In February 2023, OCR settled with Banner Health for $1.25 million after a breach affected nearly 3 million patients — the result of insufficient access controls and a failure to conduct an adequate risk analysis. It's one of the most visible answers to the question healthcare professionals keep asking: what is a violation of HIPAA, and how do organizations end up on the wrong side of enforcement?

Having worked with covered entities and business associates navigating these exact scenarios, I can tell you that most violations don't stem from malicious intent. They stem from gaps in training, documentation, and follow-through that compound over time.

What Is a Violation of HIPAA Under Federal Law?

A HIPAA violation occurs when a covered entity or business associate fails to comply with any provision of the HIPAA Privacy Rule, Security Rule, or Breach Notification Rule as codified in 45 CFR Part 164. That includes failures to safeguard protected health information (PHI), failures to provide patients with access to their records, and failures to notify individuals after a breach.

OCR — the Office for Civil Rights within HHS — is the primary enforcement body. Violations can be discovered through patient complaints, breach reports, or compliance audits. Penalties range from $100 per violation for unknowing infractions up to $50,000 per violation for willful neglect, with annual caps reaching $1.5 million per violation category under the penalty tiers established by the HITECH Act and updated by the Omnibus Rule.

The Most Common HIPAA Violations OCR Pursues

OCR's enforcement actions reveal clear patterns. These are the violations that show up repeatedly in resolution agreements and civil money penalties.

Failure to Perform a Risk Analysis

The Security Rule at 45 CFR §164.308(a)(1)(ii)(A) requires every covered entity and business associate to conduct an accurate and thorough risk analysis. This is the single most cited deficiency in OCR investigations. If your organization hasn't performed a comprehensive risk analysis — or hasn't updated it after significant changes to your environment — you're already in violation.

Unauthorized Access to PHI

Snooping in medical records is a textbook violation. When workforce members access patient records without a treatment, payment, or operations purpose, it violates the minimum necessary standard under the Privacy Rule. In 2022, a nurse at a New York hospital was terminated and reported to OCR after accessing celebrity patient records — an incident the organization was obligated to investigate and potentially report.

Failure to Provide Patient Access

Under 45 CFR §164.524, patients have the right to access their own PHI. OCR launched its HIPAA Right of Access Initiative in 2019 and has since settled more than 45 cases involving providers who failed to deliver records within 30 days or charged unreasonable fees. Penalties in these cases have ranged from $3,500 to $240,000.

Lack of a Business Associate Agreement

Every relationship with a business associate that involves access to PHI must be governed by a written business associate agreement (BAA). Sharing PHI with a vendor — a cloud storage provider, billing company, or IT contractor — without a BAA in place is a violation, full stop.

Improper Disposal of PHI

Paper records left in dumpsters, hard drives donated without being wiped, old servers sold on eBay — OCR has pursued enforcement actions in all these scenarios. Filefax Inc. paid $100,000 in 2015 for dumping medical records in an unsecured location. Your organization needs documented disposal policies that cover both physical and electronic media.

Workforce Mistakes That Trigger HIPAA Violations

Healthcare organizations consistently struggle with the human side of compliance. The most expensive breach is often the one caused by an untrained employee.

  • Texting PHI on personal devices without encryption or organizational authorization
  • Emailing patient information to the wrong recipient and failing to report the incident
  • Discussing patient cases in public areas, elevators, or cafeterias where unauthorized individuals can overhear
  • Sharing login credentials across team members, undermining audit controls required by the Security Rule
  • Posting on social media about patients — even without using names, if the patient is identifiable from context

Every one of these scenarios constitutes a potential violation. And under HIPAA, your organization — not just the individual — bears responsibility for ensuring your workforce understands the rules.

The Workforce Training Requirement Most Organizations Underestimate

The Privacy Rule at 45 CFR §164.530(b) requires that all workforce members receive HIPAA training. The Security Rule at 45 CFR §164.308(a)(5) adds security awareness training. Yet many organizations treat training as a one-time checkbox exercise during onboarding and never revisit it.

OCR expects training to be ongoing and relevant to each workforce member's role. A front-desk receptionist handling intake forms faces different risks than a systems administrator managing your EHR. Generic annual slide decks don't meet the standard when OCR comes asking for your training documentation.

Investing in comprehensive HIPAA training and certification ensures your workforce understands what a HIPAA violation looks like in practical, everyday terms — not just in abstract regulatory language.

How to Protect Your Organization From HIPAA Violations

Compliance isn't a project with a finish line. It's an ongoing operational requirement. Here's where your covered entity should focus:

  • Conduct and document a risk analysis annually — and whenever you adopt new technology, change vendors, or experience a security incident.
  • Implement access controls based on the minimum necessary standard. Not every employee needs access to every record.
  • Execute BAAs with every business associate before sharing any PHI. Audit existing vendor relationships for gaps.
  • Update your Notice of Privacy Practices to reflect current uses, disclosures, and patient rights — especially ahead of expected rulemaking changes in 2024-2025.
  • Document everything: training records, policy updates, risk analysis results, incident investigations. OCR evaluates what you can prove, not what you intended.

Penalties Are Escalating — Compliance Can't Wait

In fiscal year 2022, OCR collected over $2 million in HIPAA penalties. But the financial exposure extends beyond OCR fines. State attorneys general can bring independent enforcement actions under the HITECH Act. Class-action lawsuits following breaches routinely result in multimillion-dollar settlements. And the reputational damage to a healthcare organization can outlast any penalty.

Understanding what constitutes a HIPAA violation is the foundation. But knowledge without action creates liability. Your organization needs documented policies, trained staff, and a compliance program that can withstand scrutiny.

If you're ready to close the gaps in your compliance posture, HIPAA Certify's workforce compliance platform gives your team the tools to train, certify, and document — exactly the way OCR expects to see it done.