In February 2023, OCR announced a $1.3 million settlement with Banner Health after a hacking incident exposed the protected health information of nearly 3 million individuals. The root cause wasn't sophisticated malware — it was the failure to conduct an adequate enterprise-wide risk analysis. If you've ever wondered what a HIPAA violation looks like in practice, this case alone illustrates how foundational security failures translate into massive regulatory consequences.

Healthcare organizations consistently underestimate how many different ways a HIPAA violation can occur. Violations aren't limited to hackers and data breaches. They span everyday workforce behaviors, administrative oversights, and vendor management failures that OCR investigates every single day.

What Are Examples of HIPAA Violations OCR Actually Enforces?

OCR's enforcement actions provide the clearest picture of what constitutes a real-world HIPAA violation. These cases fall into recognizable patterns that every covered entity and business associate should study closely.

Failure to Perform a Risk Analysis

Under the Security Rule (45 CFR § 164.308(a)(1)), organizations must conduct a thorough and accurate risk analysis of potential vulnerabilities to electronic PHI. This is the single most cited deficiency in OCR settlements.

In 2018, Anthem Inc. paid $16 million — the largest HIPAA settlement in history — after a breach affecting 78.8 million people. OCR found that Anthem had failed to conduct an enterprise-wide risk analysis prior to the breach. Your organization cannot treat risk analysis as a one-time checkbox; it must be ongoing and comprehensive.

Impermissible Disclosures of PHI

The Privacy Rule (45 CFR § 164.502) restricts uses and disclosures of protected health information to the minimum necessary standard. Violations in this category are staggeringly common.

In one notable case, a hospital employee accessed and disclosed patient records of a family member involved in a custody dispute. In another, a provider's front desk staff discussed a patient's diagnosis in a public waiting area. These aren't edge cases — they are the kinds of impermissible disclosures OCR investigates routinely after individual complaints.

Lack of Workforce Training

45 CFR § 164.530(b) requires that covered entities train all workforce members on policies and procedures related to PHI. OCR has settled multiple cases where organizations simply could not demonstrate that training occurred.

In my work with covered entities, I've seen organizations assume that onboarding orientation covers HIPAA sufficiently. It rarely does. If you cannot produce documentation showing that every workforce member received role-appropriate training, you have an active compliance gap. Investing in a structured HIPAA training and certification program is one of the most cost-effective steps any organization can take to reduce violation risk.

Failure to Provide Access to Medical Records

Under the Privacy Rule's right of access provision (45 CFR § 164.524), patients have the right to obtain copies of their medical records. OCR launched a formal Right of Access Initiative in 2019 and has since settled over 45 cases involving providers who delayed or denied patient access.

Penalties in these cases have ranged from $3,500 to $240,000. Some involved providers simply ignoring repeated patient requests for months. Your organization needs a documented, time-bound process for responding to every access request within 30 days — or 60 days with a written extension.

Missing or Deficient Business Associate Agreements

The Omnibus Rule reinforced that covered entities must execute business associate agreements (BAAs) with every vendor that creates, receives, maintains, or transmits PHI on their behalf. Operating without a BAA is itself a HIPAA violation, regardless of whether a breach occurs.

OCR fined Raleigh Orthopaedic Clinic $750,000 in 2016 for handing over X-rays containing PHI to a third-party vendor without a BAA in place. If your vendor relationships haven't been audited for BAA coverage recently, this is a vulnerability waiting to be discovered.

Insufficient Breach Notification

The Breach Notification Rule (45 CFR §§ 164.400–414) requires covered entities to notify affected individuals, HHS, and in some cases the media, within 60 days of discovering a breach involving unsecured PHI. Late or incomplete notification is a separate, compounding violation.

Presence Health paid $475,000 in 2017 specifically because it waited over a month past the deadline to notify affected individuals after paper records containing PHI were found missing.

The Violations You Don't Hear About: Everyday Compliance Failures

High-profile settlements grab headlines, but the majority of HIPAA violations never result in public enforcement actions. They occur quietly inside organizations every day:

  • Texting PHI on personal devices without encryption or authorization
  • Sharing login credentials among staff to access EHR systems
  • Disposing of paper records in regular trash instead of shredding
  • Emailing PHI to the wrong recipient without encryption safeguards
  • Posting patient photos or identifiable information on social media
  • Failing to update the Notice of Privacy Practices when policies change

Each of these constitutes a potential HIPAA violation under the Privacy Rule or Security Rule. Many only surface during OCR investigations triggered by unrelated complaints or breach reports — at which point the organization faces scrutiny across its entire compliance posture.

How to Protect Your Organization From Common HIPAA Violations

Avoiding these violations requires more than good intentions. It requires documented, demonstrable compliance activities.

Conduct annual risk analyses. Not a gap assessment. Not a checklist. A proper risk analysis aligned with NIST SP 800-30 methodology that identifies threats, vulnerabilities, and likelihood of harm to electronic PHI.

Train every workforce member — and document it. This includes employees, volunteers, trainees, and contractors. Role-based training ensures that clinical staff, administrative personnel, and IT teams each understand the specific HIPAA requirements relevant to their functions. A comprehensive workforce HIPAA compliance platform can streamline this process and produce the audit-ready records OCR expects to see.

Audit your business associate relationships. Ensure every vendor with access to PHI has a current, signed BAA. Review these agreements annually, especially when service scopes change.

Implement and enforce sanctions. 45 CFR § 164.530(e) requires that covered entities apply appropriate sanctions against workforce members who violate HIPAA policies. If your sanction policy exists only on paper, it offers no real deterrent.

The Cost of Ignoring Violation Patterns

OCR's enforcement statistics tell a clear story. Between April 2003 and December 2023, HHS resolved over 340,000 HIPAA complaints and imposed over $142 million in civil monetary penalties and settlements. The patterns are consistent: risk analysis failures, workforce training gaps, access violations, and impermissible disclosures dominate the case record.

Understanding what HIPAA violations look like in practice is the first step. The organizations that avoid enforcement actions are the ones that study these patterns, implement controls proactively, and build a culture where compliance is operational — not aspirational. Your covered entity's next OCR interaction shouldn't be the moment you discover your gaps.