<img src="https://ws.zoominfo.com/pixel/6169bf9791429100154fc0a2" width="1" height="1" style="display: none;">

Life's like a box of chocolates 🍫 Your access shouldn't be. Register for our new webinar.

Close icon
Search bar icon

What Is a HIPAA Violation? 12 Most Common Examples

StrongDM manages and audits access to infrastructure.
  • Role-based, attribute-based, & just-in-time access to infrastructure
  • Connect any person or service to any infrastructure, anywhere
  • Logging like you've never seen

Summary: This article digs into Health Care Accountability and Portability Act (HIPAA) violations. Discover what they are and get examples of typical HIPAA violations in healthcare. Plus, learn how breaches are detected and reported and what you can do to protect your organization. After reading this article, you’ll clearly understand what violates HIPAA regulations and be able to identify easily avoidable violations. You’ll also learn which organization enforces HIPAA, how to file a complaint, and how to self-report breaches when required.

What Is a HIPAA Violation?

HIPAA violations occur when an organization runs afoul of the standards defined by this 1996 U.S. Federal legislation. Many HIPAA violations are related to accessing or sharing patients’ protected health information (PHI). However, violations can also include items such as not training staff or monitoring access logs.

HIPAA laws aim to modernize healthcare information in an era of digital records. They delineate patient data privacy regulations by requiring security measures around access to healthcare information with three primary rules:

  • The Privacy Rule
  • The Security Rule
  • The Breach Notification Rule

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) administers HIPAA. Since HIPAA’s debut in 1996, the U.S. Congress has augmented it with updates like the 2009 HITECH Act.

Its rules affect “covered entities”:

  • Hospitals
  • Insurance companies
  • Healthcare clearinghouses
  • Cash-only providers who don’t do business with insurance organizations

They also impact vendors who provide services to healthcare providers who might come into contact with PHI.

Examples of the 12 Most Common HIPAA Violations

What is considered a HIPAA violation? HIPAA violations span a wide range. They even include accidental HIPAA violations, for example, losing a personal cell phone that allows for access to workplace applications. Sadly, unintentional breaches don’t make them less damaging. However, many breaches stem from an imperfect understanding of what constitutes a violation. For example, one organization was fined when it had a third party convert x-rays to a digital format without a business agreement in place to ensure HIPAA regulations were met.

Since 2003, OCR has investigated almost 300,000 potential HIPAA privacy rule violations. Yet many healthcare employees still don’t know what constitutes a HIPAA violation despite the high stakes for these types of violations in the workplace. For example, any breach of HIPAA rules can result in a $50,000 fine. And obtaining PHI with reasonable cause or no knowledge of a violation can potentially result in jail time. To avoid these penalties, knowledge of examples of HIPAA violations by employees—and examples of HIPAA violations by employers—is crucial.

Categories of HIPAA breaches

HIPAA breaches can occur inadvertently or intentionally. Let’s look at the 12 common categories of breaches:

  1. Lack of HIPAA compliance training: Compliance training is required, as well as documentation of that training. Failure to provide either one often leads to a violation.

  2. Failing to perform an organization-wide risk analysis: You must perform this analysis to get detailed information about your organization’s vulnerabilities. The HIPAA Security Rule Toolkit can help you identify which areas to assess.

  3. Medical record mishandling: Stepping away from exposed computer screens or leaving paper records visible on your desk risks a greater chance of unauthorized third parties viewing PHI. It’s also common to leave physical charts in hospital rooms after a patient has moved. Increase security by requiring locked screens and using digital records. Also, develop a system to protect patient files from public view.

  4. Using unencrypted technology to share PHI: Do not share patient files in unsecured channels. In one HIPAA violation example, providers sent unencrypted PHI via email to patients. Use only devices and platforms that are protected and encrypted.

  5. Failing to plan for cyber attacks: Cyber attacks are increasingly common with so many records stored in the cloud. Ensure databases are secure and cloud providers have processes to avoid, detect, and contain breaches.

  6. Failing to get proper authorization to share records: Train employees to get written consent to share records in circumstances unrelated to treatment and billing. Also, train them to avoid sharing personal information without a patient’s consent, such as with the patient’s family.

