What Are Examples of HIPAA Violations?

HIPAA violations fall into a surprisingly wide range of categories, from massive data breaches affecting millions of people to a single employee peeking at a coworker’s medical chart. The U.S. Department of Health and Human Services tracks complaints and ranks the most common issues. In order of frequency, the top five are: impermissible uses and disclosures of protected health information, lack of safeguards for that information, failure to give patients access to their own records, lack of administrative safeguards for electronic records, and sharing more information than necessary to get the job done.

Here’s what those categories actually look like in practice.

Sharing Patient Information Without Authorization

The single most common HIPAA complaint is an impermissible use or disclosure of protected health information (PHI). This covers any situation where someone’s medical details end up with a person or organization that has no right to see them. The scenarios vary widely in scale and intent.

At the smaller end, this includes a front-desk employee discussing a patient’s diagnosis within earshot of other patients in a waiting room, or a nurse mentioning a patient’s condition to a friend in casual conversation. It also includes staff members looking up medical records for people they aren’t treating. Employees have been fired for accessing the charts of celebrities, ex-partners, coworkers, and family members out of curiosity rather than for any treatment purpose. These “snooping” cases are taken seriously even though they don’t involve sharing the information further, because the unauthorized access itself is the violation.

Beyond individual snooping, impermissible disclosures commonly take the form of records mailed or emailed to the wrong patient, information faxed to an incorrect number, or a records request fulfilled for someone who isn’t authorized to receive the data. Each of these is a reportable event if the information wasn’t secured, regardless of how small the mistake looks from the inside.

Social Media Posts That Reveal Patient Details

Social media has created an entirely new category of impermissible disclosure. Healthcare workers sometimes post photos, videos, or stories from their workplace without realizing they’ve included identifiable patient information. A photo of a funny whiteboard in a treatment room might include a patient’s name in the background. A story about an unusual case might contain enough detail for someone to identify the patient, even without using their name.

The key point is that protected health information isn’t limited to a patient’s name and diagnosis. It includes any combination of details that could identify someone: their age, the date of their visit, their location, a description of their injury, or even a visible tattoo in a photo. Posting any of this on social media without explicit patient authorization is a violation, regardless of whether the employee intended to share it or simply didn’t notice it was in the frame.

Hacking and IT Security Breaches

While snooping and careless disclosures are common, the largest HIPAA breaches by volume almost always involve hacking. In 2019, hacking accounted for 49% of all reported healthcare data breaches. By 2023, that figure had climbed to 79.7%. Current data from the federal breach portal shows hacking and IT incidents now account for more than 80% of large healthcare data breaches.

These incidents include ransomware attacks that lock hospital systems and expose patient databases, phishing emails that trick employees into handing over login credentials, and vulnerabilities in software that attackers exploit to extract records in bulk. A single hacking incident can expose the records of hundreds of thousands or even millions of patients at once, which is why these cases dominate the largest enforcement actions and settlements.

The HIPAA Security Rule requires healthcare organizations to implement technical safeguards such as access controls, audit logs, and encryption. Encryption is an “addressable” specification rather than a flat requirement, which means an organization must either implement it or document why it isn’t reasonable and put an equivalent alternative in place; in practice, regulators expect to see it. When an organization suffers a breach and investigators find those safeguards were missing or inadequate, the breach itself becomes a HIPAA violation on top of whatever damage was done.
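The audit logs the Security Rule calls for are also how the “snooping” cases described earlier get caught. As an added example (this is not code from the original article or from any EHR vendor), the script below runs a small review over a constructed sample of EHR access-log rows: each access is checked against a hypothetical care-team roster, accesses with no documented treatment or billing relationship are flagged, and emergency break-the-glass overrides are kept in a separate bucket so they are reviewed rather than silently accepted. The log format, the roster, and the field names are all assumptions made for the example.

```python
import csv
import io

# Constructed sample EHR audit log (not real data). One row per chart access,
# in the shape an EHR audit trail typically records: who, what role, which
# patient, what action, and any documented reason (e.g. a break-the-glass note).
AUDIT_LOG = """\
timestamp,user,role,patient_id,action,reason
2024-03-04T08:02:11,nurse_ali,nurse,P1001,view_chart,
2024-03-04T08:15:40,nurse_ali,nurse,P1002,view_chart,
2024-03-04T12:31:05,nurse_ali,nurse,P2042,view_chart,
2024-03-04T13:05:19,billing_kim,billing,P1001,view_claims,
2024-03-04T22:47:30,dr_chen,physician,P3010,view_chart,break_glass: ED consult
2024-03-05T09:00:00,dr_chen,physician,P1001,view_chart,
2024-03-05T09:10:00,nurse_ali,nurse,P2042,view_chart,
2024-03-05T09:12:44,nurse_ali,nurse,P2043,view_chart,
"""

# Hypothetical care-team roster: users with a documented treatment or billing
# relationship to each patient. In a real deployment this would be derived from
# encounter, admission and claim records, not a hand-maintained table.
CARE_TEAM = {
    "P1001": {"nurse_ali", "dr_chen", "billing_kim"},
    "P1002": {"nurse_ali"},
    "P3010": set(),
}


def parse_log(text):
    """Parse the CSV audit log into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def classify(row):
    """Label one access for review, or return None if it needs no attention.

    A user on the patient's care team needs no review. A user who is not on it
    is either an emergency override (permitted, but every one is reviewed) or
    an access with no documented relationship, which is the snooping pattern.
    """
    if row["user"] in CARE_TEAM.get(row["patient_id"], set()):
        return None
    if row["reason"].strip().startswith("break_glass:"):
        return "break_glass"
    return "no_relationship"


def review(text):
    """Run every row through classify() and group the findings by user."""
    findings = {}
    for row in parse_log(text):
        label = classify(row)
        if label:
            findings.setdefault(row["user"], []).append((row["patient_id"], label))
    return findings


def repeat_offenders(findings, threshold=3):
    """Users with at least `threshold` unrelated accesses: the first people to interview."""
    return sorted(
        user for user, hits in findings.items()
        if sum(1 for _, label in hits if label == "no_relationship") >= threshold
    )


if __name__ == "__main__":
    found = review(AUDIT_LOG)
    for user, hits in found.items():
        print(user, hits)
    print("repeat offenders:", repeat_offenders(found, threshold=2))
```

The relationship check is deliberately strict: an unrelated access with no reason is flagged even when it happened during working hours from a clinical role, because that is exactly how curiosity lookups of coworkers, relatives or public figures appear in the log. Break-the-glass entries are surfaced separately so that a reviewer confirms the stated emergency rather than treating the override as an exemption.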

Lost or Stolen Devices Without Encryption

Before hacking overtook other breach types, stolen laptops and lost USB drives were responsible for some of the most prominent HIPAA enforcement actions. The issue isn’t that a device was stolen. It’s that the data on it wasn’t encrypted, meaning anyone who picked it up could access the patient records stored on it.

Lifespan Health System, a nonprofit health system in Rhode Island, paid $1,040,000 to settle a case involving a single stolen laptop. The laptop was unencrypted, and the resulting investigation revealed that Lifespan had failed to implement device encryption across its affiliated entities. Had the laptop been fully encrypted in line with HHS guidance, and the key not exposed along with it, the theft wouldn’t have qualified as a reportable breach at all, because HHS treats properly encrypted data as unusable, unreadable, and indecipherable to whoever took it. This distinction is why full-disk encryption on laptops, phones, and removable media is one of the most cost-effective protections a healthcare organization can adopt.

Blocking Patients From Their Own Records

Failing to give patients timely access to their medical records is the third most common HIPAA complaint, and federal enforcement has ramped up significantly. The HIPAA Privacy Rule gives patients the right to obtain copies of their health records, and providers must fulfill those requests within 30 days. A single 30-day extension is allowed only if the provider tells the patient in writing, within the original 30 days, why the delay is needed and when the records will arrive.

The federal government has made this a priority through its Right of Access Enforcement Initiative, which has now resulted in 54 enforcement actions. In one recent case, Concentra, a large occupational health provider, settled for $112,500 after an investigation found it had ignored a patient’s repeated requests for his own records. The patient made six requests starting in February 2018. He didn’t receive his records until March 2019, more than a year later.

These cases often involve smaller dollar amounts than hacking-related breaches, but they affect patients directly. If you’ve requested your medical records and your provider is dragging their feet or refusing to hand them over, that is a violation you can report to the Office for Civil Rights.

Failing to Use Minimum Necessary Standards

HIPAA’s “minimum necessary” standard requires that when protected health information is used, disclosed, or requested, only the amount of information needed for that specific purpose is involved. The standard doesn’t apply to disclosures to a healthcare provider for treatment, or to disclosures to the patient themselves, but it applies to most everything else. Sending an entire medical chart to an insurance company when only a single visit note was requested violates this standard. So does giving an administrative employee access to the full clinical record when their job only requires billing information.

This violation often stems from how electronic health record systems are configured. The Privacy Rule expects an organization to identify which workforce roles need which categories of information and to restrict access accordingly. If a system instead gives every employee the same level of access regardless of their role, the organization isn’t meeting the minimum necessary requirement, even if no one actually misuses that access.
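As an added illustration (not code from the original article or from any EHR product), the block below shows the difference between the flat configuration the paragraph describes and a role-scoped one, using a constructed patient record. Each role gets an allow-list of chart fields and of per-visit fields, unknown roles are denied by default, and a disclosure can be narrowed to a single encounter, which is the shape of the insurer request mentioned above. A small configuration check lists which roles can read the whole chart, so the flat policy can be spotted before anyone misuses it. The record layout, role names, and policy structure are assumptions made for the example.

```python
# Constructed patient record (not real data), shaped like a full EHR chart.
FULL_RECORD = {
    "patient_id": "P1001",
    "name": "Jane Doe",
    "dob": "1980-05-14",
    "insurance_id": "INS-778812",
    "diagnoses": ["E11.9", "I10"],
    "medications": ["metformin", "lisinopril"],
    "visits": [
        {"date": "2024-01-10", "note": "Routine follow-up. BP controlled.", "charge": 150.00},
        {"date": "2024-02-22", "note": "Flu-like symptoms. Rapid test negative.", "charge": 95.00},
    ],
}

ALL_FIELDS = set(FULL_RECORD)
ALL_VISIT_FIELDS = {"date", "note", "charge"}

# Weak configuration: every role is granted the whole chart. Nobody has to
# misuse it for this to fail the minimum necessary standard.
FLAT_POLICY = {
    role: {"fields": ALL_FIELDS, "visit_fields": ALL_VISIT_FIELDS}
    for role in ("physician", "nurse", "billing", "front_desk")
}

# Corrected configuration (hypothetical role split): billing sees identifiers,
# insurance and charges but no clinical notes; front desk sees demographics
# only. Roles not listed here get nothing (deny by default).
ROLE_POLICY = {
    "physician": {"fields": ALL_FIELDS, "visit_fields": ALL_VISIT_FIELDS},
    "nurse": {
        "fields": {"patient_id", "name", "dob", "diagnoses", "medications", "visits"},
        "visit_fields": {"date", "note"},
    },
    "billing": {
        "fields": {"patient_id", "name", "insurance_id", "visits"},
        "visit_fields": {"date", "charge"},
    },
    "front_desk": {"fields": {"patient_id", "name", "dob"}, "visit_fields": set()},
}


def scope_record(record, role, policy=ROLE_POLICY, visit_date=None):
    """Project `record` down to the fields `role` is allowed to use.

    `visit_date` narrows the visit list to one encounter, for disclosures such
    as an insurer asking about a single visit rather than the whole history.
    Raises PermissionError for roles the policy does not mention.
    """
    rule = policy.get(role)
    if rule is None:
        raise PermissionError(f"no access policy for role {role!r}")
    scoped = {k: v for k, v in record.items() if k in rule["fields"]}
    if "visits" in scoped:
        visits = scoped["visits"]
        if visit_date is not None:
            visits = [v for v in visits if v["date"] == visit_date]
        scoped["visits"] = [
            {k: v for k, v in visit.items() if k in rule["visit_fields"]}
            for visit in visits
        ]
    return scoped


def roles_with_full_chart(policy):
    """Configuration check: which roles can read every field of the chart?"""
    return sorted(
        role for role, rule in policy.items()
        if rule["fields"] >= ALL_FIELDS and rule["visit_fields"] >= ALL_VISIT_FIELDS
    )


if __name__ == "__main__":
    print("flat policy, full-chart roles:", roles_with_full_chart(FLAT_POLICY))
    print("role policy, full-chart roles:", roles_with_full_chart(ROLE_POLICY))
    print("billing view of one visit:", scope_record(FULL_RECORD, "billing", visit_date="2024-02-22"))
```

Running roles_with_full_chart over a live policy export is the quick way to find the flat configuration before an investigator does; the projection function is the enforcement side, and the two together are what “role-based access” means in practice for minimum necessary.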

Inadequate Safeguards and Missing Policies

Many HIPAA violations aren’t dramatic events. They’re gaps in basic security practices that create the conditions for a breach. Lack of safeguards is the second most common complaint category and includes both physical and administrative failures.

Physical examples include leaving paper charts in unsecured areas, failing to use privacy screens on computer monitors in public-facing areas, or disposing of records in regular trash rather than shredding them. Administrative failures include not conducting regular risk assessments, not maintaining written privacy policies, or not training staff on HIPAA requirements. When a breach occurs and investigators discover these gaps, the organization faces penalties not just for the breach but for the underlying failures that allowed it to happen.

Late or Missing Breach Notifications

When a breach does occur, HIPAA’s Breach Notification Rule sets strict timelines for disclosure. Organizations must notify affected individuals without unreasonable delay and no later than 60 days after discovering the breach. If the breach affects 500 or more individuals, the organization must also notify the HHS Secretary within that same 60-day window, and if more than 500 residents of a single state or jurisdiction are affected, it must alert prominent media outlets serving that area. Smaller breaches still have to be logged and reported to HHS, within 60 days after the end of the calendar year in which they were discovered.

Failing to meet these deadlines is itself a separate HIPAA violation. Some organizations have faced enforcement actions not because of the original breach, but because they delayed reporting it. Trying to quietly resolve a breach without notification, or taking months to inform affected patients, compounds the original problem and increases the financial penalties significantly.

Penalty Ranges for Violations

HIPAA civil penalties are tiered based on the level of negligence involved. At the lowest tier, violations the organization didn’t know about and couldn’t have reasonably avoided carry penalties starting at $141 per violation. At the highest tier, violations resulting from willful neglect that the organization made no attempt to correct can reach $2,134,831 per violation (figures as adjusted for inflation in 2024). An annual cap applies to violations of each identical provision, but when multiple violation categories are involved in a single case, the totals add up quickly.

Criminal penalties also exist for individuals who knowingly obtain or disclose protected health information. These start at fines of up to $50,000 and one year in prison, rise to $100,000 and five years when the information was obtained under false pretenses, and reach $250,000 and ten years when it was obtained with intent to sell it, to use it for commercial advantage or personal gain, or to cause malicious harm.