Unintentional HIPAA Violations: 8 Real-World Examples and How to Prevent Them
Unintentional HIPAA violations are accidental uses or disclosures of protected health information (PHI), such as a misdirected email, a lost unencrypted laptop, or a cloud storage bucket left open to the public, and they count as violations even though no one intended harm. Under 45 CFR § 164.402, any impermissible use or disclosure of unsecured PHI is presumed to be a reportable breach unless a documented four-factor risk assessment shows a low probability that the data was compromised. Intent affects the penalty tier. It does not decide whether a violation occurred.
TL;DR: Quick answer
- An accidental disclosure of unsecured PHI is presumed a breach under 45 CFR § 164.402 unless a documented four-factor risk assessment demonstrates a low probability of compromise.
- Civil penalties effective January 28, 2026 range from $145 per violation in Tier 1 to $2,190,294 for the most serious Tier 4 cases, with an annual cap of $2,190,294 per violated provision (45 CFR § 102.3).
- Breach notification under 45 CFR §§ 164.400-414 requires notifying affected individuals without unreasonable delay and no later than 60 days after discovery.
- The most common accidental patterns are misdirected messages, lost unencrypted devices, misconfigured cloud storage, and vendors handling PHI without a Business Associate Agreement (BAA).
- Each scenario below maps to a specific safeguard in 45 CFR §§ 164.308, 164.310, or 164.312 that would have prevented it.
Why does an accident still count as a HIPAA violation?
The HIPAA Privacy and Security Rules regulate outcomes, not motives. When unsecured PHI is used or disclosed in a way the Privacy Rule does not permit, 45 CFR § 164.402 presumes a breach. A covered entity or business associate can rebut that presumption only by completing and documenting a risk assessment covering four factors: the nature and extent of the PHI involved, the unauthorized person who received or used it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated.
Intent matters at the penalty stage. Under the tiers adjusted effective January 28, 2026, an unknowing violation (Tier 1) starts at $145 per violation, while willful neglect left uncorrected (Tier 4) starts at $73,011 and can reach $2,190,294. HHS Office for Civil Rights (OCR) applies a 2019 Notice of Enforcement Discretion that keeps annual maximums for Tiers 1 through 3 below the statutory cap. The full tier structure is covered in our guide to HIPAA violation fines and penalties.
Eight common unintentional HIPAA violation scenarios
1. Email or fax sent to the wrong recipient
A front-desk employee autocompletes the wrong address and a referral summary lands in a stranger's inbox. This is an impermissible disclosure the moment it leaves the building. Whether it is reportable turns on the four-factor assessment; an unencrypted message to an unknown third party rarely qualifies for the low-probability exception.
Prevention: Encrypt messages containing ePHI in transit, an addressable specification under 45 CFR § 164.312(e)(2)(ii). Addressable means you implement it or document why an equivalent alternative is reasonable; it does not mean optional. Disable autocomplete for external domains, use verified recipient lists, and route patient communication through a portal rather than raw email. Our comparison of HIPAA-compliant email encryption services covers the practical options.
2. Lost or stolen unencrypted laptop, phone, or USB drive
Device loss is one of the most frequently reported breach causes in OCR's public breach portal. The compliance difference is encryption. PHI encrypted to the standards in HHS guidance is not "unsecured PHI" under § 164.402, so losing a properly encrypted, locked device generally does not trigger notification, provided the decryption key or passphrase was not lost with it; HHS conditions that safe harbor on the key not being compromised. Losing an unencrypted one almost always does.
Prevention: Full-disk encryption on every device that can touch ePHI, per the addressable encryption specification at 45 CFR § 164.312(a)(2)(iv), plus a device inventory and remote-wipe capability under the device and media controls at § 164.310(d).
3. A cloud storage bucket left open to the public
A developer uploads intake-form exports to an Amazon S3 bucket for a migration and forgets to restrict access. Security researchers and scrapers index open buckets constantly, so exposure windows of even a few days can mean actual acquisition by unknown parties, which weighs heavily against the low-probability exception in the four-factor test.
Prevention: Enable S3 Block Public Access at the account level, encrypt objects at rest, and alert on policy changes. AWS supports this configuration under its BAA, but only if you set it up correctly; see our breakdown of whether AWS is HIPAA compliant for what the AWS BAA does and does not cover.
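The three settings above can be checked offline against saved CLI output. The following is an added example, not code from the original page or from AWS; it evaluates the JSON shapes returned by `aws s3api get-public-access-block`, `get-bucket-policy` and `get-bucket-encryption` (account-level output from `aws s3control get-public-access-block` has the same shape). The bucket name, account id, role and both policies are constructed for the example, and the "is this statement public" test is a simplification of AWS's own evaluation: any Condition is assumed to narrow the statement.

```python
"""Offline exposure check for an S3 bucket holding intake exports (added example)."""
import json

PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def _principals(stmt):
    """Normalize the Principal element to a list of strings."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return aws if isinstance(aws, list) else [aws]
    return []


def public_statements(policy):
    """Return the Sids of Allow statements open to everyone.

    A statement counts as public when its principal is "*" and no Condition
    narrows it. Simplification (assumption): AWS also inspects the condition
    keys; here any Condition is taken to narrow the statement.
    """
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    return [s.get("Sid", "<no Sid>") for s in statements
            if s.get("Effect") == "Allow"
            and "*" in _principals(s)
            and not s.get("Condition")]


def assess_bucket(public_access_block, policy, encryption):
    """Return a list of findings; an empty list means all three checks pass."""
    findings = []
    cfg = (public_access_block or {}).get("PublicAccessBlockConfiguration", {})
    for key in PAB_KEYS:
        if not cfg.get(key, False):
            findings.append(f"PublicAccessBlock.{key} is not enabled")
    for sid in public_statements(policy or {}):
        findings.append(f"bucket policy statement {sid!r} allows Principal *")
    rules = (encryption or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    algorithms = {r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
                  for r in rules}
    if not algorithms & {"AES256", "aws:kms"}:
        findings.append("no default server-side encryption rule")
    return findings


BUCKET_ARN = "arn:aws:s3:::example-intake-exports"   # constructed name

# The migration as the developer left it: nothing blocked, world-readable objects,
# no default encryption configured.
BAD_PAB = {"PublicAccessBlockConfiguration": {k: False for k in PAB_KEYS}}
BAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": BUCKET_ARN + "/*"}]}
BAD_ENC = {}

# The corrected configuration: all four blocks on, access limited to one role,
# TLS enforced with a Deny, KMS encryption by default.
GOOD_PAB = {"PublicAccessBlockConfiguration": {k: True for k in PAB_KEYS}}
GOOD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "MigrationRoleOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/intake-migration"},
     "Action": ["s3:GetObject", "s3:PutObject"], "Resource": BUCKET_ARN + "/*"},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}
GOOD_ENC = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms",
        "KMSMasterKeyID": "arn:aws:kms:us-east-1:123456789012:key/example"},
     "BucketKeyEnabled": True}]}}


if __name__ == "__main__":
    for label, args in (("as found", (BAD_PAB, BAD_POLICY, BAD_ENC)),
                        ("corrected", (GOOD_PAB, GOOD_POLICY, GOOD_ENC))):
        print(label, json.dumps(assess_bucket(*args), indent=2))
```

The Deny statement with `Principal: "*"` in the corrected policy is not flagged because only Allow statements open a bucket; a Deny scoped to everyone is the normal way to enforce TLS. Run the same function over the account-level Block Public Access output as well, since a bucket-level setting can be undone by anyone with `s3:PutBucketPublicAccessBlock` on that bucket.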
4. Hosting PHI with a provider that never signed a BAA
A clinic launches a website with appointment forms on a generic shared host. No PHI leak has happened, but the arrangement itself violates 45 CFR § 164.308(b) and § 164.504(e), which require a Business Associate Agreement before a vendor creates, receives, maintains, or transmits ePHI on a covered entity's behalf. OCR has settled cases on this basis alone.
Prevention: Inventory every vendor in the data path (host, form processor, email relay, backup service) and confirm a signed BAA for each. Our HIPAA-compliant hosting guide explains what a hosting BAA should include.
5. PHI in server logs, error reports, and backups
Form submissions logged in plaintext, stack traces that capture request bodies, and debug emails to developers all create unmanaged copies of ePHI. These copies often sit on systems with no access controls, no encryption, and no retention policy, and they are easy to forget during a risk analysis.
Prevention: Scrub request bodies from application logs, mask form fields in error tracking, and encrypt backups. Audit controls under 45 CFR § 164.312(b) require recording activity on systems containing ePHI, which is only possible if you know where those copies live. The controls are detailed in our overview of HIPAA hosting security measures.
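Scrubbing at the logging layer catches the careless `logger.info("body=%s", request.json)` that no code review will reliably stop. The block below is an added example, not code from the original page: a `logging.Filter` on the handler that masks PHI fields by name inside dict arguments, replaces SSN-shaped strings anywhere in the rendered text, and sanitizes a structured `body` attribute passed through `extra`. The field list and the sample intake submission are constructed for the example; `PHI_FIELDS` would be adapted to your own form schema.

```python
"""Redact PHI from application log records before they reach a handler (added example)."""
import io
import logging
import re

# Constructed field list; extend to match your intake schema.
PHI_FIELDS = {"patient_name", "dob", "date_of_birth", "ssn", "mrn",
              "diagnosis", "insurance_id"}
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
MASK = "[REDACTED]"


def redact_value(value):
    """Recursively mask PHI fields by name and SSN patterns by shape."""
    if isinstance(value, dict):
        return {k: MASK if str(k).lower() in PHI_FIELDS else redact_value(v)
                for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return type(value)(redact_value(v) for v in value)
    if isinstance(value, str):
        return SSN_RE.sub(MASK, value)
    return value


class PHIRedactingFilter(logging.Filter):
    """Sanitize the message template, its arguments and any extra 'body' attribute."""

    def filter(self, record):
        # logging passes a lone dict argument through as record.args itself
        if isinstance(record.args, dict):
            record.args = redact_value(record.args)
        elif record.args:
            record.args = tuple(redact_value(a) for a in record.args)
        # Render now so every downstream formatter sees only sanitized text
        record.msg = redact_value(record.getMessage())
        record.args = ()
        if hasattr(record, "body"):   # structured payload passed via extra={"body": ...}
            record.body = redact_value(record.body)
        return True   # keep the record, just cleaned


def build_logger(stream):
    """Logger writing to `stream`. The filter sits on the handler, not the logger,
    so records propagated up from child loggers are cleaned too."""
    logger = logging.getLogger("intake.example")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(PHIRedactingFilter())
    logger.addHandler(handler)
    return logger


# Constructed intake submission (not real data).
SAMPLE_BODY = {
    "patient_name": "Jane Roe",
    "dob": "1980-04-02",
    "ssn": "123-45-6789",
    "diagnosis": "type 2 diabetes",
    "appointment_type": "follow-up",
    "contact": {"phone": "555-0100", "insurance_id": "XYZ123"},
}


def capture_log(body):
    """Log a submission the careless way and return what actually reached the stream."""
    stream = io.StringIO()
    logger = build_logger(stream)
    logger.info("POST /intake from %s body=%s", "203.0.113.5", body)
    # Free-text message that would leak the SSN without ever naming the field
    logger.warning("validation failed: value %s is not a valid SSN", body.get("ssn", ""))
    return stream.getvalue()


if __name__ == "__main__":
    print(capture_log(SAMPLE_BODY), end="")
```

Two limits worth knowing: the filter does not touch `record.exc_info`, so a traceback that prints local variables needs the error tracker's own scrubbing hook (or `sys.excepthook`) as well, and name-based masking only works for fields you have listed, which is why the shape-based SSN rule runs over the rendered text as a second layer.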
6. Tracking pixels and analytics scripts on patient pages
Advertising and analytics pixels on appointment booking or patient portal pages can transmit identifiers plus health context (page URL, condition searched, appointment type) to third parties such as ad platforms. OCR addressed this in its online tracking technologies guidance; a federal court vacated the part of that guidance that treated an IP address on an unauthenticated page as PHI in 2024, but authenticated portal pages and any page where the visitor enters health information remain in scope. Multiple health systems have reported breaches and faced class actions over pixel disclosures. Without a BAA and a permissible purpose, the transmission is an impermissible disclosure.
Prevention: Remove third-party trackers from any page where users enter or view health information, or replace them with server-side, BAA-covered analytics. Treat tag managers as a change-controlled system, not a marketing free-for-all. The full rules are in our guide to HIPAA tracking technologies.
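Knowing which hosts a booking page actually contacts is the first step of that cleanup. The block below is an added example, not code from the original page: it parses saved HTML with the standard library and lists every non-first-party host from script, image, iframe and stylesheet sources plus URLs embedded in inline scripts, which is how tag managers and pixel loaders bootstrap. The sample page and the clinic domain are constructed for the example.

```python
"""Inventory third-party resource loads on a patient-facing page (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

RESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}
URL_RE = re.compile(r"""https?://[^\s'"<>()]+""")


class ResourceScanner(HTMLParser):
    """Collect (where, url) pairs for everything the page would fetch."""

    def __init__(self):
        super().__init__()
        self.resources = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        name = RESOURCE_ATTRS.get(tag)
        if name and attr.get(name):
            self.resources.append((tag, attr[name]))
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:          # inline loader code, e.g. gtag or fbevents bootstrap
            for url in URL_RE.findall(data):
                self.resources.append(("inline-script", url))


def host_of(url):
    """Hostname for absolute or protocol-relative URLs; '' for same-origin paths."""
    if url.startswith("//"):
        url = "https:" + url
    return (urlsplit(url).hostname or "").lower()


def is_first_party(host, first_party_domains):
    return any(host == d or host.endswith("." + d) for d in first_party_domains)


def third_party_hosts(html, first_party_domains):
    """Sorted list of external hosts referenced by the page."""
    scanner = ResourceScanner()
    scanner.feed(html)
    scanner.close()
    hosts = {host_of(url) for _, url in scanner.resources}
    return sorted(h for h in hosts if h and not is_first_party(h, first_party_domains))


# Constructed booking page: one first-party script, a first-party CDN, a
# Google tag loader, an inline Meta pixel bootstrap and its noscript image.
SAMPLE_PAGE = """<!doctype html><html><head>
<script src="/static/booking.js"></script>
<link rel="stylesheet" href="https://cdn.example-clinic.org/site.css">
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}
gtag('js',new Date());gtag('config','G-EXAMPLE');</script>
<script>(function(d,s){var t=d.createElement(s);t.async=true;
t.src='https://connect.facebook.net/en_US/fbevents.js';d.head.appendChild(t);})(document,'script');</script>
</head><body>
<h1>Book an appointment: Behavioral Health</h1>
<form action="/book" method="post"><input name="appointment_type"><button>Book</button></form>
<noscript><img height="1" width="1" src="https://www.facebook.com/tr?id=0000000&amp;ev=PageView"></noscript>
</body></html>"""

FIRST_PARTY = {"example-clinic.org"}   # constructed clinic domain


if __name__ == "__main__":
    for host in third_party_hosts(SAMPLE_PAGE, FIRST_PARTY):
        print("third-party load:", host)
```

A static scan only sees what is in the HTML; tags a tag manager injects later at runtime are invisible to it. Pair the scan with a Content-Security-Policy in report-only mode on the same pages, which reports every host the browser actually contacts, and promote it to enforcing once the list is down to first-party and BAA-covered hosts.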
7. Improper disposal of paper records or storage media
Charts in an unlocked dumpster or a decommissioned server resold with its drives intact are classic accidental disclosures. The device and media controls at 45 CFR § 164.310(d)(2)(i) require policies for the final disposition of ePHI and the hardware it lives on.
Prevention: Cross-cut shredding for paper, cryptographic erasure or physical destruction for drives (NIST SP 800-88 is the media sanitization reference HHS points to), and a certificate of destruction from any disposal vendor, who also needs a BAA if they handle PHI.
8. Employee snooping and excess access rights
A staff member looks up a neighbor's record out of curiosity, or an employee keeps full EHR access years after changing roles. Both violate the minimum necessary standard at 45 CFR § 164.502(b) and the access management requirements at § 164.308(a)(4), even when nothing is shared externally.
Prevention: Role-based access, quarterly access reviews, immediate deprovisioning on role change, and audit log monitoring under § 164.312(b) so snooping is detected, not discovered by accident years later.
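Both halves of that prevention, the access review and the audit-log monitoring, reduce to comparing what people did or hold against what their role and patient assignments justify. The block below is an added example, not code from the original page: it runs two rules over a constructed EHR audit export (access to a resource the role is not entitled to, and clinical access to a patient the user has no treatment relationship with) and a review helper that lists entitlements beyond a user's current role. The role matrix, care-team table, entitlement snapshot and log lines are all constructed for the example.

```python
"""Detect snooping and excess access rights from EHR audit data (added example)."""
import csv
import io

# Constructed role-to-resource matrix: what each role may open at all.
ROLE_RESOURCES = {
    "physician": {"demographics", "schedule", "chart", "clinical_notes", "orders"},
    "nurse": {"demographics", "schedule", "chart", "clinical_notes"},
    "billing": {"demographics", "claims"},
    "front_desk": {"demographics", "schedule"},
}
CLINICAL = {"chart", "clinical_notes", "orders"}

# Constructed treatment relationships: users on each patient's care team.
CARE_TEAM = {
    "P1001": {"nurse_kim", "dr_osei"},
    "P1002": {"nurse_kim", "dr_osei"},
    "P2230": {"dr_patel"},
    "P3001": {"dr_patel"},
}

# Constructed audit export in the shape an EHR access log commonly takes.
AUDIT_CSV = """timestamp,user,role,patient_id,action,resource
2026-03-02T09:01:00,nurse_kim,nurse,P1001,view,chart
2026-03-02T09:05:00,nurse_kim,nurse,P1002,view,clinical_notes
2026-03-02T12:40:00,nurse_kim,nurse,P2230,view,chart
2026-03-02T13:10:00,billing_ana,billing,P1001,view,claims
2026-03-02T13:12:00,billing_ana,billing,P1001,view,clinical_notes
2026-03-02T15:00:00,dr_osei,physician,P1001,view,clinical_notes
2026-03-02T15:02:00,frontdesk_lee,front_desk,P3001,view,demographics
2026-03-02T15:03:00,frontdesk_lee,front_desk,P3001,view,chart
"""


def detect(audit_csv, role_resources=ROLE_RESOURCES, care_team=CARE_TEAM):
    """Return (rule, user, patient_id, timestamp) for each suspicious row.

    role_excess fires first so a billing clerk opening clinical notes is
    reported once, as a rights problem, not also as a relationship problem.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(audit_csv)):
        allowed = role_resources.get(row["role"], set())
        if row["resource"] not in allowed:
            findings.append(("role_excess", row["user"], row["patient_id"], row["timestamp"]))
        elif (row["resource"] in CLINICAL
              and row["user"] not in care_team.get(row["patient_id"], set())):
            findings.append(("no_relationship", row["user"], row["patient_id"], row["timestamp"]))
    return findings


def access_review(entitlements, user_roles, role_resources=ROLE_RESOURCES):
    """Quarterly review helper: entitlements each user holds beyond their current role."""
    excess = {}
    for user, granted in entitlements.items():
        allowed = role_resources.get(user_roles.get(user), set())
        extra = sorted(set(granted) - allowed)
        if extra:
            excess[user] = extra
    return excess


# Constructed entitlement snapshot: frontdesk_lee moved from nursing to the
# front desk but kept the old grants.
ENTITLEMENTS = {
    "nurse_kim": {"demographics", "schedule", "chart", "clinical_notes"},
    "frontdesk_lee": {"demographics", "schedule", "chart", "clinical_notes"},
}
USER_ROLES = {"nurse_kim": "nurse", "frontdesk_lee": "front_desk"}


if __name__ == "__main__":
    for finding in detect(AUDIT_CSV):
        print(*finding)
    print(access_review(ENTITLEMENTS, USER_ROLES))
```

In a real deployment the relationship table comes from encounters, unit assignments or scheduling rather than a static dict, and emergency "break the glass" access must be recorded with a flag so the no-relationship rule routes it to review instead of alerting. Neither rule works unless the EHR's audit controls actually log view events, which is the § 164.312(b) point above.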
What should you do after an accidental disclosure?
- Contain and document. Stop the exposure, preserve evidence, and record the timeline. Documentation must be retained for six years under 45 CFR § 164.316(b)(2)(i).
- Run the four-factor assessment. Apply § 164.402 to determine whether the presumption of breach is rebutted, and write the analysis down.
- Notify on time if required. Affected individuals must be notified without unreasonable delay and no later than 60 days after discovery (§ 164.404). Breaches affecting 500 or more individuals require notice to HHS at the same time as individuals (§ 164.408), and when more than 500 residents of one state or jurisdiction are affected, notice to prominent media serving that area (§ 164.406); smaller breaches are logged and reported to HHS within 60 days after the calendar year ends.
- Fix the root cause. Update the risk analysis required by § 164.308(a)(1)(ii)(A) and the corresponding safeguard, then retrain the people involved.
Frequently asked questions
Is an accidental HIPAA violation still a violation?
Yes. HIPAA liability does not depend on intent. An unknowing violation falls in Tier 1 ($145 to $73,011 per violation as of January 28, 2026), while willful neglect falls in Tiers 3 and 4.
Is every accidental disclosure a reportable breach?
No. Under 45 CFR § 164.402, a disclosure of unsecured PHI is presumed a breach, but a documented four-factor risk assessment can show a low probability of compromise. Disclosures of properly encrypted PHI are not "unsecured" and generally are not reportable.
How long do you have to report a HIPAA breach?
Affected individuals must be notified without unreasonable delay and no later than 60 days after discovery. Breaches affecting 500 or more individuals also require contemporaneous notice to HHS, and media notice when more than 500 residents of one state or jurisdiction are involved; smaller breaches are reported to HHS annually (45 CFR §§ 164.404-408).
Can a small accidental breach still draw an OCR penalty?
Yes, particularly when it reveals a missing safeguard such as no risk analysis or no BAA. Correction within 30 days is an affirmative defense for violations not due to willful neglect (45 CFR § 160.410), which is one reason the documented timeline matters.
Where to go from here
Five of the eight scenarios above involve the web and hosting layer: open buckets, missing BAAs, leaky logs, tracking pixels, unencrypted transit. Hosting that is built for ePHI removes most of that surface by default. We offer managed HIPAA-compliant WordPress hosting with a signed BAA, encrypted infrastructure, and hardened logging; that is our service, so weigh the recommendation accordingly. For the underlying requirements, start with our guide to HIPAA's administrative, physical, and technical safeguards.
This article is general information, not legal advice. Consult qualified counsel and base your safeguards on a documented risk analysis specific to your organization. Reviewed June 2026.
Sources
- 45 CFR § 164.402, breach definition and four-factor assessment (eCFR)
- 45 CFR § 164.312, technical safeguards (eCFR)
- 45 CFR § 164.308, administrative safeguards (eCFR)
- 45 CFR § 102.3, adjusted civil money penalty amounts (eCFR)
- HHS, Breach Notification Rule
- HHS OCR, Use of Online Tracking Technologies guidance