Every year, the Office for Civil Rights (OCR) publishes its HIPAA enforcement results. The patterns are clear: most violations are preventable, and they stem from the same recurring issues.
In 2024 alone, OCR collected over $137 million in HIPAA violation settlements and fines. More importantly, these breaches affected millions of patients and damaged the reputations of healthcare organizations that worked years to build trust.
The good news? Most HIPAA violations aren't caused by sophisticated cyberattacks. They're the result of missing basic safeguards, incomplete documentation, and lack of awareness. That means they're entirely preventable with the right approach.
By the Numbers (2024)
The 8 Most Common HIPAA Violations
1. Lack of Risk Analysis
CriticalOrganizations failing to conduct comprehensive risk analyses or document their security assessments.
Real Example
In 2024, a healthcare provider was fined $240,000 for operating for years without conducting a risk analysis despite processing thousands of patient records daily.
Potential Impact:
$150,000 - $500,000 in fines
How to Prevent:
- Conduct annual risk analyses documenting all potential vulnerabilities
- Assess all locations where ePHI is stored, transmitted, or accessed
- Document findings and remediation plans in detail
- Update risk analysis when implementing new systems or processes
- Maintain records of all assessments for at least 6 years
2. Insufficient Access Controls
HighEmployees having unnecessary access to PHI, lack of unique user IDs, or missing role-based permissions.
Real Example
A medical center was fined $387,200 after an employee accessed celebrity patient records out of curiosity. The organization lacked proper access monitoring and controls.
Potential Impact:
$100,000 - $350,000 in fines
How to Prevent:
- Implement role-based access control (RBAC)
- Assign unique user IDs to every employee
- Apply the minimum necessary standard—only grant access needed for job functions
- Remove access immediately when employees leave or change roles
- Monitor and audit access logs for unusual patterns
- Implement automatic session timeouts
3. Missing or Inadequate Business Associate Agreements
CriticalFailing to execute proper BAAs with vendors who handle PHI or using outdated agreements.
Real Example
A healthcare system paid $2.15 million in settlements after using cloud vendors for years without signed Business Associate Agreements.
Potential Impact:
$1 million+ in settlements
How to Prevent:
- Identify all vendors and contractors who access PHI
- Execute compliant BAAs before allowing any PHI access
- Update BAAs to reflect current HIPAA requirements
- Include required language about safeguards, breach notification, and subcontractor agreements
- Review and renew BAAs annually
- Maintain a centralized repository of all executed BAAs
4. Lack of Encryption
HighFailing to encrypt ePHI at rest or in transit, making breaches more severe and requiring notification.
Real Example
A health plan was fined $1.55 million after unencrypted patient data on a stolen laptop compromised 9,000 individuals' information.
Potential Impact:
$500,000 - $1.5 million in fines
How to Prevent:
- Encrypt all ePHI at rest using AES-256 or equivalent
- Use TLS 1.2+ for data in transit
- Encrypt backup media and portable devices (laptops, USB drives)
- Implement full-disk encryption on all devices accessing ePHI
- Use encrypted email for PHI transmission
- Test encryption implementation regularly
5. Improper Disposal of PHI
MediumThrowing away paper records, disposing of devices without wiping data, or using inadequate disposal methods.
Real Example
A medical practice was fined $100,000 after patient records were found in a public dumpster during an office move.
Potential Impact:
$75,000 - $250,000 in fines
How to Prevent:
- Shred all paper documents containing PHI before disposal
- Use certified shredding services with certificates of destruction
- Wipe or physically destroy electronic media before disposal
- Use degaussing or incineration for particularly sensitive devices
- Document all disposal activities
- Train staff on proper disposal procedures
6. Unauthorized Disclosure of PHI
CriticalSharing PHI without proper authorization, posting on social media, or discussing patients in public areas.
Real Example
Hospital employees were fired and the facility fined $750,000 after posting about a patient's condition on social media.
Potential Impact:
$500,000 - $1 million+ in fines
How to Prevent:
- Train staff on what constitutes unauthorized disclosure
- Implement strict social media policies
- Prohibit discussing patients in public areas (elevators, cafeterias)
- Verify patient identity before discussing information
- Obtain proper authorization before releasing PHI to third parties
- Monitor and audit information disclosures
7. No Multi-Factor Authentication
CriticalMissing MFA on systems accessing ePHI, especially after January 2025 Security Rule updates.
Real Example
A telehealth platform breach compromised 1.2 million records due to stolen credentials. MFA would have prevented unauthorized access.
Potential Impact:
$200,000 - $600,000 in fines
How to Prevent:
- Implement MFA on all systems accessing ePHI (now mandatory)
- Use authenticator apps, hardware tokens, or biometrics
- Require MFA for remote access and admin accounts
- Test MFA implementation across all access points
- Document MFA policies and exceptions
- Enforce MFA—no exceptions for convenience
8. Failure to Provide Patient Access to Records
MediumNot responding to patient requests for medical records within 30 days or charging excessive fees.
Real Example
A provider was fined $85,000 for repeatedly failing to provide patients with their medical records despite multiple requests over several months.
Potential Impact:
$50,000 - $150,000 in fines
How to Prevent:
- Respond to access requests within 30 days (60 days in special circumstances)
- Establish a clear process for handling access requests
- Charge reasonable, cost-based fees only
- Provide records in requested format (electronic if available)
- Document all patient access requests and responses
- Train staff on patient rights and access procedures
Other Frequent Compliance Gaps
Inadequate Workforce Training
Not providing annual HIPAA training or documenting completion
Missing Breach Notification Procedures
No documented plan for identifying and responding to breaches
Insufficient Audit Controls
Not logging access to ePHI or reviewing logs for anomalies
Lack of Sanction Policy
No consequences for employees who violate HIPAA policies
Outdated Policies
Using policies that don't reflect current HIPAA requirements
Missing Notice of Privacy Practices
Not providing patients with required privacy notices
Building a Prevention Framework
The best defense against HIPAA violations is a proactive compliance program. Here's how to build one:
Assess Regularly
Conduct annual risk analyses and update them when systems change
Document Everything
If it's not documented, it didn't happen. Maintain detailed records of all compliance activities
Train Continuously
Provide annual training plus refreshers when policies change or incidents occur
Monitor Actively
Review audit logs, access patterns, and security alerts regularly
Update Proactively
Stay current with HIPAA changes and update policies accordingly
Test Frequently
Conduct tabletop exercises, breach drills, and security testing
Key Takeaways
- Most HIPAA violations are preventable with proper planning and documentation
- Missing risk analyses and inadequate BAAs are the costliest violations
- Employee error causes 68% of violations—training is critical
- Encryption significantly reduces breach impact and notification requirements
- Multi-factor authentication is now mandatory under 2025 Security Rule updates
- Documentation is your best defense during audits and investigations
- Regular monitoring and testing help identify issues before they become violations
Don't Learn the Hard Way
Every violation listed here cost real organizations hundreds of thousands or millions of dollars—not to mention damaged reputations, lost patient trust, and years of remediation work.
The cost of prevention is a fraction of the cost of a violation. Investing in proper risk analyses, training, and technical safeguards today will save you from catastrophic consequences tomorrow.