Key Takeaways
- The most common HIPAA violations happen because of human error, poor system design, or lack of awareness—not intentional misconduct.
- Unauthorized access to patient records and improper disposal of PHI remain top risks for covered entities and business associates.
- Healthcare providers must ensure encryption, secure communication tools, and comprehensive employee training to stay HIPAA compliant.
- A documented risk assessment, clear incident response plan, and signed business associate agreements are non-negotiables under HIPAA regulations.
- Real-world HIPAA violation examples show the importance of proactive compliance planning across clinical, technical, and operational teams.
Every time you onboard a new vendor, store patient data, or let your team handle PHI, you’re taking a bet on compliance. Most days, it feels like everything’s under control—until a breach happens. And when it does, it's rarely because someone intended to break the rules. It’s because no one realized they already had.
HIPAA violations don’t usually come from dramatic leaks or bad actors. They come from small, overlooked details—an unsecured laptop, a well-meaning social media post, a forgotten risk assessment. And the fines, lawsuits, and brand damage that follow don’t care if it was an accident.
This article is your reality check. We’re not here to list rules—we’re here to walk through the most common (and costly) HIPAA violation examples that real healthcare organizations, providers, and startups face. You’ll learn what actually went wrong, what HIPAA expects, and how to build systems that keep your data, your team, and your patients safe.
If you’re responsible for protecting patient information, leading a HealthTech product, or managing compliance in a fast-moving environment, these are the mistakes you can’t afford to make.
Let’s get into them.
Example #1. Unauthorized Access to Patient Records
One of the most common HIPAA violations occurs when employees access medical records without proper authorization. Whether it’s curiosity, personal gain, or a misunderstanding of HIPAA privacy rule protections, these actions violate HIPAA laws and patient trust.
In one highly publicized case, multiple hospital employees accessed Britney Spears’ patient records without a valid reason. Not only did this breach protected health information (PHI), it also triggered investigations from the Office for Civil Rights (OCR), the primary enforcement arm of the Department of Health and Human Services.
Under the HIPAA privacy rule, only those involved in treatment, payment, or healthcare operations should access PHI. To remain HIPAA compliant, healthcare organizations must implement access controls, audit logs, and role-based restrictions. Regular employee training can also prevent unintentional HIPAA violations by making sure staff understand their responsibilities.
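To make the access-control and audit-log point concrete, the following is an added example (not code from this article or from any organization it names): record access is granted only for a treatment, payment or operations purpose the user actually has, every attempt is logged, and a review pass over an exported log flags accesses granted without a valid relationship. The care-team table, role table, user names and log lines are all constructed.

```python
# Added example (not code from the original article): the record-level control the
# paragraph describes. Treatment access needs a care-team link to the patient, payment
# or operations access needs that role; every attempt is audit-logged; a review pass
# over an exported log flags accesses granted to users with no valid relationship.
# The care-team table, role table and log lines are constructed sample data.
from collections import namedtuple

AuditEntry = namedtuple("AuditEntry", "ts user patient purpose allowed")

# Constructed: who has a treatment relationship with which patient record.
CARE_TEAM = {"pt-1001": {"dr.lee", "rn.park"}, "pt-2002": {"dr.ortiz"}}
# Constructed: roles that justify a non-treatment purpose for any record.
ROLE_PURPOSES = {"billing.kim": {"payment"}, "compliance.ng": {"operations"}}

def is_authorized(user: str, patient: str, purpose: str) -> bool:
    """Minimum-necessary check: treatment needs a care-team link, other purposes need the role."""
    if purpose == "treatment":
        return user in CARE_TEAM.get(patient, set())
    return purpose in ROLE_PURPOSES.get(user, set())

def open_record(log: list, ts: str, user: str, patient: str, purpose: str) -> bool:
    """Gate every access through is_authorized and log the outcome, allowed or denied."""
    ok = is_authorized(user, patient, purpose)
    log.append(AuditEntry(ts, user, patient, purpose, ok))
    return ok

def parse_audit_log(text: str) -> list:
    """Parse 'ts,user,patient,purpose,allowed|denied' lines from a system that logged but did not enforce."""
    entries = []
    for line in text.strip().splitlines():
        ts, user, patient, purpose, outcome = line.split(",")
        entries.append(AuditEntry(ts, user, patient, purpose, outcome == "allowed"))
    return entries

def review_log(entries: list) -> list:
    """Flag every access that was allowed although the user had no valid purpose for that record."""
    return [e for e in entries if e.allowed and not is_authorized(e.user, e.patient, e.purpose)]

# Constructed sample export; the third line is a nurse opening the chart of a patient they do not treat.
SAMPLE_LOG = """\
2024-03-01T09:00:00Z,dr.lee,pt-1001,treatment,allowed
2024-03-01T09:05:00Z,billing.kim,pt-2002,payment,allowed
2024-03-01T09:07:00Z,rn.park,pt-2002,treatment,allowed
2024-03-01T09:10:00Z,dr.ortiz,pt-1001,treatment,denied
"""

if __name__ == "__main__":
    for e in review_log(parse_audit_log(SAMPLE_LOG)):
        print(f"REVIEW: {e.user} opened {e.patient} for {e.purpose} without a valid relationship")
```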
Example #2. Improper Disposal of Medical Records
Throwing away old paper records or recycling old laptops might seem harmless—but if they contain individually identifiable health information, they must be securely destroyed.
Cornell Prescription Pharmacy learned this the hard way after dumping paper medical records into an unsecured dumpster, leading to a $125,000 fine. This violation of the HIPAA security rule put over 1,600 patients’ personal health records at risk.
HIPAA regulations require that covered entities use secure methods to dispose of physical and electronic protected health information (ePHI). That includes shredding documents, wiping hard drives, and ensuring all devices are properly decommissioned.

Example #3. Skipping Risk Assessments
A comprehensive, organization-wide risk analysis is a foundational requirement of the HIPAA Security Rule. Yet many healthcare organizations still skip or delay this critical step.
One insurer faced a $3 million penalty after OCR determined they hadn’t conducted a proper risk assessment, leaving critical security measures unaddressed. This risk analysis failure exposed electronic protected health information to potential compromise.
Regular risk assessments help organizations stay ahead of emerging threats and avoid HIPAA violation penalties. Risk management plans must be updated frequently, especially in today’s fast-moving healthcare industry.
Example #4. Inadequate Employee Training
Employees are often the first line of defense against HIPAA breaches—but only if they’re trained properly. In many cases, accidental HIPAA violations occur because staff don’t understand what constitutes a HIPAA breach or how to handle patient information.
Poor employee training has led to numerous HIPAA complaints and OCR investigations. In fact, the Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance for Calendar Year 2022 noted that employee errors remain a top contributor to reported violations, especially among healthcare providers expanding their digital infrastructure.
Training must be ongoing, role-specific, and compliant with current HIPAA standards. From front desk staff to developers, everyone handling PHI needs to understand their responsibilities.
Example #5. Data Breaches from Weak Security Controls
In today’s digital landscape, weak or outdated security measures are a leading cause of HIPAA breaches. Without password protection, multi-factor authentication, or proper encryption, ePHI is vulnerable to data breaches.
In 2022, a major healthcare provider experienced a breach that exposed the PHI of over 10 million patients. The root cause? Inadequate cybersecurity protections and the use of non-compliant systems.
The HIPAA Security Rule outlines technical, administrative, and physical safeguards that must be in place. Covered entities and business associates must stay ahead of these threats by performing vulnerability scans and keeping software and firewalls up to date.
Example #6. Delayed Breach Notifications
Under HIPAA’s breach notification rules, covered entities must report a breach of unsecured PHI within 60 days of discovery. Failure to notify affected individuals—and the Department of Health and Human Services—can compound penalties.
Delayed breach notifications are a common issue in HIPAA compliance. The HIPAA Journal notes that exceeding the 60-day deadline for issuing breach notifications is among the most frequent violations. The U.S. Department of Health and Human Services mandates that covered entities must notify the Secretary of breaches affecting 500 or more individuals without unreasonable delay and no later than 60 calendar days from the discovery of the breach.
An effective plan must include clear procedures for breach reporting, documentation, and public communication. Some organizations have also implemented tools that help self-report HIPAA violations and track resolution steps.

Example #7. Sharing PHI Through Non-Secure Channels
Texting patient data or emailing lab results through unencrypted channels may seem convenient, but it violates HIPAA rules. PHI transmitted over unsecured systems can be intercepted, leading to unauthorized disclosure.
In one breach, over 11,000 dental patient files were exposed online due to non-compliant file-sharing tools. While HIPAA doesn’t mandate encryption, the security rule requires a documented reason if it’s not used.
To remain HIPAA compliant, healthcare providers must use encrypted messaging platforms and secure video conferencing tools for discussing patient information. These safeguards also reduce the risk of identity theft.
Example #8. Missing Business Associate Agreements (BAAs)
Vendors that handle PHI on behalf of a covered entity—such as billing firms, IT contractors, or cloud storage providers—are considered business associates under HIPAA law. Without a signed BAA in place, both parties are in violation.
OCR has issued enforcement actions for BAAs that were outdated, incomplete, or missing altogether. In a notable case, Care New England Health System agreed to a $400,000 settlement for failing to update its BAA with Women & Infants Hospital of Rhode Island, leading to the impermissible disclosure of PHI.
A business associate agreement must outline how PHI will be protected and what happens in the event of a data breach. Covered entities must ensure that every third-party partner complies with the HIPAA Security Rule, the Privacy Rule, and all applicable standards of the Health Insurance Portability and Accountability Act.
Example #9. Social Media HIPAA Violations
Even well-meaning posts can result in HIPAA complaints. Sharing images, replying to patient reviews, or discussing cases on social media can unintentionally expose protected health information.
In one example, a dental office received a fine after responding to a Yelp review with PHI. Despite good intentions, the response violated the patient’s privacy rights under federal law.
To avoid these violations, healthcare professionals must follow clear internal policies that prohibit sharing patient information online. This applies even when the patient’s name isn’t mentioned—if the post includes any individually identifiable health information, it may violate HIPAA standards.

Example #10. No Incident Response Plan
If a HIPAA breach occurs and your organization has no response plan in place, the consequences can spiral. OCR penalizes not just the breach itself but also the lack of preparation.
Under the HIPAA Security Rule, covered entities and business associates are required to implement policies and procedures to address security incidents. This includes identifying and responding to incidents, mitigating harmful effects, and documenting the outcomes.
The Office for Civil Rights (OCR) further underscores the importance of having a comprehensive incident response plan. In its Cyber Attack Checklist, OCR provides guidance on steps to take following a cyber-related security incident, highlighting the need for executing response and mitigation procedures and contingency plans.
Without them, covered entities and business associates risk additional penalties, negative media coverage, and loss of trust.
Final Thought: HIPAA Compliance Is an Ongoing Commitment
The Health Insurance Portability and Accountability Act (HIPAA) wasn’t designed to make healthcare harder—it was designed to protect patient privacy and make the healthcare system safer. But compliance takes effort, education, and infrastructure.
Whether you're part of a hospital system, a HealthTech startup, or a growing provider group, your ability to avoid HIPAA violations depends on proactive planning. Implement security measures. Train your team. Review your vendors. Run your risk assessments. Be ready for audits.
At Momentum, we work with digital health innovators to embed HIPAA compliance directly into their products and operations. If you’re building something that handles PHI, don’t leave privacy to chance—build it in from the beginning.