HIPAA compliance and enforcement dashboard showing audit findings, an overdue risk analysis, and a settlement case-tracking table on dual monitors in a dental office

The fastest way to understand HIPAA is not to read the rule. It is to look at what the government has actually fined people for.

These HIPAA violation examples are real enforcement actions from the HHS Office for Civil Rights, and most of them are not the massive insurer breaches that make headlines. They are small practices, including several dental offices, penalized for ordinary mistakes: answering a Yelp review, being slow to hand over records, or never running a risk analysis. Every dollar figure and every case below is drawn from OCR’s own published settlements. Read them as a warning list, because the offices that got fined were not doing anything most practices would consider reckless.

Social Media and the Front-Desk Reflex to Respond

The most avoidable violations in dentistry come from responding to online reviews. It feels like customer service. To OCR, it is an impermissible disclosure of protected health information.

1. Elite Dental Associates: $10,000 for a Yelp Reply

A Dallas dental practice responded to a patient’s Yelp review by disclosing her last name and details about her health condition, treatment, and insurance. OCR settled with Elite Dental Associates for 10,000 dollars in 2019. The practice was defending its reputation. It disclosed a patient’s information to the entire internet to do it.

2. New Vision Dental: $23,000 for the Same Mistake, Worse

A California practice went further, posting Yelp responses that revealed the full names of patients who had reviewed under nicknames, along with their visit and insurance details. OCR settled with New Vision Dental for 23,000 dollars in 2022. Identifying an anonymous reviewer by name is exactly the kind of disclosure a practice controls entirely and still got wrong.

Being Slow to Hand Over Records

Patients have a right to their own records, quickly and at a reasonable cost. OCR ran a Right of Access Initiative that penalized dozens of providers for missing that, and three of them were dental practices settled on a single day in 2022.

3. Great Expressions Dental Center of Georgia: $80,000

A patient waited over a year for records, and the practice charged a copying fee that was not based on actual cost. OCR settled with Great Expressions Dental Center of Georgia for 80,000 dollars. The lesson is two-part: provide records promptly, and never overcharge for them.

4. Family Dental Care: $30,000

A Chicago practice took more than five months to provide a former patient a complete set of records. That delay alone, settled in the same 2022 action, cost 30,000 dollars. There was no breach, no hacker, and no lost laptop. Just a request that sat too long.

5. Paradise Family Dental: $25,000

A Las Vegas practice failed to give a mother copies of her own and her minor child’s records, which were requested repeatedly across most of a year before finally being sent. The 25,000 dollar settlement is a reminder that access requests from a parent for a child’s records carry the same clock as any other.

The Violation Behind Almost Every Big Fine: No Risk Analysis

When you move up to the large penalties, one failure appears again and again. The organization never conducted a thorough security risk analysis, so when an attacker got in, there were no defenses and no record of due diligence. This is the single most cited failure in HIPAA enforcement.

6. Anthem: $16 Million

The largest HIPAA settlement on record. A cyberattack exposed the data of nearly 79 million people, and OCR found the insurer had failed to conduct an enterprise-wide risk analysis and lacked adequate controls. Anthem settled for 16 million dollars in 2018. The scale is enormous, but the root failure is the same one that catches a solo office.

7. Doctors’ Management Services: $100,000 and a First

This was OCR’s first-ever ransomware settlement. A practice management company was hit in 2017, affecting more than 206,000 people, and OCR found it had failed to run an accurate risk analysis and review its system activity. The 100,000 dollar settlement in 2023 signaled that a ransomware attack is not just a crime you suffered. It is a compliance failure OCR will examine.

8. Comprehensive Neurology: $25,000

A small New York practice was hit by ransomware that encrypted its network and affected about 6,800 people. OCR’s 2025 settlement, at 25,000 dollars, again came back to a missing risk analysis. A practice this size is far closer to a dental office than Anthem is, and the finding was identical.

9. Comstar: $75,000

A vendor suffered a ransomware breach affecting more than 585,000 people, and OCR again cited the failure to conduct a thorough risk analysis in its 2025 settlement of 75,000 dollars. OCR now runs a Risk Analysis Initiative, and nearly every recent action traces to the same root cause. If you take one thing from this list, take that.

What a HIPAA Violation Actually Costs

Civil penalties are set in four tiers based on how culpable the provider was, from an honest mistake to willful neglect that was never fixed. The amounts are adjusted for inflation every year. These are the figures in effect for 2026.

Tier Culpability Minimum per violation Annual cap OCR applies
1 No knowledge of the violation $145 $36,506
2 Reasonable cause, not willful neglect $1,461 $146,053
3 Willful neglect, corrected $14,602 $365,052
4 Willful neglect, not corrected $73,011 $2,190,294

One nuance worth knowing: the per-violation minimums are set in statute, but the graduated per-tier annual caps above reflect OCR’s own enforcement-discretion practice, first announced in 2019. The current statutory text still applies the highest cap, 2,190,294 dollars, across all four tiers. In practice OCR penalizes lower tiers against the lower caps, but the law on the books has not been formally amended to match.

The tier is not about the size of the breach. It is about whether you were making a good-faith effort and whether you fixed the problem once you knew. A practice that documented its risk analysis and acted on it lands in a very different tier than one that ignored the requirement for years.

How Dental Practices Stay Off This List

Look back at the nine cases. Two were review responses. Three were slow record requests. Four were missing risk analyses. Not one required a sophisticated attacker to become a fine. They required a practice to skip something ordinary.

Staying off the list is mostly about the same handful of habits: run and document a risk analysis, take patient record requests seriously and answer them fast, and never disclose anything about a patient in a public reply, no matter how unfair the review feels. For a fuller run-down, these are the HIPAA violations dental practices commit most often and how to avoid them in your own office. You can also see where breaches land publicly on the government’s HIPAA breach reporting portal, and how the largest incidents in the field actually happened in our roundup of the biggest dental data breaches.

The uncomfortable truth in this list is that none of these practices thought they were doing anything wrong. That is exactly why the risk analysis matters. It is the one exercise that turns “we assumed we were fine” into “we checked.”

HIPAA Violation Examples FAQs

What is the most common HIPAA violation for dental practices?

Two patterns dominate real enforcement against dental offices: disclosing patient information in response to online reviews, and failing to provide patients their records promptly and at a reasonable cost. Both appear in multiple OCR settlements against dental practices. Neither involves a hacker. They involve everyday front-desk and office decisions that quietly cross a compliance line.

Can a dental practice be fined for responding to a Yelp review?

Yes. Both Elite Dental Associates and New Vision Dental were penalized by OCR specifically for disclosing patient information in review responses. Even confirming that someone is a patient, or referencing their treatment, is a disclosure of protected health information without authorization. The safe practice is to respond to all reviews with a generic message that never acknowledges any specific patient or visit.

How much can a HIPAA violation cost?

It depends on culpability. Penalties run in four tiers, from a minimum of 145 dollars per violation for an honest mistake up to an annual cap of roughly 2.19 million dollars for willful neglect that is never corrected. Real dental settlements have ranged from 10,000 to 80,000 dollars. The amount turns heavily on whether the practice made a documented good-faith effort to comply.

What single step prevents the most HIPAA violations?

A documented security risk analysis. It is the failure cited in nearly every large OCR settlement, including the recent ransomware cases, and OCR now runs a dedicated Risk Analysis Initiative around it. Performing one, writing it down, and acting on what it finds is the closest thing there is to a single control that keeps a practice off the enforcement list.

Posted in Dental Cybersecurity

Filter By: