RiskWatch
HIPAA explainer

HIPAA violations: examples and how to report one

Common HIPAA violation examples by category, from impermissible PHI disclosure to missing risk analysis and lost devices, the civil penalty tiers in plain terms, and how to report a HIPAA violation through the HHS OCR complaint process.

The short version

What counts as a HIPAA violation?

A HIPAA violation is any failure by a covered entity or business associate to comply with the HIPAA Privacy, Security, or Breach Notification Rules. In practice, violations cluster into a few recurring categories: protected health information (PHI) going to the wrong place, a missing risk analysis, a vendor with no business associate agreement, an unencrypted device walking out the door, an employee viewing records they have no reason to see, a patient denied access to their own chart, and records thrown out without secure disposal. The examples below are described as categories, not as claims about any specific organization.

New to the law itself? Start with our overview of what HIPAA is, then come back here for what goes wrong and how the regulator handles it.

Updated . General educational guidance, not legal advice.

Common HIPAA violation examples, by category

Most enforcement activity and most real-world incidents fall into the categories below. Each names the situation in plain terms and the rule it touches.

01 · Impermissible use or disclosure of PHI

Sharing protected health information with someone who is not authorized to see it, or for a purpose HIPAA does not permit. This is the most common category and ranges from sending records to the wrong patient to discussing a case where it can be overheard.

02 · Missing or inadequate risk analysis

Failing to conduct, or to document, an accurate and thorough Security Rule risk analysis of threats to electronic PHI. This is the single artifact OCR asks for most often, and its absence is a recurring finding in enforcement actions.

03 · No business associate agreement

Letting a vendor create, receive, maintain, or transmit PHI without a signed business associate agreement (BAA) in place. The BAA is the contract that flows HIPAA obligations down to the vendor, and the chain must extend to subcontractors.

04 · Unencrypted lost or stolen devices

A laptop, phone, USB drive, or backup that holds unencrypted ePHI is lost or stolen. Encryption is an addressable Security Rule safeguard, and an unencrypted loss commonly becomes a reportable breach of unsecured PHI.

05 · Employee snooping

Workforce members accessing patient records they have no work reason to view, such as records of a family member, a coworker, or a public figure. This is an access-control and minimum-necessary failure, and audit logs usually make it visible after the fact.
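One way the "visible after the fact" part of that category plays out in practice is a retrospective review of EHR access logs against documented care relationships. The example below is added here and is not code from the page or from RiskWatch; the log format, the care-team roster, the coworker mapping and the high-profile flag are all constructed assumptions, and a real review would draw them from the EHR's audit trail and HR system.

```python
import csv
from io import StringIO

# Constructed sample EHR access log (not from any real system); the column names are assumptions.
ACCESS_LOG = """ts,user_id,patient_id,action
2024-03-01T09:02:11,u100,p5001,view
2024-03-01T09:05:40,u100,p5002,view
2024-03-01T12:14:03,u101,p7777,view
2024-03-01T13:30:55,u102,p5003,view
2024-03-01T13:31:20,u102,p9001,view
"""

# Constructed care-team assignments: which workforce members have a work reason to open which chart.
CARE_TEAM = {"p5001": {"u100"}, "p5002": {"u100"}, "p5003": {"u102"}}
# Constructed mapping of patients who are also workforce members (coworker charts).
EMPLOYEE_PATIENTS = {"p7777": "u103"}
# Constructed set of high-profile patients whose charts warrant extra scrutiny.
VIP_PATIENTS = {"p9001"}


def snooping_candidates(log_text=ACCESS_LOG):
    """Return accesses with no documented treatment relationship, each tagged with why it stands out."""
    findings = []
    for row in csv.DictReader(StringIO(log_text)):
        pid, uid = row["patient_id"], row["user_id"]
        if uid in CARE_TEAM.get(pid, set()):
            continue  # accessor is on the care team, so a work reason is documented
        reasons = ["no care-team relationship"]
        if pid in EMPLOYEE_PATIENTS:
            reasons.append("patient is a coworker")
        if pid in VIP_PATIENTS:
            reasons.append("high-profile patient")
        findings.append({"ts": row["ts"], "user_id": uid, "patient_id": pid, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in snooping_candidates():
        print(f["ts"], f["user_id"], "->", f["patient_id"], ";", ", ".join(f["reasons"]))
```

Each finding is a lead for the Privacy Officer to review, not a conclusion: a legitimate but undocumented reason (covering a shift, a consult) is the usual false positive, and the fix is to record the relationship, not to ignore the alert.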

06 · Failure to provide patient access

Not giving individuals timely access to their own records, charging more than a reasonable cost-based fee, or refusing a valid request. Patient right-of-access has been a stated OCR enforcement priority, so this category draws particular scrutiny.

07 · Improper disposal of PHI

Throwing paper records in a regular trash bin, or discarding old drives and devices without securely wiping the ePHI on them. PHI must be rendered unreadable before disposal, in any medium, paper or electronic.

How HIPAA penalties are tiered

The HHS Office for Civil Rights enforces HIPAA, and civil penalties are tiered by culpability: how much the organization knew, and whether it corrected the problem. Each tier carries its own per-violation amount and annual cap, which OCR adjusts for inflation each year.

Tier 1 · Did not know

The entity did not know, and by exercising reasonable diligence would not have known, that it violated the rule.

Tier 2 · Reasonable cause

The violation was due to reasonable cause and not willful neglect.

Tier 3 · Willful neglect, corrected

The violation was due to willful neglect but was corrected within the required time period.

Tier 4 · Willful neglect, not corrected

The violation was due to willful neglect and was not corrected within the required time period. This is the most serious tier.

Check the live numbers before quoting them. OCR republishes its inflation-adjusted penalty amounts annually, so any specific dollar figure is a snapshot. The most serious knowing misuse of PHI can also be prosecuted criminally by the Department of Justice. Always confirm current HHS guidance.

How to report a HIPAA violation

Anyone can report a suspected HIPAA violation to the federal regulator. The process is free and runs through the HHS Office for Civil Rights.

1. Try the internal channel first, if appropriate

   If you are a patient or an employee, the organization's Privacy Officer or compliance hotline is often the fastest path to a fix. The Notice of Privacy Practices lists how to raise a concern. This step is optional, not required, before going to the regulator.

2. File a complaint with the HHS Office for Civil Rights (OCR)

   OCR is the federal agency that enforces HIPAA. Anyone can file a complaint about a covered entity or business associate they believe violated the Privacy, Security, or Breach Notification Rules. Complaints are submitted through the OCR Complaint Portal.

   Note · File within 180 days

   A complaint must generally be filed within 180 days of when you knew, or should have known, that the act occurred. OCR may extend this window for good cause. File promptly to avoid a timeliness issue.

3. Include the who, what, and when

   Name the organization, describe what happened and when, and explain how you believe the rules were broken. You may file by name or anonymously, though OCR cannot follow up with you on an anonymous complaint.

4. OCR reviews, investigates, and resolves

   OCR screens the complaint, and where it opens an investigation it may seek voluntary compliance, a corrective action plan, or, for serious findings, a civil money penalty. Knowing criminal misuse of PHI can be referred to the Department of Justice.

File HIPAA complaints through the official HHS Office for Civil Rights complaint process. If you run the organization on the receiving end, the surest way to avoid being the subject of one is a documented, current compliance program; see HIPAA compliance assessment software.

Free download

HIPAA Security Checklist

The administrative, physical, and technical safeguards that close the most common HIPAA gaps, in a single working checklist you can run against your own program.

  • Administrative, physical, and technical safeguard checks
  • Risk-analysis and documentation prompts OCR looks for
  • Business associate agreement and vendor coverage
  • Device encryption, access control, and disposal items
  • A gap list you can hand to owners for remediation


Facing an audit, not just a complaint?

If your concern is an OCR audit rather than a single incident, our free preparation guide walks the policies, evidence, and risk analysis OCR asks for, and the findings teams most often need to pre-empt.
