The 10 Most Common HIPAA Violations (And How to Prevent Each One)
Article by
HIPAA Guidelines Editorial Team
Every year, the HHS Office for Civil Rights receives tens of thousands of complaints. The patterns are remarkably consistent. The same categories of violations appear again and again — and they are almost always preventable.
Here are the ten most common HIPAA violations, drawn from OCR enforcement data, along with specific steps to prevent each one.
1. Snooping on Patient Records
The violation: Employees access health records of family members, friends, co-workers, or celebrities without any legitimate treatment, payment, or operations reason.
How to prevent it:
- Implement role-based access controls that limit record access to patients in each employee's care
- Enable and regularly review audit logs for unusual access patterns
- Train staff that curiosity is not a legitimate reason to access records
- Apply and document sanctions for every violation
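As an added example of what "reviewing audit logs for unusual access patterns" looks like in practice (this is illustrative code, not from the article or any EHR vendor), the script below checks each access-log entry against a care-team roster and flags reads of records for which the user has no documented treatment, payment or operations relationship, plus after-hours access as a second signal. The log format, field names, roster and the 06:00 to 20:00 business-hours window are all constructed assumptions; a real review would pull the roster from the scheduling or ADT system and the log from the EHR's audit export.

```python
"""Review EHR access-log entries for accesses with no documented care
relationship, the pattern behind most record-snooping findings.

Added example: the log format, field names, roster and business-hours
window are constructed for illustration, not taken from a real EHR.
"""
import csv
import io
from collections import Counter

# Constructed roster: user -> set of patient IDs they are assigned to.
CARE_TEAM = {
    "nurse_a": {"P1001", "P1002"},
    "dr_b": {"P1002", "P1003"},
    "billing_c": {"P1001", "P1002", "P1003"},  # payment/operations role
}

# Constructed sample audit log export (timestamp,user,patient_id,action).
SAMPLE_LOG = """timestamp,user,patient_id,action
2024-03-01T08:02:11,nurse_a,P1001,view
2024-03-01T08:05:40,nurse_a,P1002,view
2024-03-01T12:17:03,nurse_a,P2042,view
2024-03-01T12:17:45,nurse_a,P2042,print
2024-03-01T13:30:00,dr_b,P1003,view
2024-03-01T14:01:22,billing_c,P1001,view
2024-03-01T22:45:09,dr_b,P9001,view
"""

BUSINESS_HOURS = range(6, 20)  # assumed 06:00-19:59 local time


def parse_log(text):
    """Parse the CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def find_unassigned_access(entries, roster):
    """Return entries where the user has no assignment to the patient."""
    flagged = []
    for e in entries:
        assigned = roster.get(e["user"], set())
        if e["patient_id"] not in assigned:
            flagged.append(e)
    return flagged


def find_after_hours_access(entries):
    """Return entries whose hour falls outside the business-hours window."""
    flagged = []
    for e in entries:
        hour = int(e["timestamp"][11:13])  # 'YYYY-MM-DDTHH:MM:SS'
        if hour not in BUSINESS_HOURS:
            flagged.append(e)
    return flagged


def summarize_by_user(flagged):
    """Count flagged accesses per user, for the reviewer's worklist."""
    return Counter(e["user"] for e in flagged)


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for e in find_unassigned_access(entries, CARE_TEAM):
        print(f"{e['timestamp']} {e['user']} {e['action']} {e['patient_id']}: "
              "no documented care relationship")
    for e in find_after_hours_access(entries):
        print(f"{e['timestamp']} {e['user']} {e['action']} {e['patient_id']}: "
              "after-hours access")
    print(summarize_by_user(find_unassigned_access(entries, CARE_TEAM)))
```

A flagged entry is a lead for the privacy officer, not proof of snooping: emergency (break-the-glass) access and float staff legitimately fall outside the roster, which is why each hit should be reconciled against the documented reason for access before any sanction is applied.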
2. Failure to Conduct a Risk Analysis
The violation: The organisation has never conducted — or has not updated — a comprehensive security risk analysis identifying threats and vulnerabilities to ePHI.
How to prevent it:
- Conduct a baseline risk analysis covering all systems that touch ePHI
- Update the analysis at least annually or whenever significant changes occur
- Document everything — the analysis itself, identified risks, and remediation plans
- Use the free HHS Security Risk Assessment Tool as a starting point
3. Missing or Incomplete Business Associate Agreements
The violation: Vendors, contractors, or subcontractors with access to PHI are operating without a signed BAA.
How to prevent it:
- Maintain a complete inventory of every vendor with PHI access
- Execute BAAs before any PHI is shared — not after
- Review BAAs annually to ensure they reflect current services and regulatory requirements
- Include subcontractor provisions as required by the Omnibus Rule
4. Failure to Provide Patients Access to Their Records
The violation: Patients request copies of their health information and the organisation fails to respond within the required 30-day period, charges excessive fees, or denies access without proper grounds.
How to prevent it:
- Establish a documented process for handling access requests
- Train front-desk and records staff on the 30-day deadline (with one 30-day extension if needed)
- Set reasonable fees for copies (cost of labour, supplies, and postage only)
- Track all requests from receipt to fulfilment
5. Improper Disposal of PHI
The violation: Paper records, hard drives, or other media containing PHI are discarded without proper destruction — thrown in bins, left in alleys, or sold without wiping.
How to prevent it:
- Shred all paper documents containing PHI (cross-cut shredding preferred)
- Degauss or physically destroy hard drives before disposal
- Use certified destruction vendors with chain-of-custody documentation
- Train custodial staff on PHI disposal requirements

6. Unencrypted Devices and Communications
The violation: Laptops, smartphones, USB drives, or emails containing PHI are unencrypted, exposing data if devices are lost or communications are intercepted.
How to prevent it:
- Enable full-disk encryption on all devices that store or access PHI
- Use encrypted email for any PHI transmission
- Implement mobile device management (MDM) for remote wipe capability
- Ban the use of personal devices for PHI access without approved encryption
7. Sharing PHI on Social Media
The violation: Staff post patient information, photographs, or identifying details on social media platforms — even with good intentions.
How to prevent it:
- Develop a clear social media policy that prohibits any PHI disclosure
- Train staff that even partial information can identify a patient
- Monitor social media for potential violations
- Apply sanctions consistently
8. Failure to Report Breaches
The violation: The organisation experiences a breach of unsecured PHI but fails to notify affected individuals, HHS, or the media within required timeframes.
How to prevent it:
- Develop and test a breach response plan
- Train all staff to recognise and report potential breaches immediately
- Establish clear escalation procedures from incident detection to notification
- Maintain breach notification templates ready for rapid deployment
9. Inadequate Access Controls
The violation: Systems containing PHI have shared login credentials, no role-based access, or former employees whose accounts remain active.
How to prevent it:
- Assign unique credentials to every workforce member
- Implement role-based access matching job responsibilities
- Disable accounts immediately upon employee termination
- Conduct quarterly access reviews
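The quarterly access review above is usually a reconciliation between an HR roster and a system account export. The added example below (illustrative code, not from the article or any HR or EHR product) flags the three findings that review is meant to surface: accounts with no matching workforce member (shared or orphaned logins), accounts still enabled after a termination date, and permissions beyond what the role-based matrix allows. The roster, the role-to-permission matrix and the account export are constructed assumptions.

```python
"""Quarterly access review: reconcile system accounts against the HR roster.

Added example: the roster, permission matrix and account export are
constructed for illustration, not exported from a real HR or EHR system.
"""
from datetime import date

# Constructed HR roster: user -> (job_role, termination_date or None).
HR_ROSTER = {
    "nurse_a": ("nurse", None),
    "dr_b": ("physician", None),
    "billing_c": ("billing", None),
    "temp_d": ("billing", date(2024, 1, 15)),  # left in January
}

# Constructed role matrix: the permissions each job role should carry.
ROLE_PERMISSIONS = {
    "nurse": {"chart_view", "chart_note"},
    "physician": {"chart_view", "chart_note", "order_entry"},
    "billing": {"claims_view"},
}

# Constructed account export: user -> (enabled, granted permissions).
ACCOUNTS = {
    "nurse_a": (True, {"chart_view", "chart_note"}),
    "dr_b": (True, {"chart_view", "chart_note", "order_entry"}),
    "billing_c": (True, {"claims_view", "chart_view"}),  # excess permission
    "temp_d": (True, {"claims_view"}),                   # terminated, still on
    "frontdesk": (True, {"chart_view"}),                 # shared, no HR record
}


def review_accounts(accounts, roster, role_permissions, today):
    """Return (user, finding) pairs for the reviewer to act on."""
    findings = []
    for user, (enabled, perms) in accounts.items():
        if user not in roster:
            findings.append((user, "no matching workforce member (shared or orphaned account)"))
            continue
        role, term_date = roster[user]
        if enabled and term_date is not None and term_date <= today:
            findings.append((user, f"account still enabled after termination on {term_date}"))
        excess = perms - role_permissions.get(role, set())
        if excess:
            findings.append((user, f"permissions beyond the {role} role: {sorted(excess)}"))
    return findings


if __name__ == "__main__":
    for user, finding in review_accounts(ACCOUNTS, HR_ROSTER, ROLE_PERMISSIONS, date(2024, 4, 1)):
        print(f"{user}: {finding}")
```

Each finding maps to a bullet above: the orphaned account violates unique credentials, the enabled terminated account violates immediate disablement, and the excess permission violates role-based access. Keeping the review's output as a dated record also provides the documentation OCR asks for.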
10. Lack of Workforce Training
The violation: Staff have never received HIPAA training, or training is outdated and does not reflect current policies or threats.
How to prevent it:
- Provide HIPAA training to all new hires before they access PHI
- Conduct annual refresher training for all workforce members
- Include specific training on current threats (phishing, ransomware, social engineering)
- Document every training session with attendance records
The Pattern
Nine of these ten violations share a common thread: they result from failures in basic compliance infrastructure — risk analyses, training, policies, and documentation. None require expensive technology or specialised expertise. They require discipline, consistency, and the organisational commitment to take compliance seriously.
The tenth violation — snooping — is a human behaviour problem that requires both technical controls (access restrictions, audit logs) and cultural change (training, sanctions, leadership by example).
HIPAA Guidelines Editorial Team: The editorial team at HIPAA Guidelines researches and writes authoritative guides on HIPAA compliance, privacy regulations, and healthcare data protection.