19 Most Common Examples of HIPAA Violations

Learn the most common examples of HIPAA violations, breaches & mistakes, that can result in substantial financial penalties.

About HIPAA Violations

HIPAA privacy violations occur when an organization working with health-related information fails to adhere to any part of the Health Insurance Portability and Accountability Act, which was signed into law in 1996.
HIPAA violations often result in substantial financial, or even civil and criminal penalties. They are due to an organization's failure to:
  • Perform a firm-wide analysis to identify security risks related to Protected Health Information (PHI)
  • Execute HIPAA-compliant Business Associate Agreements (BAA)
  • Allow through mistake or oversight unauthorized disclosures of PHI
  • Delay of notifications to patients and others affected of breaches
  • Safeguard PHI
The Department of Health and Human Services' Office for Civil Rights (OCR) imposes significant financial penalties for violations of HIPAA. HIPAA violation cases are pursued by the OCR to spread awareness to the health care community of the HIPAA Rules. HIPAA violation fines imposed can easily exceed tens of thousands or even millions. It is then vital to understand intentional and unintentional examples of HIPAA violations
HIPAA violations or often not discovered from months or even years. It is therefore important for healthcare organizations to perform regular compliance reviews. These will help make sure any weaknesses are quickly mitigated and any HIPAA violations properly reported. It is better that a healthcare organization find its own potential HIPAA violations before state or federal regulators do. If a regulator is investigating a PHI breach and determines there was no HIPAA violation, it is common they find other violations resulting in a financial penalty.
There are several factors used to determine the financial penalty:
  • How long the violation(s) persisted
  • The number of violations
  • The financial position of the health care organization or the business associate
HIPAA violations are reported typically in the following manner:
  1. The state attorney general may perform investigations into data breaches
  2. Patients or others may complain
  3. HIPAA compliance audits performed by state regulatory bodies

Examples of HIPAA Violations by Employers

  1. Failure to Perform a Risk Analysis

    One of the most common HIPAA violations is the failure to perform a risk analysis. Organizations should perform a risk analysis on an ongoing basis to help determine if there are any vulnerabilities in their systems. They should make that PHI confidentiality and integrity are always a top priority.  Existing risks will leave healthcare organization vulnerable to hackers and financial penalties.
    Some examples:
  2. Failure to Take Action on Security Risks

    A healthcare organization may identify security risks and not immediately act.  Security risks must be mitigated in a reasonable period and there should be full documentation of what steps were taken.
    Some examples:
  3. Using Non-Encrypted Lost or Stolen Laptop, Cell Phone or USB Device

    Encryption is not actually required by HIPAA regulations.  However, if it is not used then alternative security measures must be taken.  The most common HIPAA violations occur when non-encrypted devices are lost or stolen resulting in a PHI breach. In 2016, an iPhone was lost with PHI, and it did not have a password or any encryption enabled. Catholic Health Care Services of Philadelphia was fined $650,000 since over 400 people were involved.  Many states have passed laws requiring encrypted PHI files. If a security breach occurs, but the key to decrypt data is not stolen then the incident is not reportable.
    Portable devices should never be left in cars. It is also an excellent security practice to provide employees with dedicated mobile devices for their jobs, so they do not use their personal devices for work.
    Some examples:
  4. Not Executing a HIPAA-Compliant Business Associate Agreement (BAA)

    If a healthcare organization and one of their business associates do not execute a BAA, that is a violation of HIPAA. The reason for a BAA is to make sure that anybody working with PHI is aware of all the requirements of HIPAA. To be HIPAA compliant a BAA a needs to be drafted in accordance with the omnibus final rule.
    Some examples:
  5. No or Limited Employee Training

    Proper ongoing training is the key to minimizing HIPAA breaches. The culture of the healthcare and hospital organizations and their senior leadership teams must be completely focused on and diligent about protecting PHI. HIPAA breaches often result because people forget or get lax about the privacy and security processes and policies already mandated by the organization.  Technology is also rapidly evolving with new applications and complexity. New technology and a working from home (WFH) environment require employees and contractors receive continuous training to correctly learn the technology and understand the risks.
  6. Database Breaches

    Data breaches cost healthcare firms approximately $9.3 billion in 2019. Unfortunately, they are a fact of life even with a lot of cyber security defenses. Health care organizations are targeted because the sensitive data is highly value to criminals. Data breaches always create negative publicity and will hurt any healthcare organization's reputation.  It is very important to keep antivirus and malware software up to date and active on all devices and servers. Specialized hardware-based firewalls and intrusion detection are also helpful to avoid database breaches. Hospitals and health care organizations should also undertake periodic penetration and intrusion detection exercises on their infrastructure.  A well thought out plan should also include hiring an outside 3rd party organization to try to hack into the systems. This is called "white hat" hacking which is distinguished from "black hat" hacking which is malicious. This type of "good" hacking is done with the knowledge and full consent of the healthcare organization for their benefit.
  7. Right of Patients to Access Healthcare Information

    The rights of individuals to access their confidential patient information and obtain copies at a reasonable cost are fundamental to HIPAA rules. This is an important right. It allows patients to share their information with other healthcare providers as well as correct errors. If an organization fails to address a patient request for information in less than 30 days this may be a HIPAA violation.
    Some examples:
  8. Inadequate Control Surrounding Access to PHI

    After risk assessments are performed, controls must be put in place and constantly monitored to make sure that PHI is safe and available only to authorized personnel. The HIPAA violation has the most severe financial consequences.
    Some examples:
  9. Not Meeting the Two-Month Deadline for Breach Notifications

    If there is a breach a HIPAA covered entity must issue a breach notification in less than 60 days.
    Some examples:

Examples of Unintentional HIPAA violations

  1. Accidentally Sharing PHI with the Public

    Conversations between clinical co-workers about patient diagnosis, treatment, and medications should never occur in public spaces so they cannot be overheard.  It may not seem important discussing medicine around non-medical people in a public place like the hospital cafeteria. However, this kind of PHI breach can result in significant financial consequences for hospitals and healthcare organizations.
    Healthcare organizations can also inadvertently disclose PHI in ways other than a data breach. For example, a healthcare organization may disclose PHI to a patient's employer, or a person may be filmed or photographed without the patient's consent.  PHI in the form of paper records can also accidentally be disclosed by taking it offsite and then accidentally getting lost or stolen.  Healthcare organizations should be especially sensitive in today's work from home environment (WFH)  Also, emailing PHI information to the wrong person or using personal email accounts that are not encrypted can result in HIPAA breach.
    Some examples:
  2. Incorrect Disposition of PHI

    Incorrect disposal of PHI can make patients more vulnerable to public exposure of their information. PHI records should be shredded and hard drives destroyed based on industry accepted practices
    Some examples:
  3. Unsecured Records

    Any documents or files with PHI need to be kept in a secure location. Paper files should always be locked in file cabinets and never left unattended. Electronic PHI needs to be secured with strong passwords and encryption. Also, two factor authentication (2FA) to access the servers and networks are also critical. Only just a username and a strong password are not secure enough to thwart today's sophisticated hackers.  Employees should also be trained to never share login credentials since their coworkers may not have the same access rights. If an employee handling PHI steps away from their desk, then they should lock their workstation.  Specialized screen covers should also be used so that information is only viewable to the person sitting in front of the workstation.
    Antivirus and antimalware on devices with PHI should be kept secure by updating via automatic processes. Specialized hardware-based firewalls will add additional security. There is no substitute for strong passwords that are frequently changed and two-factor authentication (2FA) to thwart hackers.
  4. Employee Dishonesty

    HIPAA violations can occur if employees or contractors access PHI that they are not authorized to access. Policy training should emphasize that accessing PHI just for "curiosity" is still nevertheless a breach, and the intent does not matter as the fine will be the same. "I was just curious" is one of the most common reasons employees give when they violate HIPAA rules. People are curious about their families, friends, coworkers, and celebrities. When these violations are discovered, they may involve criminal charges. One health system in Los Angeles was fined $865,000 for failing to protect access to medical records. They found that an employee, Dr. Huping Zhou, had accessed unauthorized patient records 323 times, and for this violation he was sentenced to four months in federal prison.
  5. Unauthorized Release of PHI

    Sometimes members of the media can try to use social hacking to get information about public figures and celebrities. For instance, they might pretend they are a family member. Also, this kind of violation can happen when PHI is released to family members who are not authorized. Only clinical care and billing professionals, parents and children, and those with power of attorney have access to a person's PHI.
    When it comes to discussing PHI the principal of "need to know" should be used to decide who should be in the communication loop.  Healthcare organizations should implement access privileges with the Minimum Necessary Standards principle. Typically, those involved should be only the patient, the doctors, others care providers, and those handling medical billing.
    It is an excellent compliance best practice to make sure disclosure authorization forms are signed and maintained in patient files. The authorization form should specify what type of information is authorized for release and the expiry date of the authorization. The authorization form could also include classes of individuals, the types of PHI, and the reasons for disclosure.  Every authorization should have an expiration date otherwise it is not considered a HIPAA compliant. Care should also be taken to make sure that new authorization forms are signed if needed after an expiration date. Health care workers must also verify the identity of any individual or entity to whom they are providing PHI.

Examples of HIPAA Violations by Nurses

A good HIPAA compliance program will properly train nurses, as they are the most trusted clinical professionals. Nurses are responsible for maintaining information security of both paper and electronic PHI.  This is a very challenging role since they are the front line of patient care and very busy and multitasking. Some of the typical ways that nurses create HIPAA violations are:
  1. Disclosing PHI through speaking in public areas like the cafeteria or in the hallway.
  2. Viewing PHI for patients not under their care.
  3. Disposing of PHI in paper or electronic form without using standard approved practices.
  4. Not protecting PHI from the curious eyes of others around them. Nurses should always be sure that others are not able to view their workstation screens and paper documents.
  5. Using social media to share work-related information.
Request a Live Demo
See It In Action
Assess Your Needs
Download Tool
Try Giva's 30 Day Trial
Sign Up Today