What Is a HIPAA Violation? Definition, Types, and Consequences

Last updated: March 21, 2026

TLDR

A HIPAA violation is any failure by a covered entity or business associate to comply with HIPAA's Privacy Rule, Security Rule, or Breach Notification Rule. Violations range from operational policy failures (no risk assessment, missing BAAs) to active breaches (unauthorized PHI disclosure). Civil penalties start at $100 per violation and reach $50,000 for willful neglect — with no exemption for small practices.

What Is a HIPAA Violation

A HIPAA violation occurs when a covered entity or business associate fails to comply with a requirement established by the Health Insurance Portability and Accountability Act of 1996 — specifically its implementing regulations: the Privacy Rule, the Security Rule, or the Breach Notification Rule.

Violations are not limited to data breaches. A practice can be out of compliance without any patient information ever being stolen or misused. Missing a required risk assessment, using a vendor without a Business Associate Agreement, or failing to document staff training are all violations, even if no PHI was actually disclosed.

The Three Rules That Can Be Violated

Privacy Rule — governs how PHI can be used and disclosed. Covers what information is protected, who can access it, under what circumstances it can be shared, and what rights patients have over their own information. Violations include unauthorized disclosures, sharing PHI without patient authorization, and failing to provide patients access to their records.

Security Rule — governs how electronic PHI (ePHI) must be protected. Requires covered entities to implement administrative, physical, and technical safeguards. Violations include missing encryption controls, lack of unique user identification, failure to conduct a risk analysis, and using non-compliant software to handle patient data.

Breach Notification Rule — requires covered entities to notify affected individuals, HHS, and in some cases the media when a breach of unsecured PHI occurs. Violations include failing to notify patients within 60 days of discovering a breach, or failing to report small breaches to HHS in the annual log.

Who Can Violate HIPAA

Covered entities are the primary subjects of HIPAA: healthcare providers who transmit health information electronically (which includes virtually every medical practice that bills insurance), health plans, and healthcare clearinghouses.

Business associates are vendors or service providers who handle PHI on a covered entity’s behalf — and since 2013, they are directly liable for compliance with the Security Rule and certain Privacy Rule requirements. A task management platform that stores patient care coordination notes, a billing company that processes claims, an EHR vendor — all are business associates and can be investigated and penalized directly.

A covered entity that fails to execute a BAA with a business associate violates HIPAA. The business associate that operates without one also violates HIPAA.

How OCR Discovers Violations

OCR receives around 50,000 HIPAA complaints annually. Most come from patients and former employees. The complaint portal at ocrportal.hhs.gov is publicly accessible and free to use.

Breaches are the second source. The Breach Notification Rule requires covered entities to report breaches to HHS — within 60 days for breaches affecting 500 or more individuals, and annually for smaller breaches. Every large breach filed triggers at least a preliminary review.

Proactive audits make up the third source. OCR’s audit program selects covered entities and business associates for desk audits and on-site reviews. Audit targets are selected based on size, complaint history, and prior enforcement actions.

Consequences for Small Practices

Small practices are not exempt from HIPAA enforcement. OCR has issued civil monetary penalties to solo practitioners, small clinics, and regional medical groups.

The civil penalty tiers:

| Tier | Culpability | Per-violation range | Annual cap |
|------|-------------|---------------------|------------|
| 1 | No knowledge | $100–$50,000 | $25,000 |
| 2 | Reasonable cause | $1,000–$50,000 | $100,000 |
| 3 | Willful neglect, corrected | $10,000–$50,000 | $250,000 |
| 4 | Willful neglect, not corrected | $50,000 | $1,900,000 |

Beyond fines, OCR can require a corrective action plan — a structured, monitored remediation program that can run for one to three years. Corrective action plans require regular reporting to OCR and can consume significant administrative time.

Criminal penalties exist for knowing, intentional violations: up to one year imprisonment for basic knowing disclosures, up to five years for violations under false pretenses, and up to ten years for violations committed for personal gain or malicious harm.

