HIPAA mandates that healthcare providers safeguard patients’ protected health information (PHI). However, PHI breaches can and do occur through unauthorized disclosures, improper handling of data, or insufficient security measures.
According to an Informed Clinical Informatics study on Information Security Awareness and Behaviors of Health Care Professionals at Public Health Care Facilities:
These numbers suggest that many healthcare providers are either ignoring or inadequately following HIPAA policies. This creates vulnerabilities, possibly exposing patient PHI to potential data breaches that lead to HIPAA violations.
HIPAA violations can happen in different ways, and some of the most common violations include:
For example, in November 2024, Option Care Health (OCH) experienced a data breach due to unauthorized access to an employee's email account.
One example is the 2008 case in which University of California, Los Angeles (UCLA) Medical Center employees accessed singer Britney Spears’s psychiatric medical records without a valid reason.
For example, in October 2024, Walgreen Co. suffered a data breach after an unauthorized user accessed a laptop with sensitive patient data.
One example is the 2016 New York-Presbyterian Hospital (NYP) case, in which the hospital allowed a television film crew to record footage within its facilities without first obtaining patient authorization.
Ultimately, if a patient believes that a healthcare provider didn’t uphold their legal obligations, they must know how to file complaints, report such incidents, and understand the potential legal outcomes.
When a patient suspects a HIPAA violation, they must keep detailed records of the incident, including:
Once the patient has documented the violation, they must report it directly to their healthcare provider. More specifically, they should contact the provider's privacy officer, who is responsible for HIPAA matters.
Patients should request an internal investigation that includes:
If the provider dismisses these concerns, the patient can file a formal complaint with the HHS Office for Civil Rights (OCR).
Per the OCR’s Complaint Requirements, patients must:
If the patient is unsure whether the incident violates HIPAA, the OCR encourages them to “go ahead and file [their] complaint.” The OCR will then investigate the complaint and “impose penalties if the provider is found to be non-compliant.”
HIPAA violations carry serious legal consequences even when no harm was ‘knowingly’ intended. So, a healthcare provider doesn’t have to intend to break the law to be held legally responsible. The law only requires proof that the person knew the facts that led to the violation, even if they didn’t realize those facts resulted in a breach.
This interpretation was clarified in a Memorandum Opinion discussing the U.S. Supreme Court’s decision in Bryan v. United States (524 U.S. 184, 1998), which states, “The term ‘knowingly’ merely requires proof of knowledge of the facts that constitute the offense.”
For example, if a healthcare worker knows they’re emailing a document with patient names and Social Security numbers, the law mandates that they protect this data.
Furthermore, ignorance of the law is not a defense if the individual understands the underlying facts. The Memorandum explains, “There is nothing obviously absurd about the statute’s allowing a defense of reasonable ignorance of the law for those regulatory violations subject to [a] civil penalty, but withholding this defense with respect to those violations that threaten the privacy of individuals.”
Ultimately, healthcare providers must implement administrative, physical, and technical safeguards to protect patient PHI and avoid potential civil and criminal penalties.
HIPAA doesn’t allow patients to directly sue providers for violations. However, state privacy laws or professional negligence claims could be another avenue for legal recourse. If someone has suffered financial or emotional harm due to a violation, they could consult an attorney specializing in healthcare privacy.
A recent example of such litigation involves the Progressive Casualty Insurance Company data breach, in which an employee of a third-party vendor shared access credentials with unauthorized individuals.
With over 347,000 individuals’ PHI exposed, including names, addresses, and driver's license numbers, Progressive was sued in a class action lawsuit.
The plaintiffs allege that the breach was “massive and preventable” and was a result of Progressive's inadequate data security procedures. The breach may have exposed victims to significant risks, including identity theft and financial harm. Progressive has denied any wrongdoing but eventually settled the case for $3.25 million.
Monitor medical records for suspicious activity: review medical notes, visit summaries, lab results, and updates to your personal or insurance information, checking especially for new diagnoses, prescriptions, test results, or insurance information you did not authorize.
If you spot inaccuracies, contact your provider immediately and request an audit trail to see who accessed your records and when.
Request copies of your health records and privacy documentation. More specifically, the HIPAA Privacy Rule gives patients the right to obtain:
Patients can request this information in writing. If the provider delays or denies the request without proper justification, the patient can escalate the matter to the OCR.
Patients can review their insurer’s Explanation of Benefits (EOBs) and match them against known visits. They should specifically check for services they didn’t receive, charges from unfamiliar providers or facilities, multiple claims for the same service, or conflicting dates.
Patients can also request itemized statements from their provider’s billing department. If discrepancies appear, they should contact both the provider and the insurance company.
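The four EOB checks listed above (services never received, unfamiliar providers, duplicate claims, and conflicting dates) can be automated once a patient keeps their own visit log. The following is an added illustration, not code from the article or from any insurer; the visit log, EOB lines, provider names and service codes are constructed sample data, and the `reconcile` function and its issue labels are hypothetical names chosen for this example.

```python
"""Reconcile an insurer's Explanation of Benefits (EOB) line items against the
patient's own visit log and flag the discrepancies the article describes.

Added example with constructed data; the provider names, claim ids and
service codes below are placeholders, not real records."""
from collections import Counter
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Visit:
    when: date
    provider: str
    services: frozenset  # service codes the patient knows were performed


@dataclass(frozen=True)
class EobLine:
    claim_id: str
    when: date
    provider: str
    service: str
    amount: float


def reconcile(visits, eob_lines):
    """Return (claim_id, issue, detail) tuples for every suspicious EOB line.

    Issues raised:
      unknown_provider      - provider never appears in the patient's visit log
      date_conflict         - provider is known, but no visit on the billed date
      service_not_received  - visit exists, but this service was not performed
      duplicate_claim       - same provider, date and service billed more than once
    """
    findings = []
    known_providers = {v.provider for v in visits}
    by_provider_date = {(v.provider, v.when): v for v in visits}
    dates_by_provider = {}
    for v in visits:
        dates_by_provider.setdefault(v.provider, set()).add(v.when)
    # Count identical (provider, date, service) triples to spot double billing
    seen = Counter((l.provider, l.when, l.service) for l in eob_lines)

    for line in eob_lines:
        if line.provider not in known_providers:
            findings.append((line.claim_id, "unknown_provider", line.provider))
            continue
        visit = by_provider_date.get((line.provider, line.when))
        if visit is None:
            known = ", ".join(d.isoformat() for d in sorted(dates_by_provider[line.provider]))
            findings.append((line.claim_id, "date_conflict", f"known visits: {known}"))
        elif line.service not in visit.services:
            findings.append((line.claim_id, "service_not_received", line.service))
        if seen[(line.provider, line.when, line.service)] > 1:
            findings.append((line.claim_id, "duplicate_claim", line.service))
    return findings


# Constructed sample data: what the patient remembers versus what the insurer paid.
SAMPLE_VISITS = [
    Visit(date(2025, 3, 3), "Dr. Lee Family Medicine", frozenset({"99213"})),
    Visit(date(2025, 3, 10), "Riverside Lab", frozenset({"80053"})),
]

SAMPLE_EOB = [
    EobLine("C1", date(2025, 3, 3), "Dr. Lee Family Medicine", "99213", 120.0),
    EobLine("C2", date(2025, 3, 3), "Dr. Lee Family Medicine", "99213", 120.0),  # billed twice
    EobLine("C3", date(2025, 3, 12), "Riverside Lab", "80053", 45.0),             # wrong date
    EobLine("C4", date(2025, 3, 3), "Dr. Lee Family Medicine", "93000", 80.0),    # never performed
    EobLine("C5", date(2025, 3, 20), "Downtown Imaging", "70450", 900.0),         # never visited
]


def sample_findings():
    """Run the reconciliation over the constructed sample data."""
    return reconcile(SAMPLE_VISITS, SAMPLE_EOB)


if __name__ == "__main__":
    for claim_id, issue, detail in sample_findings():
        print(f"{claim_id}: {issue} ({detail})")
```

Each flagged line maps directly to one of the article's checks, which gives the patient a concrete list to raise with the provider's billing department and the insurer. The visit log is the only trusted input; anything the insurer paid that the patient cannot account for is surfaced rather than silently accepted.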
If an individual’s Social Security number, driver’s license, insurance member ID, or financial information is exposed, they should contact one of the three major credit bureaus (Equifax, Experian, or TransUnion) to place a fraud alert. That bureau is required to notify the other two, and lenders must then take steps to verify the individual’s identity before extending new credit.
Placing a credit freeze goes further and blocks new creditors from accessing the individual’s credit report. This is especially advisable if the exposed health data was linked to identifying information, since that combination increases the risk of financial and medical identity theft.
Patients should contact their provider’s office manager, privacy officer, or IT department and ask:
Only if you give them permission. Under HIPAA, your healthcare provider can share your health information with a family member, friend, or caregiver only when you give verbal or written consent, or when you’re present during the discussion and don’t object. If you're unconscious or unable to make decisions, the provider may use their professional judgment to determine if sharing certain information is in your best interest.
Yes, you can request your medical records in the format you prefer, like electronic or paper copies. HIPAA requires providers to accommodate your request if they can do so without significant difficulty.
If your provider cannot produce the records in your preferred format, they must offer an accessible alternative. They are also required to respond to your request within 30 days and may only charge reasonable fees that cover the cost of copying, mailing, or preparing the records. If your provider refuses or delays without a valid reason, this may be a HIPAA violation.
As of March 2025, HIPAA violations incur fines from $141 to $2,134,831 per violation, depending on culpability.
Tier 1 penalties apply to unintentional violations ($141–$35,581), while Tier 2 covers breaches due to reasonable cause ($1,424–$71,162). Tier 3 applies to willful neglect corrected within 30 days ($14,232–$71,162), and Tier 4 penalizes uncorrected willful neglect with the highest fines ($71,162–$2,134,831).
These fines adjust annually for inflation, and severe cases may result in criminal charges, reputational harm, and mandatory corrective actions.