In February 2023, OCR settled with Banner Health for $1.25 million after a 2016 cyberattack exposed the protected health information of nearly 3 million individuals. OCR's findings centered not on the attacker's tradecraft but on basic program failures: no accurate and thorough risk analysis, insufficient review of information system activity, and missing authentication and transmission-security controls. If you've ever asked what's a HIPAA violation, this case is a textbook answer: any failure to comply with a standard or implementation specification of the Privacy, Security, or Breach Notification Rules under 45 CFR Part 164, whether or not PHI is actually exposed.

But the scope of what constitutes a violation is far wider than most healthcare organizations realize. Let me break it down.

What's a HIPAA Violation at Its Core?

A HIPAA violation occurs when a covered entity or business associate fails to meet any standard or implementation specification set out in the HIPAA Privacy Rule, Security Rule, or Breach Notification Rule. It doesn't require malicious intent. Negligence, ignorance, and even well-meaning mistakes all count.

OCR investigates violations triggered by individual complaints, breach reports, and compliance reviews. Between 2003 and 2024, OCR resolved over 340,000 cases — and the agency has collected more than $142 million in settlements and civil monetary penalties.

The Most Common Types of HIPAA Violations

In my work with covered entities of every size, the same categories of violations surface again and again. Here are the ones that generate the most OCR enforcement actions.

Failure to Perform a Risk Analysis

The Security Rule at 45 CFR § 164.308(a)(1)(ii)(A) requires every covered entity and business associate to conduct a thorough risk analysis of potential threats to electronic PHI. This single requirement appears in more OCR settlement agreements than any other. If your organization hasn't documented a current, comprehensive risk analysis, you are almost certainly in violation.

Unauthorized Access or Disclosure of PHI

Snooping in patient records, sharing protected health information without authorization, or failing to apply the minimum necessary standard when using or disclosing PHI — these are the violations OCR hears about most through individual complaints. A workforce member accessing a celebrity's medical record or a staff member texting patient details to a personal phone both qualify.

Missing or Inadequate Business Associate Agreements

Since the Omnibus Rule took effect in 2013, business associates are directly liable for HIPAA compliance. Yet organizations still share PHI with vendors — cloud providers, billing companies, IT contractors — without signed business associate agreements. Every instance is a separate violation.

Insufficient Workforce Training

The Privacy Rule at 45 CFR § 164.530(b) and Security Rule at 45 CFR § 164.308(a)(5) both mandate workforce training on HIPAA policies. OCR doesn't accept "we told them during orientation" as evidence of compliance. Your workforce needs documented, role-based training — and refresher education when policies change. A structured HIPAA training and certification program is the most reliable way to meet this requirement and build a defensible compliance record.

Failure to Provide a Notice of Privacy Practices

Every covered entity that provides direct treatment must give patients a Notice of Privacy Practices (45 CFR § 164.520) explaining how their PHI will be used and disclosed, deliver it no later than the first service delivery, and post it prominently at the service site and on any website it maintains about its services. Failing to maintain or distribute this notice, or using an outdated version, is a violation many small practices don't catch until OCR comes knocking.

HIPAA Violation Penalty Tiers You Need to Know

OCR applies a four-tier penalty structure established by the HITECH Act, with the dollar amounts adjusted for inflation each year. Under the 2023 adjustment, the tiers are:

  • Tier 1 — Lack of Knowledge: $137 to $68,928 per violation
  • Tier 2 — Reasonable Cause: $1,379 to $68,928 per violation
  • Tier 3 — Willful Neglect (Corrected): $13,785 to $68,928 per violation
  • Tier 4 — Willful Neglect (Not Corrected): $68,928 to $2,067,813 per violation

A statutory annual cap of $2,067,813 (inflation-adjusted) applies to identical violations of a single provision within a calendar year; under a 2019 Notice of Enforcement Discretion, OCR applies lower annual caps to Tiers 1 through 3 and reserves the full cap for Tier 4. Because the cap applies per calendar year, a gap left open for several years multiplies exposure. Criminal violations under 42 U.S.C. § 1320d-6, such as obtaining or disclosing PHI with intent to sell it or to use it for commercial advantage, personal gain, or malicious harm, carry penalties of up to $250,000 and ten years in prison.

Real OCR Enforcement Actions That Illustrate the Risk

Numbers on a penalty table don't convey the operational damage. Consider these cases:

  • Premera Blue Cross (2020): $6.85 million settlement for failing to conduct an enterprise-wide risk analysis, resulting in a breach affecting over 10.4 million people.
  • Breach notification failures: 45 CFR § 164.404 requires notifying affected individuals without unreasonable delay and no later than 60 days after a breach is discovered, and the clock starts at discovery, not at the end of the forensic investigation. OCR has penalized covered entities for missing that window even when the underlying breach itself was handled competently.
  • Right of Access Initiative: Since 2019, OCR has settled over 45 cases where organizations failed to provide patients timely access to their own medical records — with penalties ranging from $3,500 to $240,000.

These aren't edge cases. They represent the everyday compliance gaps that put your organization at risk.

How to Protect Your Organization from a HIPAA Violation

Prevention requires systematic effort, not one-time projects. Here's where to focus your compliance energy:

  • Conduct and document a risk analysis at least annually and whenever significant changes occur in your environment. The Security Rule does not fix a frequency, but a current, written analysis is the first document OCR requests after a breach report.
  • Implement role-based workforce training that covers the Privacy Rule, Security Rule, and your internal policies. Document completion dates and test comprehension.
  • Audit your business associate agreements at least once a year. Every vendor touching PHI needs a current, signed agreement.
  • Establish a breach response plan that meets the Breach Notification Rule's deadlines: notify affected individuals without unreasonable delay and no later than 60 days after discovery; report breaches affecting 500 or more individuals to OCR within that same 60-day window (and notify prominent media outlets when more than 500 residents of a state or jurisdiction are affected); log breaches affecting fewer than 500 individuals and report them to OCR within 60 days after the end of the calendar year in which they were discovered.
  • Enforce the minimum necessary standard in every workflow that involves PHI access, use, or disclosure.

Building a culture of compliance starts with giving your workforce the knowledge they need. HIPAA Certify's workforce compliance platform helps organizations document training, track certification, and demonstrate compliance readiness if OCR ever opens an investigation.

The Bottom Line for Your Covered Entity

Understanding what a HIPAA violation is isn't an academic exercise; it's the foundation of every compliance decision your organization makes. OCR's enforcement posture has only intensified, with breach investigations now routinely examining whether organizations had adequate safeguards in place before the incident occurred. The organizations that survive scrutiny are the ones that invested in documented risk analyses, current policies, and verified workforce training long before a complaint was filed.

Don't wait for an OCR letter to find out where your gaps are. Act now, train your workforce, and close the compliance holes that turn everyday mistakes into six-figure penalties.