For a small practice, the more common financial exposure is the corrective action plan combined with legal and consulting fees — not the maximum statutory fine. Self-reporting violations and demonstrating a functioning compliance program consistently results in lower penalties.

PHIGuard gives small practices the documentation infrastructure to demonstrate a functioning compliance program: risk assessment tracking, BAA management, training records, and an incident log. Practice plan ($20/month, up to 10 staff) and Clinic ($49/month, up to 25 staff) — both include a BAA.

DEFINITION

Covered Entity
Under HIPAA, a covered entity is a healthcare provider that transmits health information electronically, a health plan, or a healthcare clearinghouse. All covered entities are subject to HIPAA's Privacy, Security, and Breach Notification Rules.

DEFINITION

Business Associate
A person or organization that performs functions or activities on behalf of a covered entity that involve the creation, receipt, maintenance, or transmission of PHI. Business associates are directly subject to HIPAA's Security Rule and certain Privacy Rule requirements.

DEFINITION

Willful Neglect
Conscious, intentional failure to comply with a HIPAA requirement — or reckless indifference to whether the requirement is being met. Willful neglect carries the highest civil penalty tier: a minimum of $10,000 per violation if corrected, and $50,000 per violation if not corrected.

Q&A

What is a HIPAA violation?

A HIPAA violation is any failure to comply with the HIPAA Privacy Rule, Security Rule, or Breach Notification Rule by a covered entity (healthcare provider, health plan, or clearinghouse) or a business associate. Violations can be administrative — missing policies, no risk assessment, inadequate staff training — or involve active unauthorized disclosure of protected health information.

Q&A

What are the four tiers of HIPAA violations?

HIPAA's civil penalty structure has four tiers based on culpability: (1) No knowledge — the entity didn't know and couldn't have reasonably known, $100–$50,000 per violation; (2) Reasonable cause — the entity should have known but had no willful neglect, $1,000–$50,000; (3) Willful neglect, corrected within 30 days, $10,000–$50,000; (4) Willful neglect, not corrected, $50,000 per violation with a $1.9 million annual cap.

Q&A

How does OCR discover HIPAA violations?

OCR discovers violations through three channels: (1) complaints filed by patients, employees, or other parties through the HHS complaint portal; (2) breach notifications submitted by covered entities as required by the Breach Notification Rule; and (3) proactive compliance audits conducted by OCR under the HIPAA Audit Program.

Want to learn more?

What is a HIPAA violation?
A HIPAA violation occurs when a covered entity — a healthcare provider, health plan, or clearinghouse — or one of its business associates fails to comply with a requirement of the HIPAA Privacy Rule, Security Rule, or Breach Notification Rule. Violations can be unintentional (a staff error) or willful (knowingly ignoring a requirement).
Who can commit a HIPAA violation?
Covered entities and their business associates. Covered entities are healthcare providers, health plans, and healthcare clearinghouses. Business associates are vendors or service providers who access PHI on behalf of a covered entity — including EHR vendors, billing companies, task management platforms with patient data, and email providers.
What is the penalty for a HIPAA violation?
Civil penalties range from $100 to $50,000 per violation, depending on the tier. The four tiers are: (1) no knowledge, $100–$50,000; (2) reasonable cause, $1,000–$50,000; (3) willful neglect, corrected, $10,000–$50,000; (4) willful neglect, not corrected, $50,000. Annual maximums per violation category range from $25,000 to $1.9 million.
Does OCR investigate small practices?
Yes. The Office for Civil Rights enforces HIPAA regardless of practice size. Solo practices, small clinics, and single-specialty groups have all received civil monetary penalties. Practice size can affect the penalty amount within a tier but does not determine whether an investigation occurs.
Is an unintentional HIPAA violation still a violation?
Yes, but the penalty tier is lower. HIPAA distinguishes between violations committed without knowledge (lowest tier), violations due to reasonable cause, and willful neglect. Even an honest mistake — emailing a patient's records to the wrong address — is a violation and must be documented and assessed for breach notification requirements.