The most common HIPAA violation is the impermissible use or disclosure of protected health information (PHI). This has consistently topped the list of complaints investigated by the U.S. Department of Health and Human Services since HIPAA’s compliance date. It covers any situation where someone’s medical information is shared, accessed, or used without proper authorization or a valid legal reason.
The Top Five Violation Categories
HHS tracks complaint data cumulatively and ranks the most frequent compliance issues. As of September 2024, these are the top five categories in order of frequency:
- Impermissible uses and disclosures of PHI
- Lack of safeguards for PHI
- Lack of patient access to their own PHI
- Lack of administrative safeguards for electronic PHI
- Using or disclosing more PHI than necessary
These categories overlap in practice. A hospital employee who looks up a celebrity’s medical chart, for instance, commits an impermissible use. But the hospital that failed to restrict access to that chart also failed to maintain proper safeguards. A single incident can trigger violations across multiple categories.
What “Impermissible Use or Disclosure” Looks Like
This category is broad. It includes a staff member sharing a patient’s diagnosis with a coworker who has no treatment role, a clinic mailing records to the wrong address, or a provider discussing a patient’s condition in a public hallway where others can overhear. It also covers situations where health information is shared with an employer, a family member, or a third party without the patient’s written authorization.
One of the fastest-growing sources of impermissible disclosures is social media. A photo snapped in a treatment room can become a HIPAA violation the moment it’s uploaded if it reveals any health information, even unintentionally. A computer screen with patient data visible in the background counts. A picture of a patient’s injury counts if the person can be identified from tattoos, room numbers, or other contextual details, even if no name is attached.
In 2015, California’s Board of Registered Nursing revoked a nurse’s license after she posted images of a patient’s surgical wounds on Instagram. The patient wasn’t named, but identifying tattoos and a visible room number made identification possible. In 2019, Elite Dental Associates was fined $10,000 for disclosing a patient’s name, health condition, treatment plan, and insurance details while responding to a negative online review. Even when a patient posts something positive about their care, that does not give providers authorization to comment publicly about treating them.
Failing to Give Patients Their Own Records
The third most common violation category, denying patients timely access to their health records, has drawn aggressive enforcement in recent years. HHS launched its Right of Access Initiative specifically to address this problem and has settled at least 19 enforcement actions under the program. Fines in these cases have been relatively modest (one clinic paid $5,000), but they signal that the government treats delayed or denied record requests as a serious compliance failure, not a minor administrative hiccup.
Under HIPAA’s Privacy Rule, you’re entitled to a copy of your medical records, and the provider generally must respond within 30 days; a single 30-day extension is allowed only if the provider gives written notice of the delay and the reason for it within the original 30 days. Violations in this category often involve clinics that simply ignore requests, charge unreasonable fees, or drag the process out for months.
Lack of Safeguards
The second and fourth most common categories both involve insufficient safeguards: the Privacy Rule’s general safeguards standard, which covers PHI in any form, and the Security Rule’s administrative safeguards, which apply to electronic PHI. Together, they capture a huge range of failures: unlocked filing cabinets, unencrypted laptops, staff accounts without proper access controls, and missing audit logs that would track who viewed what.
Electronic safeguards get particular attention because the consequences of a digital breach scale quickly. A stolen unencrypted laptop with thousands of patient records creates far more exposure than a single misfiled paper chart. Organizations covered by HIPAA are expected to conduct regular risk assessments, implement access controls, and train employees on handling electronic health information securely.
The “Minimum Necessary” Rule
The fifth most common violation involves sharing more information than needed. HIPAA’s “minimum necessary” standard requires that when PHI is used or disclosed, only the smallest amount of information needed to accomplish the purpose should be shared. A billing department processing a claim doesn’t need a patient’s full psychiatric history. A referral to a specialist shouldn’t include unrelated lab results from five years ago.
This rule trips up organizations that use broad, default access settings or that copy entire medical files when only a portion is relevant. It’s less dramatic than a data breach but far more common in day-to-day operations.
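The safeguards and minimum-necessary categories above both come down to the same operational question: can the organization tell, from its own logs, who viewed which part of a chart and whether they had any business doing so. The block below is an added example, not code from the article or any EHR vendor, of the audit-log review that answers that question. It flags three things: a view of a record section the user’s role does not need (minimum necessary), a view by someone with no documented treatment relationship to the patient and no break-the-glass justification (the celebrity-chart case), and break-the-glass views that a privacy officer should verify after the fact. The log format, the role policy (`ROLE_ALLOWED_SECTIONS`), the care-team table (`CARE_TEAM`) and the sample log lines are all constructed assumptions for this example; a real deployment would derive the care team from encounters and use the EHR’s own audit schema.

```python
"""Review a constructed EHR access-audit log for HIPAA exposure.

Added example, not from the original article. Every identifier, policy and
log line here is an assumption made for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

# Record sections each role needs to do its job (constructed policy).
# This encodes the "minimum necessary" standard as a role-based allowlist.
ROLE_ALLOWED_SECTIONS = {
    "physician": {"demographics", "labs", "notes", "psych_notes", "meds"},
    "nurse": {"demographics", "labs", "notes", "meds"},
    "billing": {"demographics", "claims"},
    "scheduler": {"demographics"},
}

# Users with an active treatment or operations relationship to each patient
# (constructed; in practice derived from encounters or care-team assignments).
CARE_TEAM = {
    "P1001": {"dr.lee", "rn.ortiz", "bill.kim"},
    "P2002": {"dr.lee", "rn.ortiz"},
}

# Constructed audit lines. Format: ts|user|role|patient|section|action|justification
# The last field is free text entered for a break-the-glass access; empty otherwise.
SAMPLE_AUDIT_LOG = """\
2024-09-03T08:12:05Z|dr.lee|physician|P1001|notes|view|
2024-09-03T08:15:40Z|bill.kim|billing|P1001|claims|view|
2024-09-03T08:16:02Z|bill.kim|billing|P1001|psych_notes|view|
2024-09-03T09:01:11Z|rn.ortiz|nurse|P2002|meds|view|
2024-09-03T09:30:27Z|sched.ng|scheduler|P2002|notes|view|
2024-09-03T11:45:59Z|dr.patel|physician|P2002|labs|view|ED consult 2024-09-03
2024-09-03T12:02:13Z|dr.patel|physician|P2002|labs|print|
"""


@dataclass(frozen=True)
class Finding:
    user: str
    patient: str
    section: str
    severity: str  # "high", "medium" or "review"
    reason: str


def parse_line(line: str) -> dict:
    """Split one pipe-delimited audit line into a dict; raises on malformed input."""
    fields = [f.strip() for f in line.rstrip("\n").split("|")]
    if len(fields) != 7:
        raise ValueError(f"expected 7 fields, got {len(fields)}: {line!r}")
    keys = ("ts", "user", "role", "patient", "section", "action", "justification")
    return dict(zip(keys, fields))


def review(lines: Iterable[str]) -> list[Finding]:
    """Return findings in log order. Views, prints and exports are all checked,
    since a print or export is a disclosure just as much as an on-screen view."""
    findings: list[Finding] = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        user, patient, section = ev["user"], ev["patient"], ev["section"]

        # Minimum necessary: the role's allowlist does not include this section.
        allowed = ROLE_ALLOWED_SECTIONS.get(ev["role"], set())
        if section not in allowed:
            findings.append(Finding(user, patient, section, "medium",
                                    f"section '{section}' is outside the {ev['role']} role's minimum necessary"))

        # Treatment relationship: not on the care team for this patient.
        if user not in CARE_TEAM.get(patient, set()):
            if ev["justification"]:
                findings.append(Finding(user, patient, section, "review",
                                        f"break-the-glass access, verify justification: {ev['justification']}"))
            else:
                findings.append(Finding(user, patient, section, "high",
                                        f"{ev['action']} with no treatment relationship and no justification"))
    return findings


def count_by_severity(findings: Iterable[Finding]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in review(SAMPLE_AUDIT_LOG.splitlines()):
        print(f"[{f.severity:6}] {f.user} -> {f.patient}/{f.section}: {f.reason}")
```

On the constructed log this flags the billing clerk opening psychiatric notes, the scheduler opening clinical notes for a patient they have no relationship with, and the physician who justified one emergency lookup but then printed the same labs without recording a reason. The care-team table is the piece most organizations get wrong: if it is stale or too broad, the "no relationship" check never fires, which is exactly the default-access problem the minimum-necessary paragraph describes.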
What Penalties Look Like
HIPAA penalties are structured in four tiers based on how culpable the organization was. The 2024 inflation-adjusted amounts are:
- Tier 1 (didn’t know about the violation): $141 to $71,162 per violation, capped at roughly $2.13 million per calendar year
- Tier 2 (reasonable cause, not willful neglect): $1,424 to $71,162 per violation, same annual cap
- Tier 3 (willful neglect, but corrected within 30 days): $14,232 to $71,162 per violation, same annual cap
- Tier 4 (willful neglect, not corrected): $71,162 to $2,134,831 per violation, same annual cap
The jump between tiers is dramatic. An organization that genuinely didn’t know about a problem might pay as little as $141 per violation. One that knew and did nothing faces a minimum of $71,162 per violation, with annual exposure exceeding $2 million. Most enforcement actions settle for amounts well below the maximum, but multi-million-dollar penalties do happen in cases involving large-scale breaches or prolonged noncompliance.
Breach Notification Requirements
When a violation results in an actual breach of unsecured PHI, HIPAA triggers a set of notification requirements that carry their own penalties if ignored. The organization must notify every affected individual without unreasonable delay, and in no case later than 60 days after discovering the breach; the 60 days is an outer limit, not a target, and regulators have treated waiting until day 60 without reason as a violation in itself. If the breach affects 500 or more residents of a single state or jurisdiction, the organization must also notify prominent media outlets serving that area within the same 60-day limit. Breaches of 500 or more individuals also require direct notification to HHS at the same time as the individual notices, and no later than 60 days after discovery.
Smaller breaches (under 500 individuals) still require notification to affected individuals within the same 60-day limit, and to HHS, though the HHS report can be logged and submitted within 60 days after the end of the calendar year in which the breach was discovered rather than within 60 days of the breach. Failing to follow these notification rules is itself a separate HIPAA violation, which means an organization that mishandles a breach can face penalties both for the original incident and for the inadequate response.