  7. Failing to safeguard devices that might be stolen: Many cash-only providers believe the privacy rule doesn’t apply to them. But many common ways to share data don’t involve insurance and health management organizations. Computers are at high risk for theft, which poses a risk for this violation because digital devices contain protected patient information. If a theft occurs, ensure these devices are protected and patient files are inaccessible, encrypted, and secured with robust access permissions. Consider all types of devices where you keep records: computers, computer disks, phones, and USB drives.

  8. In-person discussions about patients: Casual discussions about patients violate HIPAA when they aren’t related to necessary treatment information and when they happen within earshot of employees that aren’t essential to that treatment. These unintentional HIPAA violations are examples of “gossip” HIPAA violations. Collaborations to treat a patient are acceptable but make sure they happen privately.

  9. Disclosing incorrect patient information: In busy practices, simple human error is common in transferring records. When sharing patient records with non-providers, destroy faxes, delete emails, and don’t share other patient information. Create a habit of double-checking records before errors occur.

  10. Improper disposal of PHI, digitally and physically: For authorized agents, shred physical records before taking them to the trash. With digital files, learn how to delete patient records entirely from hard drives. These situations are examples of physical HIPAA violations.

  11. Social sharing: Social media comes with various pitfalls for healthcare workers. For example, social posts have the power to make private hospital moments public. They also allow for potential sharing between patients, care providers, and the broader community. Minimize social sharing that involves the organization or patients.

  12. Forgetting a business associate contract: Vendors who work with covered entities and might access PHI must have a contract that requires HIPAA compliance. Don’t overlook this requirement.

Complex examples of HIPAA violations

For some issues, HIPAA violation examples are less clear. For example, is losing medical records a HIPAA violation? Some outcomes of record loss can violate HIPAA. According to HIPAA, patients have a right to their medical records within 30 days of a request; failure to provide them is a HIPAA violation. Losing a device or record that exposes patient records to unauthorized actors is also a HIPAA violation.

In another example of what qualifies as a HIPAA violation, law enforcement and military agencies can sometimes face a penalty for a HIPAA violation—but not always. Law enforcement agencies aren’t covered entities. However, if they operate their own medical service, only then can they face HIPAA violation fines.

What about HIPAA military requirements? The military exception means care providers can disclose PHI to military personnel to determine fitness for duty or a particular mission.

How Are HIPAA Violations Discovered?

In 2022 alone, more than 40 million health records were compromised. For the most part, responsible employees of covered entities reported these HIPAA violations to OCR. Covered entities can also uncover violations through internal auditing and self-reporting. Of course, co-workers also have a hand in reporting HIPAA violations in the workplace.

OCR’s own audits of covered entities and their business associates also reveal violations. OCR maintains an audit pool through random selection, pre-screening questionnaires, and pool selection. These audits can also occur due to a complaint or because the covered entity helps represent a cross-section of U.S. healthcare providers.

What happens after a HIPAA complaint is filed? OCR decides whether the complaint warrants investigation. It notifies the organization against which a complaint is filed. Next, it requests information related to its investigation of the claim. Covered entities must comply with OCR requests regarding HIPAA violation complaints. HIPAA stipulates that an entity should not retaliate against you for filing a complaint. Victims of retaliation can contact OCR for guidance. After an investigation, OCR finds covered entities compliant or requires them to take corrective action.

A resolution agreement is a settlement with OCR and the covered entity (or business associate) for remediation. It typically includes bringing violations into compliance and periodic reporting to the HHS. It can lead to civil HIPAA non-compliance penalties.

How to Avoid HIPAA Violations

Covered entities and individual healthcare workers have different concerns about HIPAA violations. The breadth of this law means organizations must focus on systems and training, especially for those who are just starting their career in healthcare, while employees need ways to proactively protect themselves and their careers.

Tips for covered entities

Avoiding HIPAA violations means being prepared for audits and making sure you have policies to address areas of concern in your risk analysis. Here are some items to address:

  • Regularly perform a comprehensive risk analysis.
  • Train employees and store records of employee training.
  • Ensure business associate contracts specify HIPAA compliance; also keep track of the policies you have in place with these vendors.
  • Know where you store PHI, how it’s accessed, and what policies are in place to protect it.

