Key Takeaways
- OCR has received over 374,000 HIPAA complaints since 2003, and 21 enforcement actions with financial penalties were closed in 2024 alone
- Inadequate risk analysis appeared in 13 of OCR’s 20 enforcement matters in 2024, making it the single most cited violation
- 53% of healthcare data breaches trace back to employee negligence, not external hackers
- Penalties range from $145 per violation for unknowing breaches up to $2.19 million per violation for willful neglect that goes uncorrected
- 24% of healthcare employees still had not received security awareness training as of 2021, and the problem has not fully gone away
Introduction
A psychiatric practice in New Jersey responded to a negative online review by posting the patient’s protected health information. The organization believed it was defending itself. The Office for Civil Rights saw it differently. That single decision triggered a HIPAA investigation and a formal corrective action plan.
HIPAA violations rarely look like what people imagine. Most do not start with a sophisticated breach or a hacking group. They start with a staff member, a shortcut, or a process that was never set up correctly.
The HIPAA Violations That Show Up in Almost Every Enforcement Case
OCR tracks the compliance issues alleged in every complaint it receives. The same categories keep appearing at the top of that list.
Missing or Incomplete Risk Analysis
This is the single most frequently cited violation in OCR enforcement actions. In 2024, OCR even launched a formal enforcement initiative specifically targeting failure to complete a risk analysis under the HIPAA Security Rule. Risk analysis failures featured in 13 of OCR’s 20 enforcement matters that year.
A HIPAA-compliant risk analysis means reviewing your entire environment, not just the systems someone remembered to include. Organizations often conduct partial assessments, fail to update them after system changes, or never do one at all. OCR will find this in nearly every investigation that follows a breach.
What a compliant risk analysis covers:
- All systems and locations where electronic protected health information (ePHI) is stored, received, or transmitted
- Threats to that data, both internal and external
- Current controls and whether they actually reduce risk
- A documented plan for addressing gaps
Unauthorized Access to Patient Records
Healthcare workers accessing records without a legitimate reason is one of the most common HIPAA violations OCR sees. This includes employees checking on family members, snooping on coworkers, and looking up celebrity health records out of curiosity.
UCLA Health paid $865,000 after a physician was found to have accessed the medical records of celebrities and other patients without authorization. The organization had failed to restrict access appropriately.
In 2023, five former hospital employees pled guilty to unlawfully obtaining patient information from accident victims and selling it to personal injury attorneys and chiropractors. Criminal fines ranged from $1,000 to $50,000, plus probation.
Access logs are not optional under HIPAA’s Security Rule (§164.312(b)). They are your first line of detection for unauthorized access and a critical component of your audit trail.
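As an added example (not code from the page, and not Secure.com’s product), this is the kind of rule-based review a compliance team can run over an EHR access-log extract to surface the snooping patterns described above: coworker lookups, possible family-member lookups, flagged patients opened by staff outside the care team, and a per-user volume check. The log format, the staff-record mapping and the threshold are constructed assumptions.

```python
import csv
import io
from collections import Counter

# Constructed sample access-log extract (not real data). One row per chart open.
# Fields: time,user,user_last,user_role,patient,patient_last,care_team,vip
SAMPLE_LOG = """\
time,user,user_last,user_role,patient,patient_last,care_team,vip
2025-03-01T09:02,u101,Garcia,nurse,p500,Nguyen,u101;u120,0
2025-03-01T09:40,u101,Garcia,nurse,p501,Garcia,u130,0
2025-03-01T10:15,u115,Okafor,billing,p502,Lee,u120,1
2025-03-01T11:00,u120,Lee,physician,p502,Lee,u120,1
2025-03-01T11:30,u101,Garcia,nurse,p600,Okafor,u140,0
2025-03-01T12:00,u101,Garcia,nurse,p503,Smith,u150,0
"""

# Constructed mapping of patient records that belong to staff members
# (patient id -> employee id), as an HR/patient-index link would provide.
STAFF_PATIENT_RECORDS = {"p600": "u115"}


def review_access(log_text, staff_records=STAFF_PATIENT_RECORDS, threshold=2):
    """Return (user, patient, reason) findings for a human reviewer to triage."""
    findings = []
    off_team = Counter()  # chart opens per user with no care-team relationship
    for row in csv.DictReader(io.StringIO(log_text)):
        user, patient = row["user"], row["patient"]
        on_team = user in set(row["care_team"].split(";"))
        # Rule 1: record belongs to a different employee (coworker snooping).
        if staff_records.get(patient) not in (None, user):
            findings.append((user, patient, "coworker record accessed"))
        # Rule 2: same surname as the patient and no care-team relationship
        # (possible family-member lookup; surname match is only a heuristic).
        if row["user_last"] == row["patient_last"] and not on_team:
            findings.append((user, patient, "possible family-member lookup"))
        # Rule 3: flagged (high-profile) patient opened by someone off the care team.
        if row["vip"] == "1" and not on_team:
            findings.append((user, patient, "flagged patient, no care-team relationship"))
        if not on_team:
            off_team[user] += 1
    # Rule 4: volume of off-care-team chart opens at or above the review threshold.
    for user, n in off_team.items():
        if n >= threshold:
            findings.append((user, "*", f"{n} chart opens outside assigned care team"))
    return findings


if __name__ == "__main__":
    for finding in review_access(SAMPLE_LOG):
        print(finding)
```

The treating physician (u120) opening a same-surname, flagged patient on their own care team produces no finding, which is the behaviour a reviewer wants so that legitimate treatment access does not drown out the real anomalies.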
Impermissible Disclosure of PHI
This is the top violation category on HHS’s cumulative complaint list. It covers any situation where PHI is shared with someone who should not have it, without proper authorization.
Examples include:
- Leaving a voicemail for a patient that a family member overhears, with details about their diagnosis and treatment
- Faxing records to the wrong recipient
- Sending patient data via personal email to finish work from home
- Responding to a negative online review with identifying patient details
All of these have resulted in OCR investigations.
Real Enforcement Cases From 2024 and 2025
Looking at actual enforcement actions gives a clearer picture than any checklist. These are not hypothetical scenarios.
When a Phishing Email Becomes a $600,000 Fine
PIH Health settled with OCR in April 2025 for $600,000 after a 2019 phishing campaign compromised 45 employee email accounts and exposed the protected health information of 189,763 individuals.
The data included names, addresses, Social Security numbers, clinical records, and financial details. OCR’s investigation found that PIH had no enterprise-wide risk analysis, inadequate email monitoring, and limited safeguards on employee accounts. The organization also failed to provide timely breach notifications, reporting the incident more than six months after it occurred.
The phishing email was the trigger. The lack of enterprise-wide risk analysis, inadequate email monitoring, and missing safeguards made the $600,000 fine inevitable.
Responding to a Negative Online Review With Patient Information
A psychiatric services provider in New Jersey responded to a critical online review by disclosing the patient’s protected health information in the response. OCR investigated and found the organization had violated the HIPAA Privacy Rule and lacked proper policies around public disclosures.
This happens more often than people realize. OCR Director Melanie Fontes Rainer stated: “OCR continues to receive complaints about health care providers disclosing their patients’ protected health information on social media or the internet in response to negative reviews. Simply put, this is not allowed.”
No exceptions exist for defending your reputation online.
Warby Parker: $1.5 Million for a Hacking Investigation
In February 2025, HHS imposed a $1.5 million civil money penalty against Warby Parker following a cybersecurity investigation. While not a traditional healthcare provider, the company handled health-related customer data covered by HIPAA through its vision care services.
The case reinforced that HIPAA applies beyond hospitals and clinics. Any organization that qualifies as a covered entity or business associate is subject to the same rules and the same enforcement.
The HIPAA Violations You Would Not Expect
Some violations catch organizations off guard precisely because they do not look like compliance failures in the moment.
Texting Patient Information Over a Personal Phone
A staff member texts a colleague a photo of a patient’s chart to get a quick second opinion before heading out. No harm meant. Completely against HIPAA.
Personal devices are not covered by your organization’s security controls. They do not have audit trails. They may sync to personal cloud accounts. The moment PHI hits a personal device, you have a potential violation, regardless of intent.
Social Media Posts That Seem Harmless
In 2025, a registered practical nurse live-streamed a TikTok video of herself at work during a medication pass. Even without directly naming a patient, any image or footage that could be used to identify a patient in a clinical setting can qualify as a violation.
Healthcare workers with large followings sometimes post “day in my life” content without realizing what is visible in the background. Equipment, room numbers, whiteboards, even staff names visible on screens have triggered complaints.
Skipping a Business Associate Agreement
Any vendor, contractor, or third party that touches PHI needs a signed business associate agreement (BAA) that meets HIPAA requirements. Many organizations sign agreements but forget to update them after the 2013 Omnibus Rule, which changed what BAAs must include.
Health Fitness Corporation settled for $227,816 in 2025 after a misconfigured server exposed protected health information online for nearly three years. The investigation confirmed no HIPAA-compliant risk analysis was completed until years after the incident began.
The contract requirement protects you when a vendor is responsible for the breach. Without it, the liability falls back on you.
What HIPAA Penalties Actually Look Like
People often assume HIPAA fines are enormous by default. The reality is more nuanced, and that makes it more important to understand.
| Tier | Situation | Penalty Range | Annual Cap |
|---|---|---|---|
| Tier 1 | No knowledge of the violation | $145 – $73,011 per violation | $2.19M |
| Tier 2 | Reasonable cause | $1,461 – $73,011 per violation | $2.19M |
| Tier 3 | Willful neglect (corrected) | $10,000 – $50,000 per violation | $250K |
| Tier 4 | Willful neglect (not corrected) | $50,000 per violation | $1.5M |
The key word in Tier 4 is “not corrected.” Organizations that find a problem and fix it promptly tend to resolve cases in settlements well below the maximum. Organizations that ignore OCR or fail to act face the steepest outcomes.
Criminal Penalties Are Real
Most HIPAA violations result in civil proceedings. But when violations involve knowing disclosure, false pretenses, or intent to profit, the Department of Justice handles criminal prosecution.
Criminal tiers carry:
- Up to 1 year in jail and a $50,000 fine for knowingly obtaining or disclosing PHI
- Up to 5 years and $100,000 for obtaining PHI under false pretenses
- Up to 10 years and $250,000 for obtaining PHI for commercial gain or to cause harm
Individual employees, not just organizations, can face these consequences.
How Secure.com’s Compliance Teammate Helps You Catch Problems Before OCR Does
The pattern across most HIPAA enforcement cases is consistent. Something broke, nobody detected it, and months or years passed before anyone acted. By then, the exposure is large and the documentation trail is thin.
Secure.com’s Compliance Teammate helps organizations close exactly that gap through continuous monitoring and automated evidence collection.
Continuous Monitoring of PHI Access
Unauthorized access to patient records is one of the most common HIPAA violations, and it is also one of the hardest to catch without automated monitoring. The Compliance Teammate monitors access patterns continuously, flagging anomalies in real time rather than waiting for a complaint or an annual audit.
When an employee accesses records without a legitimate business reason, the system flags the anomaly in real time. Early detection enables internal remediation before a violation becomes an OCR investigation.
An Audit Trail That Builds Itself
Every action the Compliance Teammate takes is logged, timestamped, and fully explainable. This means that if OCR opens an investigation, your documentation is already there and already organized.
No scrambling to reconstruct six months of activity. No inconsistent formats across systems. The evidence trail builds as the work happens.
Organizations using Secure.com’s Compliance Teammate have reduced audit preparation time by over 90%, with 2,000+ analyst hours saved annually.
Risk Analysis That Stays Current
Inadequate risk analysis is the number one cited violation in OCR enforcement actions. It shows up in investigations because most organizations do risk assessments once and let them sit.
Secure.com’s Compliance Teammate keeps your risk picture current. It integrates with 200+ security and cloud tools, including CrowdStrike, Splunk, SentinelOne, AWS, GCP, and Azure, pulling live data rather than relying on annual snapshots. When a new system comes online, when a configuration changes, or when a vendor relationship shifts, the risk analysis updates to reflect it.
This provides the kind of current, comprehensive documentation OCR expects during investigations—documentation that most organizations struggle to produce under pressure.
FAQs
What is the most common HIPAA violation?
Can a HIPAA violation happen by accident?
How long does an OCR HIPAA investigation take?
What triggers an OCR investigation?
Conclusion
HIPAA violations are not rare events that happen to other organizations. They happen in daily workflows. A nurse texting a photo of a chart. A staff member pulling up a colleague’s record out of curiosity. A provider responding defensively to a patient review. A vendor agreement that was never updated.
The organizations that end up in OCR enforcement actions are not usually doing something dramatically wrong. They are operating without the controls, documentation, and monitoring that HIPAA requires, and something eventually surfaces the gap.
The answer is not another policy document or annual compliance training that employees click through without retaining. It is continuous monitoring, clean audit trails, and risk analysis that stays current as the environment changes. That is what separates organizations that catch problems internally from the ones that find out through an investigation.
Secure.com’s Compliance Teammate automates continuous monitoring, evidence collection, and risk analysis—so your team can demonstrate compliance proactively rather than reactively during an OCR investigation.