10 HIPAA Violations That Cost Real Money — and How to Prevent Every One
These are not hypothetical risks. Every violation on this list has resulted in real enforcement action with real fines. Here is what went wrong, how much it cost, and exactly what to do differently.
VertiComply Team
April 20, 2026
15 min read
Between 2019 and 2025, the Office for Civil Rights (OCR) collected over $130 million in HIPAA penalties. Not from hospital data breaches or dramatic hacking incidents. From everyday compliance failures that any healthcare software company can make — missing risk assessments, unencrypted databases, forgotten vendor agreements.
If you are building a healthcare application, every one of these violations applies to you. And the penalties do not scale down for small companies. A two-person telehealth startup pays the same per-violation fine as a hospital chain.
OCR received over 30,000 HIPAA complaints in 2024 alone. They do not need a data breach to investigate you. A single patient complaint about how your app handles their data is enough.
Here are the ten most common violations, ranked by how frequently they lead to enforcement action, with the actual penalty amounts and exactly what to build into your software to prevent each one.
The 10 Violations
1. Failure to Conduct a Risk Assessment
Premera Blue Cross: $6.85M settlement. Had not conducted an adequate risk assessment despite processing millions of health records. OCR found they had no documentation of security risks.
How to prevent:
Conduct a formal risk assessment before launching and annually after
Document every identified risk with severity and likelihood ratings
Create a remediation plan with deadlines for each risk
Use a standardized framework (NIST SP 800-30 or HIPAA Security Risk Assessment Tool)
2. No Encryption on PHI
Advocate Medical Group: $5.55M settlement. An unencrypted laptop containing 4 million patient records was stolen from an employee's car. The data had no encryption at rest.
How to prevent:
AES-256 encryption for all data at rest (database, files, backups)
TLS 1.2+ for all data in transit (API calls, web traffic)
Encrypt field-level PHI (SSN, diagnosis, DOB) — not just the disk
Never store PHI in plain text, logs, or error messages
3. Unauthorized Access to Patient Records
UCLA Health: $865,000 settlement. Employees repeatedly accessed celebrity patient records without authorization. No technical controls prevented the snooping.
How to prevent:
Role-based access control (RBAC) — staff see only what their role requires
Audit logging of every record access with user, timestamp, and reason
Automated alerts for unusual access patterns (bulk downloads, off-hours)
Regular access reviews — revoke permissions when roles change
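As an added illustration of the alert rules above (not code from the original post), this script flags bulk record access and off-hours access over a few constructed audit lines; the log format, the 10-minute window, the 3-record threshold and the 07:00-19:00 business hours are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

BULK_THRESHOLD = 3            # distinct patient records per window (assumed policy)
WINDOW = timedelta(minutes=10)
BUSINESS_HOURS = (7, 19)      # 07:00-19:00 local; anything else is off-hours (assumed)

# Constructed sample audit lines: "<iso timestamp> <user> <action> <patient_id>"
SAMPLE_LOG = """\
2026-04-20T09:12:03 nurse_a VIEW P-1001
2026-04-20T09:14:40 nurse_a VIEW P-1002
2026-04-20T02:31:10 billing_b VIEW P-2201
2026-04-20T10:00:01 analyst_c EXPORT P-3001
2026-04-20T10:00:02 analyst_c EXPORT P-3002
2026-04-20T10:00:03 analyst_c EXPORT P-3003
2026-04-20T10:00:04 analyst_c EXPORT P-3004
"""

def parse(log_text):
    """Yield (timestamp, user, action, patient_id) for each non-empty line."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, action, pid = line.split()
        yield datetime.fromisoformat(ts), user, action, pid

def detect(log_text):
    """Return a sorted list of (rule, user) alerts raised by the log."""
    alerts = set()
    per_user = defaultdict(list)
    for ts, user, action, pid in parse(log_text):
        # Off-hours rule: any PHI access outside business hours is flagged
        if not BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]:
            alerts.add(("off_hours", user))
        per_user[user].append((ts, pid))
    for user, events in per_user.items():
        events.sort()
        # Bulk rule: sliding window over each user's events, counting distinct
        # records touched within WINDOW of the window's first event
        for i, (start, _) in enumerate(events):
            window = {pid for ts, pid in events[i:] if ts - start <= WINDOW}
            if len(window) > BULK_THRESHOLD:
                alerts.add(("bulk_access", user))
                break
    return sorted(alerts)
```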
4. No Business Associate Agreement
North Memorial Health Care: $1.55M settlement. Shared PHI with a major contractor without a signed BAA. The contractor had access to patient data for over a year without any agreement.
How to prevent:
Sign a BAA with EVERY vendor that touches PHI (cloud, email, analytics)
Verify BAAs are signed BEFORE sharing any patient data
Include breach notification obligations and security requirements in each BAA
Review BAAs annually — update when vendor services change
5. Improper Disposal of PHI
FileFax: $100,000 settlement. Medical records were found in an unlocked dumpster outside a closed medical records storage facility. The records contained PHI of thousands of patients.
How to prevent:
Implement secure data deletion (crypto-shredding or DoD 5220.22-M overwrite)
Database: use CASCADE DELETE with confirmation, not just soft-delete
Backups: encrypted with automatic expiration
Physical: cross-cut shredding for any printed PHI
6. Failure to Notify Within 60 Days
Presence Health: $475,000 settlement. Discovered a breach affecting 836 patients but waited 101 days to notify — 41 days past the HIPAA deadline.
How to prevent:
Documented incident response plan with clear timelines
Automated breach detection (failed login spikes, bulk data access)
Within 60 days of discovery: notify affected individuals; if 500+ individuals are affected, also notify OCR within the same window
Under 500 records: log and report to OCR in annual submission
7. No Audit Controls or Logging
Multiple OCR enforcement actions cite lack of audit logs as an aggravating factor. Without logs, you cannot prove who accessed what data, making it impossible to investigate breaches or demonstrate compliance.
How to prevent:
Log every PHI access: who, when, what record, from where
Log every modification and deletion with before/after values
Immutable audit trail — users cannot delete their own access logs
Retain logs for minimum 6 years (HIPAA requirement)
8. Minimum Necessary Violation
Memorial Hermann Health System: $2.4M settlement. Disclosed a patient's name in a press release about an arrest — more PHI than was necessary for any legitimate purpose.
How to prevent:
API responses return only fields the requesting role needs
Database queries use SELECT specific columns, never SELECT *
Different API endpoints for different access levels
Default-deny: new features start with no PHI access, add explicitly
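An added example (not from the original post) of the minimum necessary rules above: a per-role field allow-list that is default-deny, applied both to filtering an API response and to building an explicit column list instead of SELECT *. The roles, field names and sample record are constructed assumptions.

```python
# Allow-list of PHI fields per role. A role missing from this map, or a field
# missing from its set, is denied: new roles and new fields start with nothing.
FIELD_POLICY = {
    "scheduler": {"patient_id", "name", "next_appointment"},
    "nurse": {"patient_id", "name", "dob", "allergies", "diagnosis"},
    "billing": {"patient_id", "name", "insurance_id"},
}

# Constructed sample record holding more fields than any single role needs
SAMPLE_RECORD = {
    "patient_id": "P-1001",
    "name": "Jane Doe",
    "dob": "1980-01-01",
    "ssn": "000-00-0000",          # listed for no role, so never returned
    "allergies": ["penicillin"],
    "diagnosis": "J45.20",
    "insurance_id": "INS-42",
    "next_appointment": "2026-05-01",
}

class AccessDenied(Exception):
    pass

def minimum_necessary(record, role):
    """Return only the fields the role is allowed to see.

    Unknown roles raise instead of falling through to a permissive default.
    """
    allowed = FIELD_POLICY.get(role)
    if allowed is None:
        raise AccessDenied(f"no field policy for role {role!r}")
    return {k: v for k, v in record.items() if k in allowed}

def select_columns(role, table="patients"):
    """Build an explicit column list for the role rather than SELECT *.

    Column names come from the trusted policy map, never from the request.
    """
    cols = sorted(FIELD_POLICY.get(role, ()))
    if not cols:
        raise AccessDenied(f"no field policy for role {role!r}")
    return f"SELECT {', '.join(cols)} FROM {table} WHERE patient_id = %s"
```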
9. Lost or Stolen Unsecured Devices
The University of Rochester Medical Center: $3M settlement. Multiple incidents of lost flash drives and a stolen laptop — all unencrypted, all containing PHI.
How to prevent:
Full-disk encryption on all devices that access PHI
Remote wipe capability for mobile devices
Multi-factor authentication for all PHI access
Enforce session timeout after 15 minutes of inactivity
10. No Staff Training Program
Multiple settlements cite inadequate workforce training. OCR considers training a core requirement — not having a documented program is itself a violation, regardless of whether a breach occurs.
How to prevent:
Annual HIPAA security training for all workforce members
Document completion with dates and signatures
Include phishing awareness and social engineering scenarios
New hire training within 30 days of start date
HIPAA Penalty Tiers
HIPAA penalties follow a four-tier structure based on the level of culpability. These tiers apply per violation, and violations can be counted per patient record affected.
| Tier | Culpability | Per Violation | Annual Max |
|---|---|---|---|
| 1 | Did not know (and could not have known) | $100 - $50,000 | $25,000 |
| 2 | Reasonable cause (not willful neglect) | $1,000 - $50,000 | $100,000 |
| 3 | Willful neglect — corrected within 30 days | $10,000 - $50,000 | $250,000 |
| 4 | Willful neglect — NOT corrected | $50,000+ | $1,900,000 |
Criminal Penalties
HIPAA violations can also result in criminal prosecution. Knowingly obtaining or disclosing PHI can result in a fine of up to $50,000 and one year in prison. If done under false pretenses, up to $100,000 and 5 years. If done for commercial advantage or malicious harm, up to $250,000 and 10 years.
Prevention Checklist for Healthcare App Developers
If you are building a healthcare application, here is the minimum set of technical safeguards based on the full HIPAA compliance checklist. Each item directly prevents one or more of the violations listed above.
AES-256 encryption at rest + TLS 1.2 in transit (prevents #2, #9)
Role-based access control with minimum necessary principle (prevents #3, #8)
Immutable audit logging of all PHI access (prevents #7)
Documented risk assessment, updated annually (prevents #1)
Signed BAAs with all vendors before sharing data (prevents #4)
Automated breach detection + 60-day notification process (prevents #6)
Secure data deletion procedures (prevents #5)
Session timeout + MFA for all authenticated access (prevents #9)
Annual security training with documented completion (prevents #10)
Build It In From The Start
Retrofitting compliance is 10x more expensive than building it in from the beginning. Platforms like VertiComply generate code with these safeguards already implemented, so you do not have to add encryption, audit logs, and RBAC after the fact. See how it works with the complete compliance guide.
Frequently Asked Questions
What is the maximum HIPAA violation penalty?
The maximum penalty for a single violation category is $1.9 million per year. For the most severe criminal violations, individuals can face up to $250,000 in fines and 10 years in prison. There is no upper limit on the total penalty when multiple violation categories apply — some settlements have exceeded $10 million.
What are the most common HIPAA violations?
The top three are: failure to conduct a risk assessment, lack of encryption on data at rest, and unauthorized access to patient records. These three account for the majority of OCR enforcement actions. Many organizations fail on the administrative side (missing documentation, no training program) rather than the technical side.
Can a small healthcare app get a HIPAA violation?
Yes. OCR does not scale penalties based on company size. A solo developer shipping a telehealth app with unencrypted PHI faces the same per-violation fines as a hospital chain. Several small startups have received six-figure penalties.
What triggers a HIPAA investigation?
The most common triggers are: patient complaints to OCR (30,000+ per year), mandatory breach reports for incidents affecting 500+ individuals, whistleblower reports from employees, and periodic OCR compliance audits. A breach is not required — a single complaint about your app's privacy practices is enough.
How can I prevent HIPAA violations in my healthcare app?
Implement encryption (AES-256 + TLS), role-based access control, audit logging, and breach detection from day one. Conduct a formal risk assessment before launch. Sign BAAs with all vendors. Use a platform that generates compliant code automatically rather than retrofitting compliance after development.
Does HIPAA apply to mobile health apps?
If your app creates, receives, maintains, or transmits protected health information on behalf of a covered entity or business associate, HIPAA applies. Consumer wellness apps that don't connect to healthcare providers may be exempt, but any app used in clinical workflows or prescribed by a doctor is covered. Understanding the distinction requires reviewing your specific use case against the definitions in the HIPAA Privacy Rule.
Build Compliant From Day One
Generate healthcare apps with encryption, audit logs, RBAC, and breach detection built in. No retrofitting, no violations. See pricing.