As of August 18, 2025, approximately 400 healthcare breaches have been reported to the Office for Civil Rights year-to-date, affecting nearly 30 million individuals.
HIPAA violations don’t just lead to data breaches that damage your reputation and patient trust. They can also result in six- or seven-figure fines, corrective action plans, and even criminal penalties.
Below we’ll provide an overview of the common examples of HIPAA violations, such as:
- Discussing a patient’s condition in a public area where others can overhear
- Opening a patient’s record “out of curiosity” without a business reason
- Sending PHI to a personal Gmail account to finish work at home
- Leaving a laptop containing protected health information (PHI) unlocked on a desk while stepping away
- Posting a photo of a hospital room on social media that includes identifiable PHI
- Throwing printed patient records in the regular trash instead of shredding
We’ll also walk through recent enforcement cases and penalties that prove how important it is for organizations to achieve and maintain HIPAA compliance.
What is a HIPAA violation?
A HIPAA violation is a failure to comply with one or more of the HIPAA Rules designed to protect patient data and privacy:
- HIPAA Security Rule: Organizations must have physical, technical, and administrative measures to protect health information.
- HIPAA Privacy Rule: Organizations can’t share a patient’s personal health information without their knowledge or permission.
- HIPAA Breach Notification Rule: Organizations must notify affected individuals within 60 days of a data breach.
- HIPAA Omnibus Rule: Organizations must comply with a patient’s request to access or share their medical records.
- HIPAA Enforcement Rule: Defines how investigations into complaints and violations are made and how fines and penalties are determined when an organization fails to follow the four rules above.

Any covered entity (healthcare providers, health plans, and healthcare clearinghouses) or business associate that fails to comply with these rules can be in violation of HIPAA, regardless of intent.
In practice, a HIPAA violation can be as simple as an employee leaving a client’s medical file on their computer screen while they step away for a cup of coffee.
Examples of HIPAA violations + how to avoid
Below are 20 of the most common HIPAA violations and how to avoid them. For each violation, we included a real-world example from the resolution agreements and enforcement case examples listed on the US Department of Health and Human Services (HHS)’s website.
Here are the 20 HIPAA violation examples we’ll cover:
- Disclosing health care records without permission or authorization
- Failing to perform an accurate or thorough risk analysis
- Implementing insufficient safeguards to address security risks
- Denying patients access to their health records
- Failing to enter into a HIPAA-Compliant Business Associate Agreement
- Having insufficient PHI access control measures
- Failing to safeguard the confidentiality, integrity, and security of PHI
- Failing to comply with breach notification requirements
- Allowing unnecessary or inappropriate access to and disclosure of PHI
- Improperly disposing of PHI
- Discussing PHI in public spaces
- Downloading or accessing ePHI on unsecured and/or personal devices
- Leaving paperwork or devices unattended or visible
- Disclosing PHI using an invalid authorization form
- Sharing PHI on social media or public platforms
- Employee snooping on electronic health records
- Making impermissible disclosures of PHI to law enforcement
- Failing to provide patients with a notice of privacy practices
- Conditioning compliance with the HIPAA Privacy Rule
- Failing to meet HIPAA standards of disclosing PHI to prevent serious threat to health or safety
1. Disclosing health care records without permission or authorization
Real-world example: An outpatient surgical facility disclosed a patient’s PHI to a research entity for recruitment purposes without the patient's authorization (or an Institutional Review Board or privacy-board-approved waiver of authorization).
How to avoid: Only access or disclose patient records for treatment, payment, or healthcare operations. For any other purpose, such as sharing for research purposes, obtain written authorization using a HIPAA-compliant release form.
2. Failing to perform a risk analysis
Real-world example: Due to an unaddressed vulnerability, a large Medicaid plan disclosed PHI to computer vendors that were not business associates while processing Medicaid applications.
How to avoid: Conduct an accurate and thorough HIPAA risk assessment to find where PHI is vulnerable. This is just one administrative safeguard specified in 45 CFR § 164.308.
3. Implementing insufficient safeguards to address security risks to PHI
Real-world example: The University of Rochester Medical Center agreed to pay a $3 million settlement following its discovery that PHI had been impermissibly disclosed through the loss of an unencrypted flash drive and theft of an unencrypted laptop—years after a similar breach and identification of a lack of encryption as a high risk to electronic protected health information (ePHI).
How to avoid: Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level, such as requiring encryption for mobile devices. Note that encryption is not required under HIPAA, but an equivalent safeguard must be implemented to protect ePHI.
4. Denying patients access to their health records
Real-world example: A private practice physician denied a patient’s access to their medical records because of an outstanding balance for services the physician had provided.
How to avoid: Provide people with access to their medical records upon request and without delay. There are few circumstances in which a covered entity may deny an individual access.
5. Failing to enter into a HIPAA-Compliant Business Associate Agreement
Real-world example: A pharmacy chain and law firm had not entered into a Business Associate Agreement (BAA), which meant the pharmacy chain could not disclose PHI to the law firm.
How to avoid: Ensure any third-party vendors with access to PHI sign a BAA, as required by the Privacy Rule to ensure that PHI is appropriately safeguarded.
6. Having insufficient PHI access control measures
Real-world example: A general hospital distributed an Operating Room schedule to employees via email, disclosing a patient/employee’s upcoming surgery to their supervisor who was not part of their treatment team and did not need the information.
How to avoid: Make sure that authorized individuals are the only people who can access PHI.
7. Failing to safeguard the confidentiality, integrity, and security of PHI
Real-world example: A doctor's office mistakenly faxed medical records to the patient's place of employment instead of to the patient's new health care provider, disclosing the patient's HIV status to their employer.
How to avoid: Implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of PHI. In this case, for example, the practice was required to revise its fax cover page to make clear that the transmission is a confidential communication intended only for the named recipient.
8. Failing to comply with breach notification requirements
Real-world example: Sentara Hospitals agreed to pay $2.175 million after failing to properly notify HHS of a data breach, the largest settlement based on the reporting of a breach of unsecured PHI to date.
How to avoid: If your organization discovers a data breach, you must notify the affected individuals in writing, notify the Secretary of HHS, and, in certain circumstances, notify the media, all within 60 days.
9. Allowing unnecessary or inappropriate access to and disclosure of PHI
Real-world example: A dental practice flagged some of its medical records with a red sticker labeled AIDS on the outside cover, enabling other patients and staff without the “need to know” to read the sticker.
How to avoid: Limit the use or disclosure of PHI to the minimum necessary to accomplish the intended purpose, and continuously evaluate and enhance these safeguards as needed.
10. Improperly disposing of PHI
Real-world example: A dermatology center was throwing out empty specimen containers that were labeled with PHI in an unsecured dumpster.
How to avoid: You must securely and permanently destroy PHI when it’s no longer needed.
11. Discussing PHI in public spaces
Real-world example: A nurse and an orderly at a state hospital discussed the HIV/AIDS status of a patient and patient's spouse within earshot of other patients without making reasonable efforts to prevent the disclosure.
How to avoid: To protect the confidentiality of patient information, employees must not have conversations about patients in public areas like hallways, elevators, or cafeterias where they can be overheard.
12. Downloading or accessing ePHI on unsecured and/or personal devices
Real-world example: The city of New Haven was fined over $200,000 after a terminated employee used their login credentials to access a work computer and copy ePHI data onto a USB drive.
How to avoid: Put device and media controls in place so that employees access PHI only from authorized, secured devices connected to your network, and so that they cannot send ePHI to personal email accounts or otherwise remove ePHI from the facility.
13. Leaving paperwork or devices unattended or visible
Real-world example: In the waiting room of a private practice, computer screens displaying patient information were easily visible to patients.
How to avoid: Paperwork and electronic devices containing ePHI must be secured at all times to avoid impermissible disclosures of PHI. This may require repositioning computer monitors and/or installing computer monitor privacy screens to prevent impermissible disclosures.
14. Disclosing PHI using an invalid authorization form
Real-world example: An HMO disclosed a member’s entire medical history to a disability insurer using an authorization form that failed to meet HIPAA requirements.
How to avoid: Use a valid authorization form that meets the requirements specified in 45 CFR § 164.508 to disclose PHI for purposes other than treatment, payment, or healthcare operations.
15. Sharing PHI on social media or public platforms
Real-world example: Elite, a privately-owned dental practice, agreed to pay $10,000 after disclosing patients’ PHI in response to reviews on the social media site Yelp.
How to avoid: Develop, maintain, and revise HIPAA policies and procedures that address impermissible disclosures of PHI (including on social media or public platforms) and distribute to all employees.
16. Employee snooping on electronic health records
Real-world example: A nurse practitioner who had privileges at a multi-hospital health care system impermissibly accessed the medical records of her ex-husband.
How to avoid: In addition to having strict access controls in place, provide regular employee training on the importance of protecting patient confidentiality and only accessing PHI when necessary.
17. Making impermissible disclosures of PHI to law enforcement
Real-world example: A chain pharmacy made an impermissible disclosure of PHI to municipal law enforcement officials and had a national policy regarding law enforcement's access to PHI that did not comply with the Privacy Rule requirements.
How to avoid: Ensure your policies and procedures only permit disclosing PHI to law enforcement officials without the individual’s written authorization in the situations specified in provisions of the HIPAA Privacy Rule, like 45 CFR § 164.512.
18. Failing to provide a notice of privacy practices
Real-world example: A mental health center did not provide a notice of privacy practices to a father or his minor daughter (the patient) prior to her mental health evaluation.
How to avoid: Post a notice on your website that explains to patients how you may use and share their health information and their privacy rights and try to obtain a signed acknowledgement of receipt of the notice.
19. Conditioning compliance with the HIPAA Privacy Rule
Real-world example: A physician practice requested that patients sign an agreement that prohibited them from directly or indirectly publishing or airing commentary about the physician, his expertise, and/or treatment in exchange for the physician’s compliance with the Privacy Rule.
How to avoid: Ensure your notice of privacy practices does not condition HIPAA compliance on the patient’s silence and otherwise meets the requirements listed in 45 CFR § 164.520.
20. Failing to meet HIPAA standards of disclosing PHI to prevent serious threat to health or safety
Real-world example: After treating a patient injured in an unusual sporting accident, the hospital released copies of the patient’s skull X-ray as well as a description of the complainant’s medical condition to the local media without the patient’s authorization.
How to avoid: Ensure guidelines regarding disclosures of PHI to avert a serious threat to health or safety meet the Privacy Rule’s standard for such actions, listed in 45 CFR § 164.512(j).

Checklist to Avoid HIPAA Violations in 2025 and beyond
With penalties reaching millions of dollars, complying with the HIPAA rules isn’t optional.
Our free HIPAA Compliance Checklist will help you:
- Understand key HIPAA Privacy, Security, and Breach Notification Rule requirements
- Spot gaps and potential violations before the OCR does
- Protect your patients and your reputation

Download the HIPAA Compliance Checklist for 2025
Evaluate whether your people, policies, and procedures are compliant with HIPAA requirements.
How are HIPAA violations discovered?
HIPAA violations are often discovered through self-reporting or third-party investigations.
- Self-reporting: HIPAA-covered organizations conduct internal audits and report any violations they uncover. Employees also self-report HIPAA violations they or their coworkers commit.
- Investigations of patient complaints and breaches: The Department of Health and Human Services Office for Civil Rights (OCR) investigates HIPAA complaints. The OCR also conducts periodic audits of HIPAA-covered entities and their business associates and investigates data breaches of unsecured PHI affecting 500 or more individuals. State attorneys general may also look into complaints about potential violations.
If the OCR determines a violation occurred, it will first seek voluntary compliance, usually via a resolution agreement where the organization agrees to take corrective actions (and sometimes pay a financial settlement).
If the organization fails to resolve the matter satisfactorily, the OCR may impose civil monetary penalties.
In cases where the covered entity appears to violate the criminal provision of HIPAA (42 U.S. Code § 1320d-6), the OCR may refer the case to the Department of Justice (DOJ), which has the authority to pursue criminal penalties.
Let’s take a closer look at the different types of HIPAA violation penalties below.
What are the penalties for HIPAA violations?
There are two types of HIPAA violations, civil and criminal. The penalties can include fines, corrective action plans, or even jail time.
The OCR issues penalties for HIPAA violations. These range in severity based on the nature of the offense and the knowledge the offender had of the violation. A HIPAA violation can involve a single person’s PHI.
While less common, state attorneys general can also penalize HIPAA-covered entities.

Civil penalties
Civil penalties are usually issued in cases where the offender was unaware they were committing a HIPAA violation.
As listed in 45 CFR § 160.404, the penalties range from:
- A minimum $100 fine if an individual was unaware that they were violating HIPAA rules, and a maximum of $25,000 per year.
- A minimum $1,000 fine if an individual had reasonable cause for their actions and was not “willfully neglectful,” and a maximum of $100,000 per year.
- A minimum $10,000 fine if an individual acted with willful neglect but worked to fix the issue afterward, and a maximum of $250,000 per year.
- A minimum $50,000 fine if an individual acted with willful neglect and failed to fix the issue afterward, and a maximum of $1.5 million per year.
Criminal penalties
Criminal penalties are usually issued in cases where individuals knowingly obtain or use PHI without permission.
As listed in 42 U.S. Code § 1320d-6, criminal HIPAA violations and penalties fall under three tiers:
- Tier 1: Deliberately obtaining and disclosing PHI without authorization — up to one year in jail and a $50,000 fine
- Tier 2: Obtaining PHI under false pretenses — up to five years in jail and a $100,000 fine
- Tier 3: Obtaining PHI for commercial advantage, personal gain, or malicious harm — up to 10 years in jail and a $250,000 fine
Top 25 HIPAA Violation Fines in History
The violation penalties below include both civil monetary penalties that the OCR imposed on covered entities and resolution amounts that covered entities and the OCR agreed on to resolve investigations of potential violations.
| Year | Organization | Fine |
|---|---|---|
2018 | Anthem | $16,000,000 |
2020 | Premera Blue Cross | $6,850,000 |
2016 | Advocate Health | $5,550,000 |
2017 | Memorial Healthcare Systems | $5,500,000 |
2021 | Excellus Health Plan | $5,100,000 |
2014 | New York-Presbyterian Hospital and Columbia University Medical Center | $4,800,000 |
2024 | Montefiore Medical Center | $4,750,000 |
2018 | The University of Texas MD Anderson Cancer Center | $4,348,000 |
2011 | Cignet Health | $4,300,000 |
2016 | Feinstein Research | $3,900,000 |
2015 | Triple-S Management | $3,500,000 |
2018 | Fresenius Medical Care North America (FMCNA) | $3,500,000 |
2017 | Children’s Medical Center of Dallas | $3,200,000 |
2025 | Solara Medical Supplies | $3,000,000 |
2019 | Touchstone Medical Imaging | $3,000,000 |
2018 | Cottage Health | $3,000,000 |
2016 | University of Mississippi Medical Center | $2,750,000 |
2016 | Oregon Health & Science University | $2,700,000 |
2017 | CardioNet | $2,500,000 |
2017 | Memorial Hermann Health System | $2,400,000 |
2020 | CHSPSC LLC | $2,300,000 |
2017 | 21st Century Oncology | $2,300,000 |
2009 | CVS | $2,250,000 |
2017 | MAPFRE | $2,200,000 |
2016 | New York Presbyterian | $2,200,000 |
2019 | Sentara Hospitals | $2,175,000 |
2019 | Jackson Health System | $2,150,000 |
2016 | St. Joseph’s | $2,140,000 |
2014 | Concentra | $1,725,220 |
2013 | WellPoint | $1,700,000 |
Source: Resolution Agreements and Civil Money Penalties posted on HHS Website (as of August 18, 2025)
From this broader list, we’ve selected 10 cases that illustrate different violation types and enforcement actions. We’ll dive deeper into those below.
10 Major HIPAA violation fines + lessons learned
Since HIPAA enforcement began in 2003, the OCR has issued more than $161 million in penalties for serious HIPAA violations.
While the largest violation penalty on record is the $16 million settlement with Anthem back in 2018, recent enforcement activity shows that the OCR continues to take a firm stance against organizations that fail to protect PHI.
The cases below span the last decade and a half and represent some of the most significant penalties issued. While they aren’t the top 10 largest fines, they illustrate different types of HIPAA violations, the magnitude of their impact, and key lessons learned.
Keep reading for real-world examples that illustrate how HIPAA violations occur in practice and the costly consequences that follow.

1. Anthem pays record $16 million settlement following largest health data breach in history
All-time ranking: #1
Year fine issued: 2018
In 2015, Anthem, one of the nation’s largest health insurers in the United States, reported a cyberattack that exposed the ePHI of nearly 79 million individuals.
Attackers gained access through a spear-phishing campaign at a subsidiary and were then able to maintain that access and go undetected for months.
In its investigation of the breach, OCR found Anthem had failed to conduct an enterprise-wide risk analysis, monitor system activity, respond to suspected or known security incidents, or implement adequate minimum access controls to prevent the cyber attackers from accessing sensitive ePHI, beginning as early as February 2014.
Anthem agreed to pay $16 million, the largest HIPAA settlement to date, and also settled a $115 million class action lawsuit with affected individuals.
Lessons to learn:
- Conduct enterprise-wide risk analyses and monitor systems continuously to identify and respond to security incidents.
- Implement strict access controls to protect ePHI even if hackers gain access to your systems.
2. Another insurance company pays $6.85 million settlement for data breach affecting 10.4 million
All-time ranking: #2
Year fine issued: 2020
In 2020, the OCR investigated Premera Blue Cross, the largest health plan in the Pacific Northwest, after hackers obtained the PHI of nearly 10.5 million individuals.
The hackers gained access to the provider’s computer system with a phishing email that installed malware. The malware gave the group access to ePHI, which remained undetected for 9 months.
OCR’s investigation uncovered “systemic noncompliance” with the HIPAA Rules. According to OCR, the organization failed to:
- Conduct a comprehensive and accurate risk analysis to identify threats to the confidentiality, integrity, and availability of ePHI.
- Reduce risks and vulnerabilities to ePHI to a reasonable and appropriate level.
- Implement sufficient hardware, software, and procedures to record and analyze activity related to information systems containing ePHI.
- Prevent unauthorized access to the ePHI of over 10 million individuals.
The OCR fined the company $6.85 million for violating the HIPAA Security Rule, which is the second largest HIPAA settlement in OCR history. The company also settled a multi-state lawsuit for $10 million and a class action lawsuit for $74 million.
Lessons to learn:
- Conduct thorough risk assessments on a regular basis to ensure you identify security vulnerabilities before hackers do.
- Use encryption or similar security measures to protect private health data.
3. Advocate Health pays $5.55 million settlement after three separate breaches
All-time ranking: #3
Year fine issued: 2016
Between August and November 2013, Advocate Health, the largest fully-integrated health care system in Illinois, reported three breaches that collectively affected 4 million patients.
OCR found the organization failed to perform thorough risk analyses, reasonably safeguard ePHI on portable devices, and establish a proper business associate agreement with a vendor. One breach occurred when an unencrypted laptop was stolen from an unlocked vehicle overnight.
Advocate paid $5.55 million—the largest HIPAA settlement at the time and second largest to this day—due to the extent and duration of noncompliance and number of individuals affected in the breach.
Lessons to learn:
- Ensure risk analysis and management is comprehensive, covering all systems, vendors, and portable devices containing PHI.
- Implement critical safeguards like encryption and business associate agreements to reduce the risks to PHI.
4. Memorial Healthcare Systems pays $5.5 million settlement for access and audit control failures
All-time ranking: #4
Year fine issued: 2017
Memorial Healthcare System (MHS) discovered that login credentials from a former employee of an affiliated physician’s office were still active and used for nearly a year without detection to access 80,000 patient records.
OCR determined that MHS failed to properly review, modify, and terminate user access rights and did not regularly monitor audit logs, despite identifying this as a risk in several analyses conducted years earlier.
The settlement required MHS to pay $5.5 million and adopt a corrective action plan.
Lessons to learn:
- Implement robust access controls for employees across your health system, including affiliated physician office staff.
- Regularly review access and audit logs to detect improper activity.
5. New York-Presbyterian Hospital and Columbia University Medical Center pay $4.8 million settlement for server misconfiguration
All-time ranking: #6
Year fine issued: 2014
In 2010, a physician at Columbia University attempted to deactivate a personal server connected to a shared hospital network used by both the university and New York and Presbyterian Hospital, inadvertently exposing the ePHI of 6,800 patients online. The two entities learned of the breach after receiving a complaint from an individual who found the ePHI of their deceased partner (a former patient of NYP) on the internet.
OCR’s investigation of the breach revealed both Columbia and New York Presbyterian lacked adequate technical safeguards and failed to ensure their joint system was properly secured.
The organizations paid a combined $4.8 million settlement—the largest to date at the time—with NewYork-Presbyterian covering $3.3 million and Columbia $1.5 million.
Lessons to learn:
- Put appropriate policies and procedures for information access management in place and ensure employees comply with your own policies.
- When multiple entities share systems, they share responsibility for protecting PHI and must implement proper safeguards, policies, and access controls.
6. Cignet Health pays record $4.3 million fine for HIPAA Privacy Rule violations
All-time ranking: #9
Year fine issued: 2011
Between 2008 and 2009, Cignet Health refused to provide 41 patients with access to their medical records, as required under the HIPAA Privacy Rule. The organization also ignored OCR subpoenas during the investigation of these patient complaints and only turned over the records after a court order. At this time, Cignet Health made no efforts to resolve the complaints through informal means.
OCR determined Cignet’s actions constituted willful neglect and imposed a fine of $4.3 million, the first-ever civil monetary penalty for violations of the HIPAA Privacy Rule.
Lessons to learn:
- Patients must be given timely access to their medical records.
- Covered entities are legally obligated to cooperate with OCR investigations into patient complaints or breaches—not doing so can increase the monetary penalty.
7. Triple-S Management pays $3.5 million settlement after five breaches
All-time ranking: #11
Year fine issued: 2015
Triple-S Management and its subsidiaries experienced five breaches involving improper disclosures of PHI between 2010 and 2015. For example, in 2010, two former employees, now working at a competitor, improperly accessed restricted areas of a database managed by Triple-C, Inc because their access rights had not been terminated. In 2014, a former employee of their business associate, Triple-S Advantage Solutions, copied beneficiary ePHI onto a CD, which he took home and subsequently downloaded onto a computer at his new employer.
When investigating these and the other three reports, OCR found widespread non-compliance with both the HIPAA Security and Privacy Rules throughout the various subsidiaries of Triple-S, including:
- Failure to implement appropriate administrative, physical, and technical safeguards to protect the privacy of its beneficiaries’ PHI;
- Impermissible disclosure of its beneficiaries’ PHI to an outside vendor with which it did not have an appropriate business associate agreement;
- Failure to conduct an accurate and thorough risk analysis that incorporates all IT equipment, applications, and data systems utilizing ePHI; among others.
Triple-S agreed to pay $3.5 million and implement a corrective action plan to correct deficiencies in its HIPAA compliance program, including ongoing risk management and workforce training. This settlement signalled OCR’s commitment to strong enforcement of compliance with both the HIPAA Security and Privacy Rules.
Lessons to learn:
- Implement a process to evaluate and address any environmental or operational changes that affect the security of the ePHI you hold.
- Conduct regular employee training covering the requirements of the Privacy, Security, and Breach Notification Rules for all members of the workforce and business associates providing services on your premises.
- Cooperating with the OCR during breach or complaint investigations can lead to a lower fine.
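Cases 4 and 7 above share a root cause: accounts belonging to people who had left (a former affiliated-office employee at Memorial, former employees at Triple-S) stayed enabled and were used, and nobody was reviewing the audit logs that would have shown it. The script below is an added example, not code from the original article or from any product it mentions, of the kind of routine check a compliance or security team can run: it cross-references an HR roster against authentication logs and flags (a) successful logins after a termination date, (b) terminated users whose accounts were never disabled, and (c) enabled accounts with no recent login, which are candidates for revocation under a least-privilege review. The log format, the `ehr-auth` service name, the roster fields, and all usernames, hosts, and IP addresses are constructed for the example.

```python
"""Cross-check EHR authentication logs against an HR roster.

Assumed (constructed) inputs: a syslog-style auth log emitted by a
hypothetical 'ehr-auth' service, and an HR export listing each workforce
member's termination date and whether the directory account is still
enabled. Neither format is from the article or any real product.
"""
import re
from datetime import datetime, date, timedelta

# Constructed HR roster: termination date (None = still employed) and
# whether the account is still enabled in the identity store.
HR_ROSTER = {
    "jdoe":     {"terminated": None,              "enabled": True},
    "msmith":   {"terminated": date(2024, 3, 15), "enabled": True},   # left, never deprovisioned
    "rlee":     {"terminated": date(2024, 6, 1),  "enabled": False},  # left, correctly disabled
    "affil-01": {"terminated": None,              "enabled": True},   # affiliated office staff
}

# Constructed sample log lines in a hypothetical format.
AUTH_LOG = """\
2024-04-02T08:14:07 ehr01 ehr-auth: LOGIN_OK user=jdoe src=10.1.4.22
2024-04-02T22:41:19 ehr01 ehr-auth: LOGIN_OK user=msmith src=203.0.113.9
2024-04-03T09:02:55 ehr01 ehr-auth: LOGIN_FAIL user=rlee src=198.51.100.7
2024-06-30T23:58:01 ehr02 ehr-auth: LOGIN_OK user=msmith src=203.0.113.9
2024-07-01T07:30:12 ehr01 ehr-auth: LOGIN_OK user=jdoe src=10.1.4.22
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) ehr-auth: (?P<event>LOGIN_OK|LOGIN_FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_auth_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        records.append(rec)
    return records


def post_termination_logins(records, roster):
    """Successful logins by accounts whose HR termination date has passed.

    Users absent from the roster are flagged too: nobody in HR vouches for them.
    Returns (user, timestamp, reason) tuples in log order.
    """
    hits = []
    for rec in records:
        if rec["event"] != "LOGIN_OK":
            continue
        entry = roster.get(rec["user"])
        if entry is None:
            hits.append((rec["user"], rec["ts"].isoformat(), "not in HR roster"))
        elif entry["terminated"] and rec["ts"].date() > entry["terminated"]:
            hits.append((rec["user"], rec["ts"].isoformat(),
                         f"terminated {entry['terminated'].isoformat()}"))
    return hits


def unrevoked_accounts(roster):
    """Terminated workforce members whose accounts are still enabled."""
    return sorted(u for u, e in roster.items() if e["terminated"] and e["enabled"])


def dormant_accounts(records, roster, as_of_iso, max_idle_days=90):
    """Enabled, non-terminated accounts with no successful login in the window.

    These are not violations by themselves, but they are the accounts an
    access review should question first.
    """
    last_ok = {}
    for rec in records:
        if rec["event"] == "LOGIN_OK":
            last_ok[rec["user"]] = max(last_ok.get(rec["user"], rec["ts"]), rec["ts"])
    cutoff = datetime.fromisoformat(as_of_iso) - timedelta(days=max_idle_days)
    return sorted(
        u for u, e in roster.items()
        if e["enabled"] and not e["terminated"]
        and (u not in last_ok or last_ok[u] < cutoff)
    )


if __name__ == "__main__":
    recs = parse_auth_log(AUTH_LOG)
    print("post-termination logins:", post_termination_logins(recs, HR_ROSTER))
    print("unrevoked accounts:", unrevoked_accounts(HR_ROSTER))
    print("dormant accounts:", dormant_accounts(recs, HR_ROSTER, "2024-07-02T00:00:00"))
```

Run against the constructed data, the script reports two post-termination logins by `msmith` (both after the 2024-03-15 termination date), `msmith` as the one account that should have been disabled, and `affil-01` as an enabled account that has never logged in. In practice the roster would come from the HR system of record and the log from the EHR's audit trail; the point is that the join between the two is what catches the Memorial and Triple-S failure mode, and running it on a schedule is how "regularly review access and audit logs" becomes a control rather than a policy sentence.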
8. An imaging company pays $3 million after failing to investigate a breach and notify affected individuals in a timely manner
All-time ranking: #15
Year fine issued: 2019
In 2018, the FBI discovered that one of the servers of a Tennessee-based medical imaging services company was accessible on the internet. Anyone could access and view the PHI of over 300,000 individuals with a simple search, even after the server was taken offline.
Because Touchstone Medical Imaging did not thoroughly investigate the security incident until several months after notice of the breach from both the FBI and OCR, the imaging company did not notify the affected individuals until 147 days after the discovery.
Due to this violation of the HIPAA Breach Notification Rule as well as the Security Rule, the company was ordered to pay $3 million in penalties and adopt a corrective action plan.
Lessons to learn:
- Affected individuals must be notified within 60 days of data breach discoveries.
- Organizations are responsible for their vendors (like a third-party data center) also upholding HIPAA compliance standards and must have BAAs in place.
9. A health system pays $2.4 million settlement after disclosing PHI in a press release
All-time ranking: #20
Year fine issued: 2017
In 2015, Memorial Hermann Health System (MHHS) alerted the authorities that a patient presented an allegedly fraudulent identification card to office staff. While this was a permissible disclosure of PHI to law enforcement, the health system then issued a press release in response to the police incident and included the patient’s name in the title of the press release.
In its investigation, the OCR determined this was an intentional failure to protect the patient’s rights to privacy and that MHHS failed to document the sanctioning of its workforce members for this impermissible disclosure of PHI in a timely manner. As a result, the OCR ordered the health system to pay a $2.4 million fine.
Lessons to learn:
- PHI can only be disclosed without patient authorization in limited circumstances (i.e., alerting law enforcement of a crime).
- The penalties can be astronomical for a single non-compliance incident.
10. A health system pays $2.15 million for multiple HIPAA violations committed over several years
All-time ranking: #27
Year fine issued: 2019
In 2015, the OCR opened an investigation into the nonprofit academic health system Jackson Health System (JHS) after a reporter shared a photograph on social media that included a patient's medical information. This investigation also included two other breaches reported in 2013 and 2016.
The investigation uncovered multiple HIPAA violations over several years, including:
- After reporting that it had lost paper records of over 750 patients in 2012, the health system uncovered that an additional three boxes were lost but did not report the increased total of affected patients until 2016.
- After the reporter shared the photograph containing PHI on social media in 2015, two employees had accessed this patient's electronic medical record without a job-related purpose.
- Since 2011, an employee inappropriately accessed and sold more than 24,000 patients’ records.
The OCR fined the hospital system $2.15 million for its failure to notify the Secretary of HHS of lost patient records in a timely and accurate manner, failure to protect PHI that was leaked to the media, and failure to detect the theft and sale of patient records.
Lessons to learn:
- Restrict access to ePHI to authorized employees only and to the minimum necessary to accomplish their job duties.
- Properly secure PHI to prevent data leaks to the media.
- When data breaches occur, notify affected individuals and the OCR as soon as possible.
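The Jackson Health case above turned on two detection failures: chart access with no job-related purpose and the bulk theft of records that went unnoticed for years. As an added example (not code from the page or from Secureframe), the script below reviews a constructed EHR access audit log against a constructed "treatment relationship" list and a per-role daily volume baseline. The log format, care-team table, role permissions and thresholds are all assumptions made for the illustration; a real review would read these from the EHR's own audit trail and access-control data.

```python
"""Review an EHR access audit log for accesses without a job-related purpose.

Constructed example: log lines, care-team assignments, role permissions and
thresholds are invented for illustration and come from no real system.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    role: str
    patient: str
    action: str
    reason: str  # free-text justification, empty when none was recorded


@dataclass(frozen=True)
class Finding:
    kind: str
    user: str
    patient: str   # empty for user-level findings
    detail: str


# Assumed: patient -> users with an active treatment relationship.
CARE_TEAM = {
    "p5001": {"u100", "u210"},
    "p5002": {"u100"},
}
# Assumed minimum-necessary policy: actions a role may take on any patient for
# payment/operations purposes without a treatment relationship.
ROLE_ALLOWED_ACTIONS = {
    "billing": {"VIEW_CHART"},   # may view for claims, may not export
    "clerk": {"VIEW_CHART"},     # registration / scheduling
    "nurse": set(),
    "physician": set(),
}
# Assumed baseline: distinct patients one user may touch per day before review.
DAILY_PATIENT_THRESHOLD = {"nurse": 40, "physician": 40, "billing": 150, "clerk": 25}

# Constructed log, assumed format: ISO timestamp|user|role|patient|action|reason
LOG_LINES = [
    "2025-08-01T09:02:11|u100|nurse|p5001|VIEW_CHART|",
    "2025-08-01T09:05:40|u100|nurse|p5002|VIEW_CHART|",
    "2025-08-01T10:15:03|u210|physician|p5001|VIEW_CHART|",
    "2025-08-01T11:47:19|u333|billing|p5001|VIEW_CHART|",
    "2025-08-01T12:01:55|u333|billing|p5001|EXPORT|",           # beyond billing's allowed actions
    "2025-08-01T13:20:00|u410|nurse|p5001|VIEW_CHART|break-glass: ED triage",
    "2025-08-01T13:25:00|u777|nurse|p5001|VIEW_CHART|",         # no relationship, no reason
]
# A clerk paging through 30 unrelated charts in one afternoon (constructed).
LOG_LINES += [f"2025-08-01T14:{i:02d}:00|u555|clerk|p{6000 + i}|VIEW_CHART|" for i in range(30)]


def parse_line(line: str) -> AccessEvent:
    ts, user, role, patient, action, reason = line.split("|", 5)
    return AccessEvent(datetime.fromisoformat(ts), user, role, patient, action, reason.strip())


def has_job_related_purpose(ev: AccessEvent) -> bool:
    """True when the user treats the patient or the role permits the action for all patients."""
    if ev.user in CARE_TEAM.get(ev.patient, set()):
        return True
    return ev.action in ROLE_ALLOWED_ACTIONS.get(ev.role, set())


def review_access_log(lines) -> list:
    events = [parse_line(line) for line in lines]
    findings = []
    patients_per_user_day = defaultdict(set)

    for ev in events:
        if ev.reason.startswith("break-glass:"):
            # Emergency access is permitted but must be reviewed after the fact.
            findings.append(Finding("BREAK_GLASS_REVIEW", ev.user, ev.patient, ev.reason))
        elif not has_job_related_purpose(ev):
            findings.append(Finding("NO_JOB_RELATED_PURPOSE", ev.user, ev.patient, ev.action))
        patients_per_user_day[(ev.user, ev.role, ev.ts.date())].add(ev.patient)

    # Volume check: many distinct patients in one day is how bulk theft shows up.
    for (user, role, day), patients in patients_per_user_day.items():
        limit = DAILY_PATIENT_THRESHOLD.get(role, 25)
        if len(patients) > limit:
            findings.append(Finding("HIGH_VOLUME", user, "",
                                    f"{len(patients)} distinct patients on {day} (limit {limit})"))
    return findings


if __name__ == "__main__":
    for f in review_access_log(LOG_LINES):
        print(f"{f.kind:24} user={f.user:6} patient={f.patient or '-':6} {f.detail}")
```

Run as written, the review flags the billing export, the nurse's curiosity lookup, the break-glass access for after-the-fact review, and the clerk's 30-patient afternoon. The relationship check catches single "out of curiosity" lookups; the volume check is the one that would have surfaced a long-running theft, which is why both belong in a routine audit review.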
How to avoid HIPAA violations
HIPAA violations are often due to carelessness or ignorance of HIPAA laws. Employers can avoid a lot of potential headaches by providing adequate HIPAA training for their employees.
For any employees who handle PHI, a few other simple ways to avoid HIPAA violations include:
- Never share passwords or login credentials
- Never leave portable devices unattended
- Never send SMS text messages containing PHI
- Don’t throw out PHI in the trash
- Don’t share ePHI on social media
- Don’t access patient records without a valid purpose
- Don’t take medical records with you when changing jobs
- Report potential HIPAA infractions
For a more comprehensive checklist of what to do to avoid HIPAA violations, download our HIPAA Compliance Checklist.
How to simplify HIPAA compliance with Secureframe
HIPAA non-compliance isn’t an option for organizations that handle protected health information. Still, it’s not easy keeping up with evolving technology and regulatory changes to maintain HIPAA compliance.
Secureframe makes it quicker, easier, and cheaper to achieve HIPAA compliance by simplifying the process into a few key steps.
With one platform you can make sure you’re not subject to HIPAA violations by:
- Creating HIPAA privacy and security policies
- Training employees on HIPAA requirements and best practices
- Keeping track of vendors with access to PHI
- Ensuring your business associates protect PHI
- Elevating and monitoring your HIPAA safeguards
Secureframe will enable you to focus on growing your business. Get in touch to learn how you can automate your HIPAA compliance today.
This post was originally published in February 2023 and has been updated on August 18, 2025 for comprehensiveness.
FAQs
What qualifies as a HIPAA violation?
Failure to comply with any provisions of the HIPAA Security, Privacy, Breach Notification, Enforcement, or Omnibus Rule qualifies as a HIPAA violation.
What is a HIPAA violation example?
All of the following are examples of a HIPAA violation:
- any unauthorized access, use, or disclosure of PHI
- failure to provide patients with access to their PHI
- lacking safeguards to protect PHI
- failure to conduct regular risk assessments
- providing insufficient training to employees on HIPAA rules
It's important to understand that certain actions can qualify as HIPAA violations, even if no patient harm occurs. For example, if an employee left a client’s medical file on their computer screen while stepping away for a cup of coffee, that would qualify as a HIPAA violation.
How do HIPAA violations affect patients?
That depends on the violation. If a HIPAA violation results in the exposure of millions of PHI records, this could significantly affect patients. They may lose trust in your healthcare facility and go elsewhere, or they may experience identity theft as a result of the data exposure.
What are the types of HIPAA violation penalties?
There are two types of HIPAA violation penalties: civil and criminal. Civil penalties are usually issued in cases where the offender was unaware they were committing a HIPAA violation and can include fines and corrective action plans. Criminal penalties are usually issued in cases where individuals knowingly obtain or use PHI without permission and can include fines, corrective action plans, and jail time.
How can you tell if an organization is in violation of HIPAA?
Your compliance strategy should start with a thorough self-audit. This will help you identify any areas where your organization could be vulnerable to HIPAA non-compliance.
Failing to address any issues you discover is a HIPAA violation. Your next step should be putting together a comprehensive remediation plan. This plan should be documented and include a timeline for addressing compliance gaps.
Is encryption mandatory under HIPAA?
Encryption is not mandatory, but organizations that do not implement encryption must document the reasons why. One reason may be that they’ve implemented another security measure that’s equally as effective at protecting ePHI when being stored and transmitted.
What are the penalties for violating HIPAA?
HIPAA penalties are divided into different tiers that reflect the nature and intentionality of the violation. Each carries a maximum annual penalty of $1.5 million for identical violations.
- Tier 1 (unawareness): $100 to $50,000 per violation, with an annual maximum of $1.5 million for identical violations.
- Tier 2 (reasonable cause, not willful neglect): $1,000 to $50,000 per violation, with an annual maximum of $1.5 million for identical violations.
- Tier 3 (willful neglect, corrected within the required time period): $10,000 to $50,000 per violation, with an annual maximum of $1.5 million for identical violations.
- Tier 4 (willful neglect, not corrected): $50,000 per violation, with an annual maximum of $1.5 million for identical violations.
These are only civil monetary penalties. Criminal penalties can also be imposed for certain offenses and range up to fines of $250,000 and imprisonment for up to ten years.
Violators may also be required to implement corrective actions such as new policies, staff training, or infrastructure changes.