Tips for employees, providers, and contractors

OCR has guidance for professionals about their requirements under HIPAA. Training employees on common violations is a primary way to ensure your organization avoids HIPAA violations. Address the following areas:

  • Establish a protocol to check authorization requirements before disclosing medical information to avoid HIPAA violations by health care staff.
  • Address where discussions of patient information can occur.
  • Train contractors to not share login credentials, not to leave physical files or devices unattended, and never to share patient information on unencrypted devices.
  • Limit social media. Examples of social media HIPAA violations include employees posting hallway pictures in a healthcare facility that can compromise patient privacy in ways they never considered. Address removing current patients as contacts from social media platforms.
  • Designate a privacy and compliance officer to help manage questions, training, reports, and risk analyses. Even small organizations benefit.

How StrongDM Helps You Avoid HIPAA Violations

While your IT department has a small part to play in making sure your organization moves patient charts from room to room, it has an outsized role in protecting digital PHI. And with cybersecurity threats to healthcare institutions up 150% since the COVID-19 pandemic, its role in managing digital assets has become more critical.

That news provides little comfort to victimized entities. They’re often liable for losing patient records under HIPAA, with hefty settlement fees, and they incur significant costs to secure the systems they rely on to provide patient care. Crucial cybersecurity steps, like StrongDM’s infrastructure access platform, help prevent these breaches.

Securing access to critical infrastructure is at the heart of the StrongDM platform, helping upgrade security for PHI. With an infrastructure access platform, covered entities get:

  • Just-in-time (JIT) access to needed records. Not only does it prevent hacking, but it also ensures employees aren’t misusing records by accessing them when there’s no immediate need.
  • Auditing of sessions. Logging, alerts, and monitoring are inherent in the platform, making it possible to demonstrate an organization’s commitment to managing its records. IT, security, and compliance teams can quickly investigate HIPAA breaches and limit damages.
  • Granular control of vendor and employee access, such as one-click onboarding and offboarding, so unauthorized users never have access to sensitive files. It’s part of a secure, comprehensive authentication, authorization, networking, and auditing architecture.

HIPAA standards require covered entities to implement processes and procedures to detect and correct security violations. Access management solutions give teams a way to meet that standard. StrongDM creates administrative controls to provide employees with only the permissions they need while preventing unauthorized users from accessing records.

HIPAA Violations: Frequently Asked Questions

Many frequently asked questions (FAQs) about HIPAA center on the process when an organization has a breach, a patient or employee needs to file a complaint, or OCR audits an organization. Yet, organizations and their employees should be confident they’re not intentionally violating HIPAA regulations. Follow the guidance in our FAQs to help your organization and employees be in the know.

Where to report a HIPAA violation?

Who do you report HIPAA violations to? File a complaint with HHS. Anyone can file a complaint, and it's easy to find out how to report HIPAA violations. The simplest way to get started is through the online complaint portal. File complaints within 180 days of the violation, although HHS makes exceptions if you can demonstrate a good reason.

How to report a HIPAA violation anonymously?

OCR requires the name and contact information of those filing complaints to start an investigation. However, you can download the complaint form and mail it to OCR without your contact information, which can result in no action taken against the covered entity.

A better option is to stipulate that OCR keeps your information private. By refusing to consent to reveal your identity, you can protect yourself from backlash, and your name won’t be given to the entity if OCR initiates an investigation. Other channels for anonymous reporting include hotlines or patient surveys.

Is a HIPAA violation a crime?

Yes, a HIPAA violation is a crime. Even seemingly minor items on the list of HIPAA violations can come with steep criminal HIPAA violation penalties. For willfully violating rules, individuals can face HIPAA violation fines from $50,000 to $250,000, plus restitution. HIPAA violation consequences can also include jail time of up to ten years. What happens when you violate HIPAA? Civil fines for HIPAA violations by individuals start at $100 and can be as high as $25,000 for multiple infractions.

Is a HIPAA violation grounds for termination?

Yes, HIPAA breach penalties can result in termination. However, if the breach was accidental and “in good faith,” HIPAA rules do not designate the breach as reportable. The results of an internal investigation, the scope of the breach, and the employee’s role in it are all factors in the ultimate outcome. Penalties for violating HIPAA can range from criminal liability to increased organizational security and training.

Who can commit a HIPAA violation?

