A Single Stolen Laptop Cost This Health System $3.9 Million
In 2018, the University of Rochester Medical Center (URMC) settled with the Office for Civil Rights (OCR) for $3 million after failing to encrypt mobile devices containing electronic protected health information (ePHI). They knew about the risk. They'd had a previous breach involving an unencrypted flash drive. They still didn't fix it.
If you've ever searched "what violates HIPPA" — and yes, the common misspelling is how most people type it — you're asking the right question. The actual acronym is HIPAA (Health Insurance Portability and Accountability Act), and what violates it can range from a casually unlocked computer screen to a systemic failure to train your workforce. I've spent years watching organizations get blindsided by violations they never saw coming.
This post breaks down the most common violations that trigger OCR investigations, the real fines attached to them, and what your organization can do starting today to stay on the right side of the law.
The Misspelling That Millions of People Search For
Before we dive in, let's clear something up. "HIPPA" is the most common misspelling of HIPAA in search engines. Whether you typed "what violates HIPPA" or "what violates HIPAA," the answer is the same. The law is the Health Insurance Portability and Accountability Act of 1996, and it's enforced by the U.S. Department of Health and Human Services (HHS) through OCR.
Now let's talk about what actually gets organizations in trouble.
What Violates HIPAA? The Seven Most Common Triggers
1. Failing to Perform a Risk Analysis
This is the violation I see more than any other. OCR has cited failure to conduct an organization-wide risk analysis in the majority of its major enforcement actions. The HIPAA Security Rule requires every covered entity and business associate to identify where ePHI lives, how it moves, and what threatens it.
Most organizations either skip this step entirely or do it once and never update it. Both approaches violate HIPAA.
2. Unauthorized Access to Patient Records
Snooping is real. I've seen front-desk staff pull up a neighbor's medical record out of curiosity. I've seen nurses look up celebrity patients. Every single instance is a HIPAA violation.
In 2017, Memorial Healthcare System paid $5.5 million after employees used login credentials to access PHI of 115,000 individuals without authorization. The access went on for over a year before anyone caught it.
3. Lack of Workforce Training
Your staff doesn't need to be HIPAA experts. But they do need to understand what PHI is, how to handle it, and what happens when they don't. The Privacy Rule requires training for every member of your workforce — not just clinicians, but billing staff, IT contractors, volunteers, and anyone else who touches PHI.
If you haven't trained your team recently, our HIPAA Introduction Training 2026 course covers exactly what your workforce needs to know.
4. Impermissible Disclosures of PHI
Sharing patient information without authorization — or without a valid exception under the Privacy Rule — is one of the most straightforward violations. This includes faxing records to the wrong number, emailing PHI to the wrong person, or discussing a patient's condition in a public hallway where others can overhear.
It also includes posting anything identifiable on social media. I've personally investigated cases where a staff member shared a photo from inside a treatment room that included a patient's chart in the background. That's a violation.
5. Failure to Provide Breach Notification
When a breach of unsecured PHI occurs, the HIPAA Breach Notification Rule requires covered entities to notify affected individuals, HHS, and in some cases the media. The clock starts ticking the moment you discover the breach — or the moment you should have discovered it.
Missing these deadlines is itself a violation. Pretending a breach didn't happen is even worse. OCR has made it clear: the cover-up draws bigger penalties than the breach.
6. No Business Associate Agreement (BAA) in Place
If a third party handles PHI on your behalf — your cloud storage provider, your billing company, your shredding service — you need a signed Business Associate Agreement before they touch a single record. Operating without one violates the Privacy Rule and the Security Rule simultaneously.
I've reviewed organizations that had dozens of vendors accessing ePHI with no BAA in sight. Each missing agreement is a separate exposure point.
7. Not Implementing Access Controls
The Security Rule requires technical safeguards like unique user IDs, automatic logoff, and encryption. When everyone in the office shares one login, or when terminated employees still have active credentials, you've violated HIPAA.
The $1.9 Million Lesson Most Dental Offices Haven't Learned Yet
Small practices aren't exempt. In fact, OCR has increasingly targeted smaller covered entities to send a message. In 2019, a dental practice management company, Dental Associates, faced an OCR investigation after a breach revealed widespread compliance gaps. The settlement wasn't about the breach itself — it was about the systemic failures underneath it.
Small covered entities often assume HIPAA enforcement only targets hospitals and insurance companies. That assumption is dangerous. OCR's enforcement actions over the past several years show a clear pattern: no organization is too small to investigate.
Quick Answer: What Are the Most Common HIPAA Violations?
The most common HIPAA violations include failing to perform a security risk analysis, unauthorized access to PHI (snooping), lack of workforce training, impermissible disclosures of patient information, failure to issue timely breach notifications, missing Business Associate Agreements, and inadequate access controls on systems containing ePHI. Any of these can trigger an OCR investigation and result in fines ranging from $100 to over $2 million per violation category per year.
What Happens When OCR Comes Knocking
Most OCR investigations start with a complaint. A patient files one. A former employee files one. Sometimes a breach report triggers the review. Here's what I've seen happen next:
- Document requests: OCR asks for your risk analysis, training records, policies and procedures, BAAs, and breach logs. If you can't produce them, that itself becomes evidence of noncompliance.
- Interviews: OCR may interview staff to determine whether they understand HIPAA requirements. Untrained employees give answers that make compliance officers lose sleep.
- Corrective Action Plans: Even if you avoid a financial penalty, OCR can impose a multi-year corrective action plan that dictates how you run your compliance program. These are expensive, disruptive, and public.
- Civil Monetary Penalties: Under the HITECH Act's penalty tiers, fines can reach $2,067,813 per violation category per year. The HHS adjusts these annually for inflation.
The penalties are structured in four tiers based on the level of culpability, from "did not know" to "willful neglect — not corrected." You can review the full penalty structure on the HHS penalty information page.
Three Things You Can Do This Week
Run a Risk Analysis (or Update Your Existing One)
If your last risk analysis is more than 12 months old — or if you've never done one — this is your highest priority. Document every system, device, and workflow that touches ePHI. Identify threats. Assign risk levels. Create a remediation plan with deadlines.
Train Every Member of Your Workforce
Annual training isn't just a best practice. It's a regulatory expectation. New hires should complete training before they access any PHI. And the training must be documented. Our HIPAA training catalog offers courses designed specifically for covered entities and business associates looking to meet this requirement.
Audit Your Business Associate Agreements
Pull a list of every vendor that accesses, stores, transmits, or disposes of PHI on your behalf. Check each one for a current, signed BAA. If any are missing, get them signed immediately — or find a new vendor.
The Real Cost Isn't the Fine
I've talked to practice managers and compliance officers who fixate on the dollar amount of OCR settlements. Those numbers are significant. But the real damage is reputational. When your organization appears on the HHS Breach Portal — sometimes called the "Wall of Shame" — patients notice. Referral partners notice. Your board notices.
Understanding what violates HIPAA isn't about memorizing regulations. It's about building a culture where PHI protection is second nature. That starts with leadership commitment, continues with consistent training, and sustains through regular audits and honest self-assessment.
Every organization I've worked with that takes compliance seriously has one thing in common: they treat HIPAA not as a checkbox, but as a patient promise. Your patients trust you with their most sensitive information. The law simply makes sure you earn that trust every single day.