Key Takeaways
- A HIPAA violation occurs when a covered entity or business associate fails to comply with any provision of the HIPAA Privacy, Security, or Breach Notification Rules.
- Civil penalties range from $145 per violation up to an annual maximum of $2,190,294 per violation category (adjusted for inflation), with the highest tier alone regularly reaching that cap; criminal penalties can reach $250,000 and 10 years imprisonment.
- The most common violations include unauthorized access to patient records, inadequate security program documentation, insufficient access controls and improper disposal of protected health information (PHI).
- Communication-related violations, including unencrypted emails containing PHI and failure to archive regulated communications, are among the fastest-growing enforcement areas.
- Prevention requires a combination of workforce training, technical safeguards, documented policies and compliant communications archiving.
Introduction
In 2024, the HHS Office for Civil Rights (OCR) reached a $4.75 million settlement with Montefiore Medical Center after an employee stole and sold the protected health information of patients, a breach OCR traced to an incomplete risk analysis and inadequate monitoring of system activity.
That case added to a total that now exceeds $144 million in HIPAA enforcement penalties since OCR began enforcing the Privacy Rule.
Routine mistakes draw penalties, too. A HIPAA violation can stem from an employee accessing a patient record out of curiosity, an unencrypted email sent to the wrong address or a missed security review that went undetected for years.
In this guide, you’ll learn:
- What constitutes a HIPAA violation and who can be held liable
- The most common types of violations with real enforcement examples
- How the four-tier civil penalty structure works, including inflation-adjusted fine ranges
- Actionable prevention strategies, including communication-specific safeguards
What Is a HIPAA Violation?
A HIPAA violation is any failure to comply with the provisions of the Health Insurance Portability and Accountability Act, specifically the Privacy Rule, Security Rule, Breach Notification Rule or Enforcement Rule. These rules are codified in 45 CFR Parts 160 and 164 and enforced by OCR.
Two categories of organizations bear direct HIPAA liability. Covered entities include healthcare providers who transmit health information electronically, health plans and healthcare clearinghouses. Business associates are third parties that create, receive, maintain or transmit protected health information (PHI) on behalf of a covered entity, such as cloud hosting providers, billing companies, IT service vendors and email archiving platforms.
Violations fall on a spectrum of intent.
An unknowing violation occurs when the entity was unaware of the rule it violated and couldn’t have reasonably known. A reasonable cause violation means the entity knew or should have known about the requirement but didn’t act with willful neglect.
Willful neglect is the most serious category and applies when an entity consciously disregarded its HIPAA obligations, whether or not it attempted to correct the failure afterward, though timely correction does reduce the penalty tier.
Both civil and criminal penalties apply.
Civil penalties are imposed by OCR through resolution agreements and civil money penalties (detailed in the penalty tiers section below). Criminal penalties are prosecuted by the Department of Justice and can apply to individuals, not only organizations. An employee who knowingly obtains or discloses PHI without authorization faces potential fines and imprisonment.
Common Types of HIPAA Violations
The most common HIPAA violation examples fall into a handful of recurring patterns, and most of them have little to do with sophisticated hackers.
They come from everyday gaps: an employee looking at a record they shouldn’t, a risk analysis that never gets updated, or access controls that were never tightened after a merger. The categories below show up again and again in OCR’s enforcement record, which makes them a practical checklist for figuring out where your own exposure sits.
Unauthorized access to patient records
Employee snooping, the practice of accessing patient records without a treatment, payment or operations justification, is one of the most frequently cited individual-level HIPAA violations according to OCR enforcement data.
Staff members have been disciplined and organizations fined after employees accessed the records of celebrities, family members, co-workers and former patients.
OCR has pursued enforcement actions in cases where organizations failed to detect or prevent this behavior through access controls and audit logging.
Failure to conduct a risk analysis
The HIPAA Security Rule requires covered entities and business associates to conduct periodic, organization-wide security evaluations.
Failure to do this analysis shows up in most OCR enforcement actions, which tells you how seriously the agency takes it. Many organizations treat it as a one-time checkbox at implementation rather than an ongoing requirement that must be updated as systems, vendors and communication channels change.
Insufficient access controls and audit logs
The minimum necessary standard means employees should only reach the PHI their specific job requires, and the organizations that struggle most with this are usually the ones running legacy systems or working through the aftermath of a merger or acquisition.
When you stitch together systems that were never designed to talk to each other, you end up with no central way to govern who can see what, and that gap is exactly what OCR looks for.
The specific failures that draw enforcement are familiar ones: no role-based access controls, no unique login for each user, shared credentials floating around a department and audit logs that nobody actually reviews.
Any one of these makes it hard to prove, after the fact, that access was appropriate, which is the question an investigator will ask first.
Improper disposal of PHI
Before you dispose of PHI, it has to be rendered unreadable, whether that’s shredding paper charts or properly wiping drives.
Violations have involved medical records found in unsecured dumpsters, unwiped hard drives sold or donated, and retired servers with accessible patient data.
This applies equally to physical records (paper charts, printed lab results) and electronic protected health information (ePHI) stored on devices, drives and backup media.
Failure to encrypt or secure electronic communications
Sending unencrypted emails containing ePHI, using personal messaging apps for patient communication and failing to archive regulated communications are all areas of growing enforcement activity.
HIPAA’s encryption requirement under the Security Rule, 45 CFR § 164.312(a)(2)(iv), is classified as “addressable,” which many organizations mistakenly interpret as optional.
In practice, if an organization chooses not to encrypt, it must document why and implement an equivalent safeguard, a standard most unencrypted communication systems can’t meet.
This is also where communication archiving intersects directly with violation prevention.
Organizations that lack a compliant archive for email, chat, SMS, collaboration platforms and websites won’t be able to produce the records OCR requires during an investigation, creating both a documentation gap and an independent violation.
Lack of employee training
HIPAA requires covered entities to train all workforce members on policies and procedures relevant to their job functions. Inadequate or absent training is a recurring finding in OCR resolution agreements. Effective training programs go beyond annual slide decks.
They include real examples of violations and their consequences, role-specific guidance and documented attendance records that demonstrate compliance during audits.
Real-World HIPAA Violation Cases
The HIPAA violation examples below, drawn from OCR’s breach portal and published resolution agreements, show the range of organizations and failures that draw penalties.
The following table highlights seven notable enforcement cases.
| Organization | Violation type | Penalty | Year |
|---|---|---|---|
| Montefiore Medical Center | Insider stole and sold patient ePHI over six months; no audit controls on the EHR | $4,750,000 | 2024 |
| Solara Medical Supplies | Email phishing breach (114,007 individuals); no risk analysis, weak email monitoring, late breach notification | $3,000,000 | 2025 |
| Warby Parker | Credential-stuffing attack (~198,000 records); inadequate risk analysis and safeguards | $1,500,000 | 2025 |
| LA Care Health Plan | Multiple violations, including gaps in security program documentation, access controls and known-risk remediation; investigation triggered by two data breaches | $1,300,000 | 2023 |
| Banner Health | No documented enterprise-wide security program; insufficient monitoring of health information systems (affecting 2.81 million individuals) | $1,250,000 | 2023 |
| Gulf Coast Pain Consultants | Failure to revoke a former employee’s access to ePHI systems | $1,190,000 | 2024 |
| Lafourche Medical Group | Phishing attack compromised ePHI of approximately 34,862 individuals; OCR cited insufficient security safeguards and lack of security awareness training | $480,000 | 2024 |
A few patterns stand out. A missing or inadequate risk analysis runs through nearly every case, which is exactly why OCR has made it an enforcement priority.
Penalties scale with the number of people affected and with how badly the organization failed to act on risks it already knew about or should have found.
The other recurring thread runs through communications: phishing emails that reached inadequately monitored mailboxes, former employees whose access was never revoked, and breach notifications that went out too late.
HIPAA Violation Fines and Penalty Tiers
HIPAA civil penalties follow a four-tier structure established by the HITECH Act and adjusted annually for inflation by HHS. The tiers reflect the violator’s level of knowledge and culpability.
Civil penalty tiers
| Tier | Level of culpability | Penalty per violation | Annual maximum |
|---|---|---|---|
| Tier 1 | Unknowing: the entity did not know and could not have reasonably known of the violation | $145 – $73,011 | $2,190,294 |
| Tier 2 | Reasonable cause: the entity knew or should have known, but did not act with willful neglect | $1,461 – $73,011 | $2,190,294 |
| Tier 3 | Willful neglect, corrected within 30 days of discovery | $14,602 – $73,011 | $2,190,294 |
| Tier 4 | Willful neglect, not corrected within 30 days | $73,011 | $2,190,294 |
These are the official statutory amounts published in the Federal Register, effective January 2026. In practice, OCR applies lower annual caps for Tiers 1 through 3 under a 2019 enforcement discretion policy that remains in effect, so real-world exposure in those tiers is well below the published maximum. Only Tier 4, willful neglect left uncorrected, regularly reaches the full $2,190,294.
Criminal penalties
Criminal violations are prosecuted by the Department of Justice under 42 U.S.C. § 1320d-6, not OCR.
A judge sets the fine and any prison term based on the facts of each case, and an offender who profited from the theft or disclosure may also have to return everything they received. The three criminal tiers are:
- Knowingly obtaining or disclosing PHI: up to $50,000 fine and/or up to 1 year imprisonment
- Obtaining PHI under false pretenses: up to $100,000 fine and/or up to 5 years imprisonment
- Obtaining or disclosing PHI with intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm: up to $250,000 fine and/or up to 10 years imprisonment
State attorneys general also have independent authority to bring civil actions on behalf of state residents for HIPAA violations, adding another layer of enforcement exposure. Several states, including California, New York and Texas, have pursued HIPAA-related actions under their own health privacy statutes.
How to Prevent HIPAA Violations
The enforcement cases above share a common thread: in almost every one, OCR found a safeguard that should have been in place and wasn’t.
That makes prevention less about predicting the next threat and more about closing the gaps investigators look for first.
The measures below map to the failures that appear most often in resolution agreements, from risk analysis through breach response, and they work best as layers rather than as a checklist completed once and set aside.
Conduct regular security evaluations
The Security Rule requires covered entities to perform a comprehensive, organization-wide risk analysis, and OCR treats a missing or incomplete one as the single most common failure it finds.
The mistake most organizations make is running it once at implementation and never going back.
A risk analysis only holds up if you refresh it whenever something changes, so plan on a formal security evaluation at least once a year and another whenever you add a system, a vendor, a communication channel or a workflow that touches ePHI.
Write down what you find, give each gap an owner and follow the fixes through until they are actually closed.
The review should reach every place ePHI lives, which in practice means your email platforms, collaboration tools and mobile devices, not just your clinical systems.
Implement technical safeguards
Encryption is the place to start, both at rest and in transit, because it is the one control that turns a lost laptop or an intercepted email into a non-event rather than a reportable breach.
From there, the safeguards that matter most are the ones that limit who can reach ePHI and how easily.
Multi-factor authentication on any system holding PHI stops a stolen password from becoming a full intrusion, and role-based access controls keep each employee inside the minimum necessary standard, so a billing clerk cannot pull up clinical notes they have no reason to see.
Automatic session timeouts on idle workstations close another common gap, the unattended screen in a shared space.
The harder part is keeping these controls consistent as the number of endpoints grows.
Telehealth, remote work and mobile access have pushed ePHI well past the office network, onto phones, home machines and connections you do not directly manage.
Endpoint security and remote-access policies need to reach all of them, because an investigator will judge your safeguards by the weakest device that touches patient data, not the best-protected one.
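The controls described here and in the earlier section on insufficient access controls and audit logs come down to three questions an investigator asks of every access record: did the user's role permit that record type (minimum necessary), did the user have a documented care relationship with the patient (or was this snooping), and was the account still supposed to be active (as in the Gulf Coast Pain Consultants case)? The following Python script is an added example, not code from the original article or from Jatheon, showing how a compliance team could run those three checks over an EHR access log. The roster, care-team map, role permissions and log lines are all constructed for illustration.

```python
"""Review a constructed EHR access-audit log for the failures OCR cites most:
reads outside the user's role, reads with no care relationship (snooping),
and reads by accounts that should have been deactivated.
"""
from dataclasses import dataclass
from datetime import date

# Minimum-necessary policy (constructed): record types each role may read.
ROLE_PERMISSIONS = {
    "physician": {"clinical_note", "lab_result", "demographics"},
    "nurse": {"clinical_note", "lab_result", "demographics"},
    "billing_clerk": {"demographics", "claim"},
}

# Workforce roster (constructed): role and termination date (None = active).
WORKFORCE = {
    "dr.adams": ("physician", None),
    "n.brown": ("nurse", None),
    "b.clark": ("billing_clerk", None),
    "j.doe": ("nurse", date(2024, 3, 1)),  # left the organization on this date
}

# Care relationships (constructed): users with a treatment, payment or
# operations reason to view each patient's record.
CARE_TEAM = {
    "P1001": {"dr.adams", "n.brown", "b.clark"},
    "P1002": {"dr.adams", "b.clark"},
}

# Sample audit log (constructed); one key=value entry per access event.
AUDIT_LOG = """\
2024-03-04T09:12:00 user=dr.adams patient=P1001 record=clinical_note action=read
2024-03-04T09:15:00 user=n.brown patient=P1002 record=clinical_note action=read
2024-03-04T10:02:00 user=b.clark patient=P1001 record=clinical_note action=read
2024-03-05T22:40:00 user=j.doe patient=P1001 record=lab_result action=read
2024-03-05T11:30:00 user=b.clark patient=P1002 record=claim action=read
"""


@dataclass
class Finding:
    timestamp: str
    user: str
    patient: str
    reason: str


def parse_line(line):
    """Turn 'TIMESTAMP key=value ...' into a dict with a 'timestamp' key."""
    timestamp, *fields = line.split()
    event = dict(field.split("=", 1) for field in fields)
    event["timestamp"] = timestamp
    return event


def review_audit_log(log_text):
    """Return one Finding per policy failure found in the log, in log order."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        ts, user = event["timestamp"], event["user"]
        patient, record = event["patient"], event["record"]
        event_date = date.fromisoformat(ts[:10])

        if user not in WORKFORCE:
            findings.append(Finding(ts, user, patient, "account not on workforce roster"))
            continue
        role, terminated = WORKFORCE[user]

        # Check 1: access by an account that should have been revoked.
        if terminated is not None and event_date >= terminated:
            findings.append(Finding(ts, user, patient, "access after termination (account not revoked)"))
            continue

        # Check 2: minimum necessary, the role must permit this record type.
        if record not in ROLE_PERMISSIONS.get(role, set()):
            findings.append(Finding(ts, user, patient, f"role '{role}' not permitted to read {record}"))

        # Check 3: no documented care relationship, the classic snooping pattern.
        if user not in CARE_TEAM.get(patient, set()):
            findings.append(Finding(ts, user, patient, "no documented care relationship (possible snooping)"))
    return findings


if __name__ == "__main__":
    for finding in review_audit_log(AUDIT_LOG):
        print(f"{finding.timestamp} {finding.user} -> {finding.patient}: {finding.reason}")
```

Run against the constructed log, the review flags the nurse reading a patient outside her care team, the billing clerk opening a clinical note, and the departed employee's account still reading lab results; the two legitimate accesses produce nothing. In a real deployment the roster and care-team data would come from the HR system and the scheduling or encounter tables rather than from literals, and the findings would feed the periodic audit-log review the Security Rule expects, with each one documented and assigned an owner.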
Train your workforce
Training is a HIPAA requirement at onboarding and at least once a year after that, but the organizations that get real value from it treat it as more than a box to check.
Generic compliance modules tend to wash over people because an abstract rule is easy to forget the moment someone is busy.
Training lands better when it shows what actually goes wrong and what it costs. The enforcement cases earlier in this article work well for exactly that, since a staff member who has seen what a snooping incident or a mishandled email led to for a real organization is far more likely to pause before making the same mistake.
It also helps to match the training to the job.
The front desk faces different risks than your IT administrators or billing teams, and a single one-size module rarely speaks to any of them well.
Tailoring the scenarios to each role makes the guidance concrete and easier to act on.
Whatever shape your program takes, document every session with attendance records. This is partly good practice and partly self-protection, because OCR will ask for that documentation during an investigation, and being able to show who was trained and when is often what separates a defensible position from a finding.
Establish communication compliance controls
Archive every channel that could carry PHI, which today means far more than email. Text messages, Teams and Slack threads, Zoom sessions and voicemail all fall in scope, and a gap in any one of them is a gap an investigator can find.
Set retention policies that meet HIPAA’s six-year minimum for covered entities, keep an audit trail of who accessed what and when, and make sure the whole archive can be searched and produced on demand rather than reconstructed under deadline.
This is the point where a dedicated healthcare communications archiving platform stops being a convenience and becomes part of your compliance posture. Jatheon Cloud captures and preserves communications across more than 25 channels in evidentiary-quality format, on WORM storage that can’t be altered after the fact, with role-based access spanning 60+ permission levels and retention policies you can enforce per channel.
Our AI assistant, Liya, lets a compliance officer query the archive in plain language and pull summaries directly from stored communications, while the AI-powered dashboard turns retention and access activity into reporting that holds up during an audit.
For a healthcare organization trying to show OCR that PHI is captured, retained and retrievable across every platform staff actually use, that combination closes the documentation, retention and compliance gaps that surface again and again in enforcement actions.
Develop and enforce a breach response plan
The Breach Notification Rule gives you 60 days from discovery to notify affected individuals and HHS when unsecured PHI is involved, and that clock starts whether or not you are ready for it.
The organizations that handle a breach well are the ones that decided how they would respond before anything happened.
Make sure staff know how to escalate a suspected violation the moment they spot it, since a delay at the front line eats into the same 60 days you need for everything else.
Name a breach response team, map out who does what and who notifies whom, and run through the plan in a tabletop exercise at least once a year so the gaps show up in practice rather than during a real incident.
OCR also weighs how an organization responded when it sets penalties, so a documented and tested process can mean the difference between a manageable outcome and a much larger one.
Conclusion
HIPAA enforcement has shifted in a way that should change how you think about risk.
OCR no longer waits for a catastrophic breach before it acts. Increasingly, it penalizes organizations for the gaps that made a breach possible in the first place, most often a risk analysis that was never done or never kept current. The cases in this guide ran from small clinics to large health systems and a business associate, and what tied them together was seldom a sophisticated attack. In case after case, the failing was a basic safeguard that should have been in place and simply wasn’t.
There is something reassuring in that pattern. The failures OCR penalizes tend to be preventable, and they yield to the same handful of measures applied consistently: a current risk analysis, working technical safeguards, trained staff, a compliant archive of every channel that carries PHI, and a breach response plan you have actually tested. None of this is exotic. The organizations that stay out of enforcement are usually the ones that treat compliance as ongoing work rather than a project they wrapped up years ago.
FAQ
What is the difference between a HIPAA violation and a HIPAA breach?
A HIPAA violation is any failure to comply with the Privacy, Security or Breach Notification Rules, such as a missing risk analysis, often with no patient data exposed at all. A breach is narrower and means the unauthorized access, use or disclosure of unsecured PHI. Every breach involves a violation, but many violations never become a breach, which is why OCR penalizes compliance gaps even when no patient information was exposed.
Can you go to jail for a HIPAA violation?
Yes. Criminal HIPAA cases are prosecuted by the Department of Justice and can carry up to ten years of imprisonment when someone obtains or discloses PHI with intent to sell it, transfer it or use it for personal gain. Lesser criminal tiers apply to knowingly obtaining or disclosing PHI and to acting under false pretenses, with shorter maximum terms and fines. Jail time is most common in cases of deliberate theft of patient data, often tied to identity fraud.
What should you do if you accidentally violate HIPAA?
Report it to your organization’s privacy or compliance officer as soon as you realize what happened, since prompt internal reporting is often what keeps a minor lapse from becoming a notification event. If the incident involves unsecured PHI and meets the definition of a breach, the Breach Notification Rule requires notice to affected individuals and HHS within 60 days of discovery. Acting quickly also matters because OCR weighs how an organization responded when it decides whether and how to penalize.
Who investigates and enforces HIPAA violations?
Civil enforcement sits with the HHS Office for Civil Rights, which investigates complaints, reviews reported breaches and issues settlements or civil money penalties. Criminal cases are referred to the Department of Justice. State attorneys general have separate authority to bring civil actions on behalf of their residents, and in large multi-state breaches, several may act together. So, a single incident can draw scrutiny from more than one of these at once.
How long do organizations need to retain HIPAA-related records?
Covered entities must keep documentation of their policies, procedures and compliance activities for at least six years, measured from the date a document was created or the date it was last in effect, whichever is later. This covers material such as risk analyses, training records, breach response documentation and access logs, all of which OCR may request during an investigation. State laws sometimes impose longer retention periods, so the six-year figure is a floor rather than a ceiling.