HIPAA rules apply to covered entities who work with PHI and their contracted vendors who may access their data. So, can a non-medical person violate HIPAA? Yes, absolutely. Here’s who can violate HIPAA:

  • Business associates of covered entities who might work with PHI
  • Employees
  • Healthcare clearinghouses
  • Healthcare providers and hospitals
  • Health plans
  • Volunteers, interns, contractors, and trainees of any covered entities or business associates

Who can sue for a HIPAA violation?

OCR offers guidance for individuals about their rights under HIPAA. However, patients cannot sue covered entities for violations of HIPAA alone. Individuals have some options to recover damages when they suffer harm following a privacy breach. They can bring a case against a provider on a related issue when they suffer provable injuries. Most often, the answer to whether you can sue for HIPAA violations is no. Lawsuits involving HIPAA stem from OCR and state attorneys general who take action against violators. They protect future individuals from harm but don’t provide relief for an affected individual.

When to self-report a HIPAA violation?

Breaches that demand reporting under HIPAA involve unsecured PHI that’s accessed in a way that violates the privacy rule. When that violation occurs, business associates and individuals need to report breaches to covered entities within 60 days. If the breach involves fewer than 500 records, covered entities have 60 days to report it to HHS, but organizations must report larger breaches immediately.

Manage Access and Protect Patients

Managing permissions, monitoring systems, and keeping up with compliance are long-term commitments. StrongDM makes them a little easier by automating least-privilege access, centralizing logging, and locking down your PHI to make it easier to stay HIPAA-compliant.

See how StrongDM protects your PHI from HIPAA violations. Start a 14-day free trial to get started

About the Author

, Customer Engineering Expert, has worked in the information security industry for 20 years on tasks ranging from firewall administration to network security monitoring. His obsession with getting people access to answers led him to publish Practical Vulnerability Management with No Starch Press in 2020. He holds a B.A. in Philosophy from Clark University, an M.A. in Philosophy from the University of Connecticut, and an M.S. in Information Management from the University of Washington. To contact Andy, visit him on LinkedIn.

StrongDM logo
đź’™ this post?
Then get all that StrongDM goodness, right in your inbox.

You May Also Like

Leveraging CSA Cloud Security Matrix (CMM) for Enhanced Cloud Security
Leveraging CSA CCM with StrongDM for Enhanced Cloud Security
The CSA CCM is a cybersecurity control framework specifically designed for cloud computing. It outlines a comprehensive set of best practices and security controls across 17 domains that are designed to ensure that cloud environments are secure and resilient against an ever expanding threat landscape. The CCM framework is structured to provide clarity and actionable guidance for the implementation of security measures in a prescriptive and adaptable way for recognized compliance standards and control frameworks.
FFIEC Controls: How to Ensure Secure Access and Mitigate Threats
Ensure Secure Access and Mitigate Threats to FFIEC Controls
The Federal Financial Institutions Examination Council (FFIEC) places significant emphasis on user security controls and the mitigation of potential risks posed by privileged users. To comply with FFIEC guidelines and safeguard critical systems, strong access management measures are crucial.
Understanding ISO 27001 Controls [Guide to Annex A]
Understanding ISO 27001 Controls [Guide to Annex A]
In this article, we’ll cover the 14 specific categories of the ISO 27001 Annex A controls. You'll learn how to decide which ISO 27001 framework controls to implement and who should be involved in the implementation process. By the end of this article, you'll have a basic understanding of ISO 27001 Annex A controls and how to implement them in your organization.
NIST 800-53 Compliance Checklist: Easy-to-Follow Guide
NIST 800-53 Compliance Checklist: Easy-to-Follow Guide
In this article, we’ll explore the basics of NIST 800-53 compliance and cover the complete list of NIST 800-53 control families. We’ll also provide a 5-step NIST 800-53 checklist and share some implementation tips. By the end of the article, you’ll know how organizations can use the NIST 800-53 framework to develop secure, resilient information systems and maintain regulatory compliance.
What Are the ISO 27001 Requirements?
What Are the ISO 27001 Requirements in 2024?
To become ISO 27001 certified, organizations must align their security standards to 11 clauses covered in the ISO 27001 requirements. In this article, you’ll discover what each clause in part one of ISO 27001 covers. We’ll also take a big picture look at how part two of ISO 27001—also known as Annex A—can help your organization meet the ISO/IEC 27001 requirements.