
10 HIPAA Violation Examples Small Practices Actually Encounter

Last updated: March 21, 2026

TLDR

The most common HIPAA violations in small practices aren't dramatic data breaches — they're operational habits: emailing PHI to the wrong person, using unencrypted text to coordinate patient care, sharing login credentials, or running tasks through tools that don't have a BAA. Each one can trigger an OCR investigation and civil penalties starting at $100 per violation.

What Counts as a HIPAA Violation

A HIPAA violation occurs when a covered entity — a medical practice, health plan, or clearinghouse — or one of its business associates fails to comply with the requirements of the Privacy Rule, Security Rule, or Breach Notification Rule.

Violations are not limited to data breaches. Operational failures, policy gaps, and routine staff habits can all constitute violations without any patient data being stolen or misused. The Office for Civil Rights (OCR) at HHS investigates complaints, conducts audits, and issues civil monetary penalties for non-compliance.

Small practices are covered entities subject to the same rules as large hospital systems. Practice size affects the amount of a fine, not whether enforcement applies.

10 Common HIPAA Violation Examples

  1. Emailing PHI to the wrong recipient. A staff member sends appointment details, test results, or billing information to the wrong patient email address — or CCs an unintended person. This is an impermissible disclosure. It often goes undiscovered for days or weeks.

  2. Staff accessing records without a treatment purpose. An employee looks up a patient’s record out of curiosity, to check on an acquaintance, or to share information with a family member. This violates the minimum necessary standard and the Privacy Rule’s use and disclosure requirements.

  3. Sending PHI over unencrypted text or personal email. Coordinating patient care via SMS, WhatsApp, or a personal Gmail account transmits PHI outside any encrypted, BAA-covered channel. This is a Security Rule violation even if no breach results.

  4. Using personal devices without BYOD controls. Staff accessing EHR systems or patient files from personal phones or laptops without mobile device management (MDM) software, remote wipe capability, or documented BYOD policies creates an uncontrolled access point for PHI.

  5. Leaving paper records unsecured. Patient files, printed schedules, or sign-in sheets left on unattended front desks, in unlocked filing rooms, or in areas accessible to other patients violate the Privacy Rule’s physical safeguard requirements.

  6. Disposing of records without shredding. Throwing paper records, printed patient lists, or sticky notes containing PHI in regular trash — rather than shredding or using a HIPAA-compliant disposal vendor — constitutes improper disposal.

  7. Sharing login credentials. Two staff members sharing a single EHR login, or a supervisor giving subordinates access to their account, eliminates the audit trail that HIPAA’s unique user identification requirement is designed to create.

  8. Using task management tools without a BAA. Running patient-related tasks through Asana, Trello, Monday.com, or a personal Slack workspace — without a signed Business Associate Agreement from the vendor — means PHI is flowing through an uncovered channel.

  9. Skipping the annual risk assessment. HIPAA’s Security Rule requires a documented risk analysis. Practices that conduct one initial assessment and never update it are out of compliance. This is the single most common deficiency in OCR enforcement actions.

  10. Failing to train staff on HIPAA policies. Every workforce member who handles PHI must receive HIPAA training at hire and annually thereafter. Missing training sessions or failing to document who was trained creates both a compliance gap and an enforcement liability.
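As an added example (not from the article and not PHIGuard code), the following Python script shows what the audit trail in item 7 looks like when it is actually inspected: it reconstructs per-account sessions from a constructed EHR audit log and flags any account that is active on two workstations at the same time, which is the footprint a shared login leaves. The log format, usernames and workstation names are all assumptions.

```python
# Added example (not PHIGuard code): flag shared EHR accounts from an audit log.
# A unique login only yields a usable audit trail when one account maps to one
# person; a shared login shows up as one account active on two workstations at
# once. Log format is assumed (constructed): "ISO-timestamp user workstation EVENT".
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log, not real data; jsmith overlaps, alee does not.
SAMPLE_LOG = """\
2026-03-02T08:01:10 jsmith WS-FRONT1 LOGIN
2026-03-02T08:05:42 jsmith WS-EXAM2 LOGIN
2026-03-02T08:40:00 jsmith WS-FRONT1 LOGOUT
2026-03-02T09:10:00 jsmith WS-EXAM2 LOGOUT
2026-03-02T08:02:00 alee WS-BILLING LOGIN
2026-03-02T12:00:00 alee WS-BILLING LOGOUT
2026-03-02T12:30:00 alee WS-FRONT1 LOGIN
2026-03-02T13:00:00 alee WS-FRONT1 LOGOUT
"""

def parse_sessions(log_text):
    """Pair each LOGIN with the next LOGOUT for the same (user, workstation).
    Returns {user: [(start, end, workstation), ...]}; a LOGIN that is never
    closed is kept with end=None so it still counts as active."""
    open_sessions, sessions = {}, defaultdict(list)
    for line in log_text.splitlines():
        ts, user, ws, event = line.split()
        when = datetime.fromisoformat(ts)
        if event == "LOGIN":
            open_sessions[(user, ws)] = when
        elif event == "LOGOUT" and (user, ws) in open_sessions:
            sessions[user].append((open_sessions.pop((user, ws)), when, ws))
    for (user, ws), start in open_sessions.items():
        sessions[user].append((start, None, ws))
    return sessions

def find_shared_accounts(log_text):
    """Return {user: [(workstation_a, workstation_b), ...]} for every account
    with time-overlapping sessions on two different workstations."""
    findings = defaultdict(list)
    for user, sess in parse_sessions(log_text).items():
        sess.sort(key=lambda s: s[0])  # order by session start
        for i, (start_i, end_i, ws_i) in enumerate(sess):
            for start_j, _, ws_j in sess[i + 1:]:
                # A later session begins elsewhere before this one has ended.
                if ws_i != ws_j and (end_i is None or start_j < end_i):
                    findings[user].append((ws_i, ws_j))
    return dict(findings)
```

Run against a real export, the same overlap test can be fed by whatever login/logout events the EHR's audit log exposes; an account that trips it repeatedly is a shared credential to investigate, not an audit trail.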

The Violations OCR Investigates Most

OCR’s enforcement priorities follow the violations that cause the most harm and reflect systemic compliance failures — not isolated accidents.

The top categories in OCR enforcement actions by case volume:

  • Impermissible uses and disclosures of PHI — the largest single category, covering unauthorized access, wrong-recipient disclosures, and sharing PHI without patient authorization.
  • Lack of safeguards for PHI — missing or inadequate technical, physical, or administrative safeguards for electronic PHI.
  • Lack of patient access — failing to provide patients with their records within the required 30-day window.
  • No documented risk analysis — the absence of a required written risk assessment.
  • Failure to execute BAAs — using vendors that handle PHI without a signed agreement.

Fines in the “reasonable cause” tier (violations the practice should have known about but didn’t) range from $1,000 to $50,000 per violation, with an annual cap of $100,000 per violation category. Willful neglect that goes uncorrected starts at $50,000 per violation with an annual cap of $1.9 million.

How to Avoid These Violations

Most violations in small practices trace back to three root causes: staff don’t know what PHI is or how it’s protected, the practice’s tool stack hasn’t been audited for BAAs, and there’s no documentation trail to show compliance during an audit.

The practical steps:

  • Conduct a documented risk assessment annually and update it when your tools or workflows change.
  • Audit your tools. Every platform that touches patient information needs a signed BAA on file.
  • Train staff at onboarding and once per year. Document who attended and what was covered.
  • Establish unique login credentials for every staff member — no shared accounts.
  • Set a policy for how patient information is communicated internally. Text messages and personal email are not acceptable channels.

PHIGuard’s compliance dashboard tracks risk assessments, BAA status, training records, and incident logs in one place. The audit trail is built into the workflow — so when a staff member completes training or a BAA is uploaded, it’s timestamped and retrievable. The Practice plan is $20/month for practices up to 10 staff; the Clinic plan is $49/month for up to 25 staff. Both include a signed BAA.


DEFINITION

Protected Health Information (PHI)
Any individually identifiable health information created, received, maintained, or transmitted by a covered entity or business associate — including patient names, appointment details, diagnoses, billing data, and any information that could identify a patient.

DEFINITION

Minimum Necessary Standard
A HIPAA Privacy Rule principle requiring covered entities to limit PHI access, use, and disclosure to the minimum amount necessary to accomplish the intended purpose. Staff should only access records relevant to their specific job function.

DEFINITION

Business Associate Agreement (BAA)
A required contract between a covered entity and any vendor or service provider that creates, receives, maintains, or transmits PHI on the entity's behalf. Without a signed BAA, using that vendor with PHI is a HIPAA violation.

Q&A

What are common examples of HIPAA violations?

Common HIPAA violation examples include: emailing PHI to the wrong patient or recipient; staff accessing records without a treatment-related purpose; sending patient information via unencrypted SMS or personal email; using task management tools without a BAA; sharing login credentials between staff; leaving paper records in unsecured areas; improper disposal of records without shredding; using personal devices without BYOD policies; failing to conduct annual risk assessments; and not training staff on HIPAA requirements.

Q&A

Which HIPAA violations result in the largest fines?

OCR's largest enforcement actions have targeted willful neglect — violations where the covered entity knew about the problem and failed to correct it. The highest-penalty categories include failure to conduct a risk analysis, impermissible disclosure of PHI, failure to implement safeguards, and lack of a breach notification process. Willful neglect with no correction carries a minimum penalty of $50,000 per violation.

Q&A

Does using a task management tool without a BAA count as a HIPAA violation?

Yes. If staff use a platform like Asana, Trello, Slack, or Monday.com to coordinate care tasks that involve PHI — patient names, appointment details, treatment information — and the vendor hasn't signed a BAA, the practice is in violation of the HIPAA Security Rule. This applies even if the tool isn't a medical system.

Want to learn more?

What is the most common HIPAA violation in small practices?
Unauthorized disclosure of PHI is the most frequently cited violation in OCR enforcement actions. This includes sending patient information to the wrong recipient, texting PHI without encryption, and staff accessing records without a treatment-related reason.
Can small practices be fined for HIPAA violations?
Yes. Practice size is not a factor in whether OCR investigates or fines a covered entity. Solo practices and single-physician clinics have received civil monetary penalties. The minimum fine for unknowing violations is $100 per incident; willful neglect starts at $10,000.
Is using Slack or Trello for patient coordination a HIPAA violation?
It can be. If staff use a tool like Slack (without Enterprise + BAA), Trello, or a personal Asana account to coordinate tasks involving PHI, and no BAA is in place, that constitutes a HIPAA violation. The tool doesn't need to store patient records — if PHI passes through it, a BAA is required.
Does sharing login credentials violate HIPAA?
Yes. HIPAA's Security Rule requires unique user identification for every person accessing electronic PHI. Shared credentials make it impossible to audit who accessed what — a direct technical safeguard violation.
What happens if a practice reports its own HIPAA violation?
Self-reporting can result in reduced penalties. OCR's tiered penalty structure gives weight to good faith compliance efforts. Practices that discover and self-report violations, document corrective actions, and can show a functioning compliance program typically receive lower fines than those discovered through external complaints.
