What Is a HIPAA Violation? Types, Examples & Penalties

A HIPAA violation occurs when a healthcare provider, health plan, or their business partner fails to follow the federal rules that protect patient health information. These violations range from an employee snooping through medical records out of curiosity to a hospital losing an unencrypted laptop containing thousands of patient files. Since the law took effect, the federal government has received over 371,000 complaints, and of the cases investigated, 67% resulted in corrective action.

Who HIPAA Actually Applies To

HIPAA does not apply to everyone who handles health-related information. It covers three types of organizations: healthcare providers (doctors, clinics, pharmacies, nursing homes, dentists, psychologists), health plans (insurance companies, HMOs, employer health plans, Medicare, Medicaid), and healthcare clearinghouses that process billing data. There’s one important catch for providers: they’re only covered if they transmit health information electronically for standard transactions like insurance claims. A provider who operates entirely on paper and never submits electronic claims technically falls outside HIPAA’s scope, though that’s rare today.

Beyond these “covered entities,” HIPAA also applies to business associates. These are outside companies that handle patient data on behalf of a covered entity, such as a billing service, cloud storage provider, IT contractor, or law firm reviewing medical records. A written agreement must spell out how the business associate will protect that data. Both the covered entity and the business associate are legally liable for violations.

If an organization doesn’t fall into one of these categories, HIPAA doesn’t apply to it. Your employer asking about your health, a fitness app collecting your step count, or a friend sharing your medical news on social media may feel like privacy violations, but they aren’t HIPAA violations.

The Most Common Types of Violations

Federal enforcement data reveals several categories that come up repeatedly.

Unauthorized use or disclosure of patient information. This is the broadest and most frequent category. It includes a doctor’s office accidentally faxing medical records to a patient’s employer instead of their new provider, a nurse discussing a patient’s HIV status within earshot of other patients, or a hospital employee leaving a voicemail with a patient’s daughter that included details about her medical condition and treatment plan. The common thread is that protected health information reached someone who had no right to see it.

Employee snooping. Healthcare workers accessing records they have no clinical reason to view is a persistent problem. In one federal case, a supervisor accessed, examined, and disclosed an employee’s medical record without authorization. In another, a nurse practitioner used her hospital system privileges to look through her ex-husband’s records. Even though these employees had the technical ability to open those files, doing so without a treatment-related reason is a clear violation.

Inadequate safeguards. Organizations must put physical, technical, and administrative protections in place. A pharmacy that left pseudoephedrine log books containing patient information visible to anyone at the counter violated this requirement. So did a medical practice where computer screens displaying patient data faced the waiting room. A health plan’s flawed computer system that put roughly 2,000 families’ information at risk of disclosure fell into the same category.

Sharing more information than necessary. HIPAA imposes a “minimum necessary” standard. When disclosing patient information for purposes other than direct treatment, organizations should share only the specific data needed for that purpose, not the entire medical record.

Denying patients access to their own records. Patients have a legal right to obtain copies of their health information within 30 days of requesting it (with a possible 30-day extension). One private practice refused to release records because the patient had an unpaid balance. Another refused a mother’s request for her minor son’s complete medical record. Both were violations. The federal government has made this a specific enforcement priority.

What Counts as a Breach

Not every violation rises to the level of a reportable breach. A breach occurs when patient information is used or shared in a way HIPAA doesn’t permit, and that use or disclosure puts the privacy or security of the information at risk. Before reporting, organizations can perform a risk assessment that considers the type of information involved, who received it, whether it was actually viewed or retained, and what steps were taken to contain the damage. If the assessment shows a low probability that the information was compromised, it may not need to be reported as a breach.

When a breach does occur, the organization must notify affected individuals within 60 days of discovering it. If 500 or more people are affected, the organization must also alert the Department of Health and Human Services within that same 60-day window and notify prominent media outlets in the affected area. Smaller breaches affecting fewer than 500 people can be reported to HHS annually, within 60 days after the end of the calendar year.

What Is Not a HIPAA Violation

HIPAA includes broad exceptions that allow patient information to be shared without individual authorization in specific circumstances. Understanding these is just as important as knowing the violations, because many situations people assume are illegal are actually permitted.

Healthcare providers can freely share your information for treatment, payment, and routine healthcare operations. Your primary care doctor sending your lab results to a specialist, your hospital submitting a claim to your insurance company, and a quality assurance team reviewing records internally are all permitted. A covered entity can also disclose information directly to you, the patient.

There are also 12 categories of “public interest” disclosures that don’t require your permission. These include disclosures required by other laws, public health reporting (like notifying authorities about infectious diseases), reports of abuse or neglect, law enforcement purposes, judicial proceedings, health oversight activities, and situations where disclosure is needed to prevent a serious and imminent threat to someone’s health or safety.

Incidental disclosures are also not violations, as long as the organization has reasonable safeguards in place. A hospital visitor overhearing a brief exchange between a doctor and nurse, or glimpsing a name on a sign-in sheet, doesn’t automatically constitute a violation if the facility has taken reasonable steps to protect privacy.

Penalties for HIPAA Violations

HIPAA enforcement has two tracks: civil and criminal. Most cases fall on the civil side, handled by the Office for Civil Rights within HHS. Of the more than 46,000 complaints investigated through September 2024, roughly two-thirds led to corrective action such as required policy changes, staff retraining, or financial settlements. About one-third were found to involve no violation.

Criminal penalties, enforced by the Department of Justice, follow a three-tier structure based on intent. A basic violation carries up to a $50,000 fine and up to one year in prison. If the violation was committed under false pretenses, the maximum rises to $100,000 and five years. The harshest penalties are reserved for people who steal or misuse health information for commercial advantage, personal gain, or to cause harm: up to $250,000 and ten years in prison.

How Violations Get Reported

Anyone can file a HIPAA complaint with the Office for Civil Rights, including patients, employees, or members of the public. Complaints can be submitted online through the HHS website. The office then determines whether the complaint falls within HIPAA’s jurisdiction and whether there’s enough information to investigate. Many complaints are resolved through voluntary corrective action, where the organization agrees to fix the problem, update its policies, and retrain staff. More serious or repeated violations can lead to formal settlements with financial penalties or, in rare cases, criminal referral to the Department of Justice.

Organizations are also required to self-report breaches. When a business associate discovers a breach, it must notify the covered entity within 60 days so the covered entity can then carry out the required notifications to individuals and the government.