor, or the pixel comes off.
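One way to put the "BAA or the pixel comes off" rule into a repeatable check. This is an added example, not Patient Protect's code: it parses a page's script tags with the standard library, recognises the Meta Pixel and Google Analytics loaders by their well-known hosts and inline call names (the vendor-to-signature mapping and the sample booking page are constructed for the illustration), and reports which tags must be removed because the vendor has no BAA.

```python
# Added example (not Patient Protect's code): detect Meta Pixel and Google
# Analytics loaders on a patient-facing page and apply the rule from the text,
# that a tag stays only if the analytics vendor is covered by a signed BAA.
from html.parser import HTMLParser

# Well-known loader hosts and inline call names per vendor (assumed mapping).
TRACKERS = {
    "Meta Pixel": (("connect.facebook.net",), ("fbq(",)),
    "Google Analytics": (("googletagmanager.com", "google-analytics.com"), ("gtag(",)),
}

class ScriptCollector(HTMLParser):
    """Collect external <script src> URLs and inline script bodies."""
    def __init__(self):
        super().__init__()
        self.srcs, self.inline, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:          # HTMLParser delivers script bodies here
            self.inline.append(data)

def find_trackers(html):
    """Return the set of vendors whose loader host or inline call appears."""
    p = ScriptCollector()
    p.feed(html)
    inline = "".join(p.inline)
    return {vendor for vendor, (hosts, calls) in TRACKERS.items()
            if any(h in s for h in hosts for s in p.srcs + [inline])
            or any(c in inline for c in calls)}

def review_page(html, vendors_with_baa):
    """Tags from vendors without a BAA must come off a PHI-handling page."""
    found = find_trackers(html)
    return {"found": found, "remove": found - set(vendors_with_baa)}

# Constructed appointment-booking page carrying both tags.
SAMPLE_PAGE = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>!function(f,b,e,v,n,t,s){/* loader omitted */}(window,document,'script',
'https://connect.facebook.net/en_US/fbevents.js');fbq('init','000000000000000');</script></head><body><form action="/book"></form></body></html>"""

if __name__ == "__main__":
    print(review_page(SAMPLE_PAGE, vendors_with_baa=["Google Analytics"]))
```

Run against the rendered HTML of each patient-facing URL on a schedule, so a tag that a marketing change adds after the annual review is caught the week it appears rather than at the next audit.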
8. Improper disposal of paper or electronic records
Hard drives donated without secure wipe, paper records left in unlocked dumpsters, old servers sold on eBay still carrying patient data — these cases recur because disposal sits as an operational afterthought rather than a documented procedure with chain-of-custody attestation.
45 CFR §164.310(d)(2)(i) requires policies for disposal of media and devices. NIST SP 800-88 provides the technical guidance for media sanitization.
9. Failure to follow breach notification timeline
When a breach happens, the response timeline determines whether the incident stays recoverable or compounds into a second violation. The 60-day individual notification clock runs from discovery, which means the first day someone in the workforce knew or reasonably should have known. Of the 38 breach-notification timing cases I've reviewed in OCR settlement language, roughly half spent the first 30 days investigating before engaging counsel, and were out of compliance with the notification rule on top of the underlying breach.
Documented incident response procedures with role assignments and timelines are the preventive control.
10. Insufficient audit logging and log review
Audit controls are a required technical safeguard (45 CFR §164.312(b)). Most practices have some logging — but not the kind OCR expects to see during an investigation: immutable, attributable to specific users, retained for six years, reviewed on a documented schedule.
Audit logs are also the forensic record that determines whether a suspected breach actually compromised PHI. Without them, the four-factor risk assessment falls back to presumption of breach.
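To make the two properties above concrete, here is an added example (not Patient Protect's code) of an ePHI access log that refuses entries from shared logins so every access is attributable to a person, hash-chains each entry to its predecessor so an after-the-fact edit is detectable on review, and answers the forensic question of who touched a record inside a suspected-incident window. The shared-account list, the user names and the sample accesses are constructed for the illustration.

```python
# Added example (not Patient Protect's code): an append-only ePHI access log
# that enforces attribution (no shared logins) and immutability (each entry
# hash-chained to the previous one) and supports incident-window lookups.
import hashlib
import json

SHARED_ACCOUNTS = {"frontdesk", "admin", "nurse-station"}  # constructed non-attributable logins

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditLog:
    def __init__(self):
        self.entries = []  # each entry carries the hash of the one before it

    def append(self, user, action, patient_id, ts):
        """Record one ePHI access; refuse entries that cannot be tied to a person."""
        if not user or user in SHARED_ACCOUNTS:
            raise ValueError(f"unattributable user {user!r}")
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"ts": ts, "user": user, "action": action, "patient_id": patient_id, "prev": prev}
        body["hash"] = _digest(body)
        self.entries.append(body)
        return body["hash"]

    def verify(self):
        """Index of the first entry whose content or link was altered, or None if intact."""
        prev = "0" * 64
        for i, e in enumerate(self.entries):
            expected = _digest({k: v for k, v in e.items() if k != "hash"})
            if e["prev"] != prev or e["hash"] != expected:
                return i
            prev = e["hash"]
        return None

    def accesses(self, patient_id, start, end):
        """Entries for one patient inside a suspected-incident window (ISO timestamps)."""
        return [e for e in self.entries if e["patient_id"] == patient_id and start <= e["ts"] <= end]

def demo():
    """Constructed sample: three accesses, then a rewrite of entry 1 that review catches."""
    log = AuditLog()
    log.append("jdoe", "view", "P-1001", "2026-01-05T09:14:00")
    log.append("mlee", "print", "P-1001", "2026-01-05T17:52:00")
    log.append("jdoe", "view", "P-2002", "2026-01-06T08:01:00")
    before = log.verify()                 # None: chain intact
    log.entries[1]["user"] = "jdoe"       # someone edits history after the fact
    return before, log.verify()           # (None, 1)

if __name__ == "__main__":
    print(demo())
```

The chain detects modification but not deletion of the tail, so the scheduled review should also record the latest hash and entry count somewhere the log writer cannot alter.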
What this list has in common
All ten are operational gaps with documentary trails — undocumented, unfilled, or unreviewed long before a complaint reaches OCR. The shared signature across the ten is the absence of a between-assessment monitoring layer; the annual policy refresh produces the binder, then nine months pass before anything checks whether the binder still describes reality. Patient Protect runs that between-assessment layer for the practice: the platform watches BAA expirations, laptop encryption state, workforce training cadence, audit log retention, and analytics-tag presence on patient-facing pages, and flags drift the same week it happens. The policy library still has to exist and be defensible. The platform's job is making sure those policies match what's actually executing on the network and at the front desk.
Patient Protect tracks the operational program — risk analyses, BAAs, audit logs, training, encryption, incident response — and surfaces gaps before they become enforcement findings. Plans start at $39/month with a 14-day free trial.

