In February 2024, OCR settled with a healthcare provider for $4.75 million after an investigation revealed systemic failures across nearly every major HIPAA requirement — from risk analysis to workforce training to access controls. The case wasn't exceptional. It was a textbook example of the violations OCR encounters most frequently. If your organization wants to avoid a similar outcome, you need a clear HIPAA violations list that maps directly to the regulatory failures OCR is actively pursuing.

A Practical HIPAA Violations List Based on OCR Enforcement Patterns

OCR doesn't publish a single canonical violations list, but its enforcement actions and annual reports to Congress reveal consistent patterns. The violations below aren't theoretical — they represent the compliance breakdowns that have triggered investigations, corrective action plans, and civil monetary penalties under 45 CFR Part 160 and Part 164.

Here is the comprehensive HIPAA violations list every covered entity and business associate should internalize:

  • Failure to conduct an organization-wide risk analysis — This is the single most cited violation in OCR settlements. The Security Rule at 45 CFR § 164.308(a)(1)(ii)(A) requires a thorough assessment of risks to electronic protected health information (ePHI). Most organizations either skip this entirely, perform it once and never update it, or limit it to IT systems while ignoring clinical workflows.
  • Impermissible uses and disclosures of PHI — The Privacy Rule restricts how protected health information can be used or shared. Common failures include staff accessing patient records without a treatment, payment, or health care operations purpose, and disclosing PHI to unauthorized individuals, including family members, without a valid authorization or another permission the rule recognizes.
  • Lack of minimum necessary controls — Under the minimum necessary standard (45 CFR § 164.502(b)), your organization must limit PHI access to only what's needed for a specific task. Giving every employee unrestricted access to the full medical record system is a clear violation.
  • Insufficient access controls on ePHI — Shared logins, absent multi-factor authentication, and failure to terminate access for former workforce members appear repeatedly in OCR enforcement actions. The access control standard at 45 CFR § 164.312(a) requires unique user identification and emergency access procedures, and 45 CFR § 164.308(a)(3)(ii)(C) requires procedures for ending access when a workforce member leaves. One caveat: the Security Rule as currently in force does not name multi-factor authentication. When OCR cites its absence, the finding is a failure to manage an identified risk, not a violation of a specific MFA requirement.
  • Failure to provide timely breach notification — The Breach Notification Rule (45 CFR §§ 164.400-414) requires notification to affected individuals without unreasonable delay and in no case later than 60 calendar days after discovery. A breach is treated as discovered on the first day it is known, or reasonably should have been known, to anyone in the organization other than the person who committed it, so a slow internal escalation does not pause the clock. Breaches affecting 500 or more individuals must also be reported to HHS within the same window and announced to prominent media in the affected state. Late notifications, or failing to notify at all, have resulted in significant penalties.
  • Missing or deficient Business Associate Agreements (BAAs) — Every business associate relationship must be governed by a written agreement that meets the requirements of 45 CFR § 164.502(e) and § 164.504(e). OCR has settled multiple cases where covered entities failed to execute BAAs with vendors handling PHI.
  • Failure to provide the Notice of Privacy Practices — Patients must receive your Notice of Privacy Practices at their first service encounter. Failing to maintain, distribute, or update this document violates 45 CFR § 164.520.
  • Inadequate workforce training — The Privacy Rule (45 CFR § 164.530(b)) and the Security Rule (45 CFR § 164.308(a)(5)) both require training for all workforce members. A one-time orientation video from 2015 does not satisfy this obligation. Training must be role-specific, documented, and ongoing.
  • Lack of encryption on portable devices — Lost or stolen laptops, USB drives, and mobile devices containing unencrypted ePHI account for a large share of reported breaches. Encryption is an addressable specification (45 CFR § 164.312(a)(2)(iv) and (e)(2)(ii)), which does not make it optional: you must implement it where reasonable and appropriate, or document why it is not and implement an equivalent alternative measure. There is also a practical incentive. PHI encrypted in line with HHS guidance is not "unsecured PHI," so losing an encrypted laptop is not a reportable breach, while losing an unencrypted one is.
  • Failure to manage and respond to security incidents — 45 CFR § 164.308(a)(6) requires policies and procedures for identifying, responding to, and mitigating security incidents. Organizations that lack an incident response plan often compound the original violation with delayed breach notification.
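The access-control item above is the one most organizations can check mechanically. The script below is an added example, not code from the original page or from any HIPAA program it describes: it reconciles a constructed HR roster export against a constructed user-directory export from an ePHI system, and flags accounts that remain enabled after the owner's termination date, accounts used after termination, generic logins with no individual owner (a unique-user-identification problem), and accounts whose owner HR does not recognize. The field names, the `Account` shape, and the sample records are assumptions for illustration; real exports will need a small adapter.

```python
"""Offboarding and shared-login reconciliation for an ePHI system.

Added example with constructed inputs. Assumes two exports:
  1. an HR roster mapping person ID -> termination date (None = active), and
  2. a user-directory export from the ePHI system, one Account per login.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Account:
    username: str
    owner: Optional[str]        # HR person ID; None marks a generic/shared login
    enabled: bool
    last_login: Optional[date]  # None if the account has never logged in


@dataclass(frozen=True)
class Finding:
    username: str
    kind: str                   # shared_login | unknown_owner | post_termination_use | orphaned
    detail: str


# Constructed HR export (hypothetical person IDs).
HR_TERMINATIONS = {
    "E1001": None,              # still employed
    "E1002": date(2024, 3, 15), # terminated
    "E1003": date(2024, 5, 1),  # terminated
    "E1004": None,              # still employed
}

# Constructed ePHI user-directory export.
ACCOUNTS = [
    Account("jdoe", "E1001", True, date(2024, 6, 3)),          # active employee, fine
    Account("rlee", "E1002", True, date(2024, 4, 2)),          # terminated, enabled, used afterwards
    Account("mpatel", "E1003", True, None),                    # terminated, enabled, never used
    Account("asmith", "E1004", False, date(2023, 12, 1)),      # disabled, fine
    Account("nurse_station", None, True, date(2024, 6, 4)),    # generic shared login
    Account("ghost", "E9999", True, None),                     # owner unknown to HR
]

# Review date used by the stand-alone run below (constructed).
AS_OF = date(2024, 6, 10)


def review_access(accounts, terminations, as_of):
    """Return one Finding per account that fails the review; clean accounts produce none."""
    findings = []
    for acct in accounts:
        if acct.owner is None:
            findings.append(Finding(acct.username, "shared_login",
                                    "no individual owner; violates unique user identification"))
            continue
        if acct.owner not in terminations:
            findings.append(Finding(acct.username, "unknown_owner",
                                    f"owner {acct.owner} is not in the HR roster"))
            continue
        term_date = terminations[acct.owner]
        if term_date is None or not acct.enabled:
            continue  # active employee, or access already revoked
        if acct.last_login is not None and acct.last_login > term_date:
            # Worse than a dangling account: it was actually used after the person left.
            findings.append(Finding(acct.username, "post_termination_use",
                                    f"login on {acct.last_login} after termination on {term_date}"))
        else:
            days_open = (as_of - term_date).days
            findings.append(Finding(acct.username, "orphaned",
                                    f"still enabled {days_open} days after termination on {term_date}"))
    return sorted(findings, key=lambda f: (f.kind, f.username))


def summarize(findings):
    """Count findings by kind, the number a compliance officer would track over time."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = review_access(ACCOUNTS, HR_TERMINATIONS, AS_OF)
    for f in results:
        print(f"{f.kind:22s} {f.username:15s} {f.detail}")
    print(summarize(results))
```

Run it on a schedule, keep the output with the date it ran, and you have the documentation OCR asks for: evidence that the termination procedure is implemented, not just written. The `post_termination_use` findings are the ones to escalate to incident handling, since they may be a reportable event rather than a housekeeping gap.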

The Workforce Training Requirement Most Organizations Underestimate

Look at any HIPAA violations list and workforce training failures appear in nearly every major enforcement case, not as the headline violation but as an aggravating factor that makes every other violation worse. OCR's corrective action plans almost always include a training obligation, which reflects its position that an untrained workforce is a systemic risk, not just a policy gap.

Healthcare organizations consistently struggle with making training meaningful rather than performative. Checking a box once a year is not enough. Your workforce needs to understand how the Privacy Rule, Security Rule, and Breach Notification Rule apply to their daily responsibilities. This is exactly why investing in structured HIPAA training and certification is one of the highest-return compliance actions you can take.

Why Risk Analysis Tops Every HIPAA Violations List

Between 2016 and 2024, failure to perform a compliant risk analysis appeared in the majority of OCR resolution agreements. It is the foundational requirement of the Security Rule because every other safeguard — access controls, encryption decisions, contingency planning — depends on knowing where your risks are.

A compliant risk analysis under 45 CFR § 164.308(a)(1)(ii)(A) must be comprehensive, documented, and reviewed periodically, and it should be updated whenever the environment changes: a new system, a new vendor, a merger, or a security incident. It must cover every system that creates, receives, maintains, or transmits ePHI, not just the EHR. If your last risk analysis was a spreadsheet completed three years ago by a consultant who never returned, you have a problem OCR will find.

The Difference Between a Violation and an Investigation

Not every HIPAA violation results in a penalty. OCR uses a four-tier enforcement framework under 45 CFR § 160.404 based on the entity's culpability: the entity did not know and could not reasonably have known of the violation; the violation was due to reasonable cause; it was due to willful neglect but corrected within 30 days; or it was due to willful neglect and not corrected. Per-violation minimums start around $137 (the figures are adjusted for inflation each year), and the annual cap for repeated violations of the same provision exceeds $2 million in the most serious tier.

But here's what matters in practice: OCR investigations are triggered by breach reports, patient complaints, and compliance reviews. Once an investigation begins, every item on this HIPAA violations list becomes a potential finding. Organizations that fix one problem often discover they have five more.

How to Use This HIPAA Violations List to Strengthen Your Program

Print this list. Walk through each item with your compliance officer and your IT security lead. For every violation category, ask three questions: Do we have a written policy? Is that policy implemented in practice? Can we prove it with documentation?

If the answer to any of those is no, you've identified your priority. OCR doesn't expect perfection — it expects a good-faith, documented, ongoing effort to comply.

Start with risk analysis and workforce training because they are force multipliers. A proper risk analysis tells you where to focus resources. Proper training reduces the human errors that cause most breaches. If your team hasn't completed current training, HIPAA Certify's workforce compliance program provides the structured, role-based education OCR expects to see documented in your files.

Don't Wait for an OCR Investigation to Find Your Gaps

Every item on this HIPAA violations list has appeared in real enforcement actions with real financial consequences. The organizations that avoid penalties aren't the ones with zero vulnerabilities — they're the ones that identified their gaps, documented their remediation, and trained their people before OCR came asking questions. Your compliance program should do the same.