20 Most Common HIPAA Violations You Should Avoid in 2024

What is a HIPAA Violation?

A HIPAA violation is noncompliance on the part of a HIPAA-covered entity with the standards set by the Health Insurance Portability and Accountability Act of 1996. Examples of HIPAA violations include:

  • Unauthorized access to Protected Health Information (PHI) 
  • Failure to perform an organization-wide risk assessment 
  • Lack of a risk management process 
  • Inadequate ePHI access control 
  • Failure to use encryption 
  • Impermissible disclosure of PHI 

The 10 Most Common Violations

The U.S. Department of Health and Human Services (HHS Office of Civil Rights) enforces HIPAA compliance and determines the appropriate penalties in cases where violations occur.

Here are 10 of the most common HIPAA violations. We’ll divide these violations into two categories: 

  • Violations that incur financial penalties 
  • Violations that do not incur financial penalties 

Violations that Incur Financial Penalties

HIPAA Violations and Financial Penalties

Violation                                                      Penalty Range
Non-Performance of an Organization-Wide Risk Analysis          $100,000 – $6,500,000
Lack of a Risk Management Process                              $150,000 – $1,700,000
Unauthorized Access to PHI                                     Varies
Inadequate Access Control for ePHI                             $111,400 – $5,500,000
Failure to Use Encryption or its Equivalent                    $650,000 – $3,200,000
Reporting Breaches Past the 60-Day Deadline                    $130,000 – $875,000
Failure to Enter HIPAA-Compliant Business Associate Agreement  Varies
Lack of Employee Training                                      Varies
Improper Disposal of PHI                                       Varies
Reckless Use of Social Media                                   Varies

These are HIPAA violations that incur financial penalties when discovered. The penalty depends on factors such as the gravity of the breach, how long the violation persisted, and the organization’s financial circumstances, and it is usually imposed on a per-violation basis.

The Office of Civil Rights (OCR) may impose penalties on a single healthcare professional or the entire healthcare facility for up to $250,000, depending on the gravity of the violation. These violations include:

Non-Performance of an Organization-Wide Risk Analysis ($100,000 – $6,500,000)

HIPAA expects covered healthcare providers to perform a risk analysis to determine the weak spots that may leave their patient information open to compromise. Failure to do this leaves patients’ Protected Health Information (PHI) vulnerable to actions that may undermine its integrity, confidentiality, and availability. 

Lack of a Risk Management Process ($150,000 – $1,700,000)

After performing a risk analysis, organizations must have a risk management process to address the vulnerabilities it reveals. This measure ensures that direct action is taken immediately after the discovery of a breach.

Unauthorized Access to PHI

Under the HIPAA Privacy Rule, PHI may be accessed for treatment, payment, and healthcare operations. Accessing PHI for any other reason without the patient’s permission is deemed unauthorized and will attract a financial penalty when discovered.

The law expects covered entities to make reasonable efforts to prevent such incidents. 

Inadequate Access Control for the Electronic Form of PHI (ePHI) ($111,400 – $5,500,000)

HIPAA expects covered entities to limit access to PHI on a need-to-know basis to reduce the risk of compromise. It imposes a financial penalty on organizations found in violation of this.

Failure to Use Encryption or its Equivalent ($650,000 – $3,200,000)

Encryption is the safest way to handle data in storage or transport. When data is encrypted, it remains inaccessible even when stolen (unless the decryption key is stolen, too), rendering such data useless for any malicious purpose. 

Though HIPAA does not mandate encryption, organizations should still implement such measures or their equivalent to secure their data. 

Reporting Breaches Past the 60-Day Deadline ($130,000 – $875,000)

HIPAA security regulations give organizations up to 60 days to report a security breach. Failure to report a violation within the deadline could result in a financial penalty.

Failure to Enter HIPAA-Compliant Business Associate Agreement

HIPAA expects covered entities to enter HIPAA-compliant business associate agreements with all vendors that handle PHI. This measure extends compliance obligations to vendors and ensures that they handle health information as stipulated by HIPAA, even when they are not covered entities themselves.

Lack of Employee Training

HIPAA mandates that covered entities provide privacy and security training for their employees and document the activity. If the government deems the compliance training of their employees inadequate, covered entities can be penalized.

However, if the covered entity can prove that it did train its employees by providing the necessary documentation, the court could decide that the specific employee in question should incur the penalties.

Improper Disposal of PHI

Covered entities must ensure that PHI is disposed of appropriately to prevent it from falling into the wrong hands. Businesses need to destroy physical (paper) records and ensure that digital records are deleted so that no recoverable copy remains.

Reckless Use of Social Media

The use of social media in a way that may disclose a patient’s private information is considered a HIPAA violation. Covered entities should take care to limit the use of social media in places that may compromise the organization. 

Violations Without Financial Penalties

Here are a few violations that do not result in any financial penalty but a corrective action plan. These include: 

  • Discussing a patient’s PHI where other parties can hear it
  • Charging a patient unreasonably for a copy of their PHI

What are the Penalties for HIPAA Violations?

HIPAA violations come with penalties that may be monetary (for civil violations) and can result in jail time (for criminal offenses). The fines from these penalties mostly compensate the unfortunate victims of these violations.

Civil Penalties

These are penalties imposed when a covered entity, unknowingly or through carelessness, fails to comply with HIPAA standards. Civil penalties are divided into four tiers of increasing culpability:

Lack of Knowledge (Tier 1)

These violations result from genuine ignorance, where the organization could prove they (or their employees) did not know of the violation.

Reasonable Cause without Willful Negligence (Tier 2)

In Tier 2, the covered entity was, or should have been, aware that its actions violated HIPAA, but the violation did not stem from willful neglect.

Willful Negligence, Corrected in 30 Days (Tier 3)

Here, the violation results from neglect on the part of a covered entity but is discovered and corrected within 30 days.

Willful Negligence But Not Corrected in 30 Days (Tier 4)

The violation results from carelessness, and the covered entity did not take corrective action within 30 days. 

Level of Violation   Minimum Penalty ($)   Maximum Penalty ($)   Annual Cap ($)
Tier 1               $127                  $63,973               $1,919,173
Tier 2               $1,280                $63,973               $1,919,173
Tier 3               $12,794               $63,973               $1,919,173
Tier 4               $63,973               $1,919,173            $1,919,173
Table 1. Civil penalty tiers

Criminal Penalties

Criminal penalties are imposed on individual health practitioners who knowingly violate HIPAA. These violations result in criminal charges, and penalties may include monetary fines, jail time, or both. 

There are three tiers of criminal violations: 

Wrongful Disclosure of PHI (Tier 1)

Here, the individual was unaware, or should have known, that their action violated HIPAA.

Wrongful Disclosure of PHI Under False Pretenses (Tier 2)

Here, the individual or organization obtained PHI under false pretenses and went ahead and disclosed it, knowing that such action violates the provisions of HIPAA.

Wrongful Disclosure of PHI under False Pretenses with Malicious Intent (Tier 3)

A third-tier violation occurs when an organization obtains PHI under false pretenses with the intent to transfer the data for personal gain or malicious purposes.

Level of Violation   Maximum Monetary Penalty ($)   Maximum Jail Time
Tier 1               $50,000                        1 year
Tier 2               $100,000                       5 years
Tier 3               $250,000                       10 years
Table 2. Criminal penalty tiers

20 Most Common HIPAA Violation Examples

We’ve covered all the different classifications and types of violations, but let’s talk specifics. Here are some concrete examples of HIPAA violations and their consequences.

1. Employees Divulging Patient Information

Preserving patient privacy necessitates strict adherence to policies. Employees must refrain from discussing patient information with unauthorized individuals, including coworkers, friends, family members, or external vendors. Employees should only discuss such details in private with authorized medical personnel.

2. Medical Records Left Unattended

Mishandling patient records poses a significant risk of HIPAA violations, particularly in clinics that still rely on paper-based systems. To prevent unauthorized access, patient records should always be securely stored in locked spaces and not left carelessly around the office.

3. Stolen Electronic Devices

Loss or theft of devices containing Protected Health Information (PHI) is a serious HIPAA violation. Proper precautions, such as password protection and timely device locking, should be implemented. Negligence, like leaving a laptop open and logged in, can render password protection ineffective. It is crucial to power down and secure all devices when not in use.

4. Texting Patient Information

Texting patient information may seem convenient, but it exposes sensitive data to potential hackers. Sharing patient names or information via text can lead to significant fines ($5k per text) and legal consequences.

5. Sharing Patient Information Through Skype or Zoom

Skype and similar platforms pose the same risks as texting when discussing patient information. Hackers can exploit vulnerabilities in these platforms, compromising the security of patient data. Opting for HIPAA-compliant video software is crucial to safeguard sensitive communication.

6. Discussing Patient Information Over the Phone

It’s against HIPAA to discuss private information with a patient over the phone in a public area. All phone conversations need to take place in a private area.

7. Secure Email Communication

Sending PHI through email is a common HIPAA violation, as it exposes patient information to potential unauthorized access. Encryption programs and HIPAA-compliant communication platforms should be used to maintain the security and integrity of sensitive data.

8. Sharing Medical Information on Social Media

Posting patient photos on social media violates HIPAA regulations, even without accompanying names or information. Such actions may inadvertently expose patient identities and health-related information. Strict policies and training should emphasize the prohibition of posting patient-related content on personal or professional social media accounts.

9. Secure Usage of Personal Computers

Using personal computers for accessing patient information after working hours is permissible, but precautions must be taken. Screens should be turned off and passwords applied to protect patient data from unauthorized access by family members or others. Regular policy training should reiterate these measures.

10. Unauthorized Access to Patient Files

Another pervasive violation is accessing patient information without proper authorization, regardless of the reason. Employees must only access patient data when necessary for their assigned responsibilities. Curiosity or assisting colleagues should not justify unauthorized access.

The University of California Los Angeles Health System was fined $865,500 after a doctor gained unauthorized access to celebrities’ health information.

11. Misuse of PHI for Personal Gain

Using or selling PHI for personal gain is illegal and subject to significant penalties, including potential imprisonment. Employee training sessions and regular reminders should highlight the severe consequences associated with such actions.

12. Obtaining Written Consent

Before disclosing PHI for purposes beyond treatment, payment, or healthcare operations, written consent is mandatory. When in doubt, healthcare professionals should err on the side of caution and ensure written consent is obtained to comply with HIPAA regulations.

13. Releasing Records After Authorization Date

Patient authorizations may have expiration dates, and releasing confidential records after the specified date is a HIPAA violation. Healthcare providers must exercise diligence to adhere to authorization timelines and avoid unauthorized disclosures.

14. Ensuring Proper Patient Signatures

Patient consent forms, including HIPAA authorization forms, must be signed to be considered valid. Releasing information without obtaining proper signatures violates HIPAA regulations, so ensure everything is signed correctly.

15. “Need to Know” Principle for Nurses

Nurses should access patient information strictly for the patients under their care. Accessing PHI for patients assigned to other nurses is a HIPAA violation. Following the “need to know” principle ensures that patient information is only accessed by authorized individuals responsible for their care.

16. Compliance with the “Minimum Necessary” Principle

Health insurance companies require essential patient information, such as the number of clinic visits but not the complete medical history. It is crucial to adhere to the “minimum necessary” principle, sharing only the required information to fulfill operational needs to avoid unnecessary HIPAA violations.

17. Obtaining Consent for Minors

Releasing information about minors without proper parental consent is a HIPAA violation. Ensuring appropriate consent is obtained for all patients, including minors, is vital to avoid legal complications and maintain compliance.

18. Releasing the Wrong Patient’s File

Even by mistake, releasing the wrong patient information constitutes a HIPAA violation. Implementing verification processes and training staff to double-check information minimizes the risk of such errors. And when you release the information, it should go to the person authorized on the form.

19. Inclusion of the “Right to Revoke” Clause

All patient forms, including consent forms, should contain a “right to revoke” clause. Omitting this clause invalidates the forms, and any subsequent release of information to third parties violates HIPAA regulations. Ensuring the presence of this clause is essential for maintaining compliance.
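The consent, authorization-expiry, need-to-know, minimum-necessary, named-recipient and right-to-revoke checks in items 12 through 19 above are exactly the kind of rules a records system should enforce before a release leaves the building, not leave to memory. The following is an added example, not code from the article or from any vendor named on this page: a single release gate that applies those checks and reports every failed one, so a compliance officer sees the full picture rather than the first error. The data model, field names, purpose-to-field policy and sample records are all constructed for illustration.

```python
"""PHI release gate: applies the pre-disclosure checks described above.

Constructed example. The Authorization/ReleaseRequest models, the
MINIMUM_NECESSARY policy table, and the sample records in demo() are
assumptions made for illustration, not a real system's schema.
"""
from dataclasses import dataclass, field, replace
from datetime import date
from typing import Optional

# Purposes for which HIPAA permits use of PHI without a separate patient
# authorization: treatment, payment, and healthcare operations (TPO).
TPO_PURPOSES = {"treatment", "payment", "operations"}

# "Minimum necessary" field sets per TPO purpose (assumed policy table).
MINIMUM_NECESSARY = {
    "treatment": {"name", "dob", "diagnoses", "medications", "visit_dates"},
    "payment": {"name", "dob", "visit_dates", "billing_codes"},
    "operations": {"visit_dates", "billing_codes"},
}


@dataclass
class Authorization:
    """A signed patient authorization form for a non-TPO disclosure."""
    patient_id: str
    recipient: str              # person or organization named on the form
    purpose: str
    expires: date
    signed: bool
    has_right_to_revoke: bool
    permitted_fields: set = field(default_factory=set)
    revoked: bool = False


@dataclass
class ReleaseRequest:
    patient_id: str
    requester: str              # staff member performing the release
    recipient: str              # where the records are going
    purpose: str
    fields: set                 # data elements being requested
    authorization: Optional[Authorization] = None


def check_release(req: ReleaseRequest, assignments: dict, today: date):
    """Return (allowed_fields, findings).

    An empty allowed set means the release must be refused. `findings`
    carries every failed check plus any fields withheld under the
    minimum-necessary rule. `assignments` maps staff -> set of patient ids.
    """
    failures, notes = [], []

    # Need-to-know: the requester must be assigned to this patient (item 15).
    if req.patient_id not in assignments.get(req.requester, set()):
        failures.append("need-to-know: requester is not assigned to this patient")

    if req.purpose in TPO_PURPOSES:
        # Minimum necessary: trim the request to the policy's field set (item 16).
        allowed = req.fields & MINIMUM_NECESSARY[req.purpose]
        dropped = req.fields - allowed
        if dropped:
            notes.append(f"minimum necessary: withheld {sorted(dropped)}")
    else:
        auth = req.authorization
        if auth is None:                       # item 12: written consent needed
            failures.append("written authorization required for non-TPO purpose")
            allowed = set()
        else:
            if auth.patient_id != req.patient_id:
                failures.append("authorization is for a different patient")
            if not auth.signed:                # item 14
                failures.append("authorization form is not signed")
            if not auth.has_right_to_revoke:   # item 19
                failures.append("form lacks a right-to-revoke clause")
            if auth.revoked:
                failures.append("authorization has been revoked")
            if today > auth.expires:           # item 13
                failures.append(f"authorization expired on {auth.expires.isoformat()}")
            if auth.recipient != req.recipient:  # item 18
                failures.append("recipient is not the person named on the form")
            if auth.purpose != req.purpose:
                failures.append("purpose differs from the one authorized")
            allowed = req.fields & auth.permitted_fields
            dropped = req.fields - allowed
            if dropped:
                notes.append(f"not covered by authorization: withheld {sorted(dropped)}")

    if failures:
        return set(), failures + notes
    return allowed, notes


def demo():
    """Run constructed sample requests through the gate; returns name -> result."""
    assignments = {"nurse_a": {"P-001"}, "nurse_b": {"P-002"}}  # constructed
    today = date(2024, 3, 1)
    expired_auth = Authorization(
        patient_id="P-001", recipient="Study Coordinator", purpose="research",
        expires=date(2024, 1, 31), signed=True, has_right_to_revoke=True,
        permitted_fields={"diagnoses", "visit_dates"})
    valid_auth = replace(expired_auth, expires=date(2024, 12, 31))
    cases = {
        "treatment_min_necessary": ReleaseRequest(
            "P-001", "nurse_a", "Dr. On-call", "treatment",
            {"name", "diagnoses", "billing_codes"}),
        "other_nurses_patient": ReleaseRequest(
            "P-001", "nurse_b", "Dr. On-call", "treatment", {"name"}),
        "research_expired": ReleaseRequest(
            "P-001", "nurse_a", "Study Coordinator", "research",
            {"diagnoses"}, expired_auth),
        "research_no_consent": ReleaseRequest(
            "P-001", "nurse_a", "Study Coordinator", "research", {"diagnoses"}),
        "research_valid": ReleaseRequest(
            "P-001", "nurse_a", "Study Coordinator", "research",
            {"diagnoses"}, valid_auth),
    }
    return {name: check_release(r, assignments, today) for name, r in cases.items()}


if __name__ == "__main__":
    for name, (allowed, findings) in demo().items():
        print(f"{name}: allowed={sorted(allowed)} findings={findings}")
```

The gate deliberately collects all failures before refusing, and it treats minimum-necessary trimming as a note rather than a refusal: a treatment request that over-asks still goes out, but only with the fields the policy permits, and the withheld fields are recorded for audit.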

20. Proper Disposal of Records

This applies more to facilities that still use paper records. Paper records should be unrecognizable when disposed of, so shredding is one option. For digital records, companies could destroy the storage media by disintegration, pulverization, melting, or incineration.

How Does it Affect Patients?

Carrying out actions designated as HIPAA violations results in one thing: wrongful disclosure of Protected Health Information. Not only does that violate patient privacy, but it may also result in many consequences, depending on the actors involved. Common examples of these consequences include blackmailing the patient, identity theft, cyber-attacks, and the like.

How to Avoid HIPAA Violations

A covered entity’s interest is in avoiding HIPAA violations, considering the penalties involved and the dangers they may expose patients to. Here are tips on how to do that. 

Tips for Covered Entities

HIPAA compliance for covered entities means being audit-ready at all times and entails the following: 

  • Implementing adequate access control for both physical files and electronic health records 
  • Ensuring proper employee training, with documented evidence to prove it 
  • Ensuring that vendors and other business associates are bound by HIPAA-compliant agreements
  • Ensuring that organization-wide risk analyses are carried out at intervals to determine potential risks 
  • Ensuring that a risk management plan is in place at all times 
  • Carrying out periodic audits to ensure that the organization maintains a good compliance posture 
  • Ensuring proper disposal of PHI records when needed. 
  • Honoring patients’ medical records requests 

Tips for Employees, Healthcare Providers, and Contractors

Healthcare employees can be as liable for HIPAA violations as covered entities and should be mindful of the following: 

  • Avoiding reckless use of social media to share things that may amount to wrongful disclosure 
  • Avoiding discussing patients with unauthorized parties 
  • Ensuring that PHI access devices and patient files are never left unattended, to avoid loss or theft 
  • Avoiding accessing PHI without authorization 
  • Preventing inadvertent release of PHI to unauthorized parties 
  • Avoiding giving access to co-workers with no access rights 

How Perimeter81 Helps You Avoid HIPAA Violations and Fines

Perimeter81 has a suite of security solutions that offer your organization complete visibility into on-premise or cloud resources. Extra security measures like 2FA mean you no longer have to worry about the loss of or unauthorized access to your healthcare records. Add its strong data encryption serving as an additional layer of security, and the HIPAA Breach Notification rule becomes a thing of the past. 

Thinking of nailing your compliance requirements and improving your compliance posture? Check out Perimeter81’s regulatory compliance solutions.

Want to get the latest updated information on staying HIPAA-compliant? Download our HIPAA compliance checklist.

FAQs

What are the ten most common HIPAA violations?
Some of the most common violations include the following: 
  • Failure to use encryption 
  • Inadequate ePHI access control 
  • Inadequacies in employee training 
  • Loss or theft of portable devices (with PHI access) 
  • Improper disposal of PHI 
  • Non-compliant business associate agreements 
  • Unauthorized access to PHI 
  • Failure to carry out organization-wide risk analysis 
  • Lack of a risk management plan 
  • Reckless use of social media 
  • Discussing medical records with unauthorized individuals
Are HIPAA violations common?
Yes, HIPAA violations are widespread. Something as simple as posting photos of hospital hallways or losing a device with access to PHI can be a HIPAA violation.
What is the most severe HIPAA violation?
In HIPAA, the severity of a violation increases with the entity’s level of awareness and the time taken to initiate remediation actions. 
Considering this, the most severe HIPAA violations are those committed willfully with late remediation efforts (for civil violations), malicious intent, or hope of personal gain (for criminal violations). An example is disclosing healthcare records with the intent to cause embarrassment.
How are HIPAA violations discovered?
HIPAA violations are discovered through one of the following ways: 
Employee self-report – when an employee realizes they have violated HIPAA and reports the violation to the organization’s privacy officer or compliance officer. 
Employee reporting another employee – when an employee reports a potential violation by another employee to the organization’s privacy officer or compliance officer. 
Internal Audit – an organization audits its compliance status to determine where it may have become non-compliant. For this, it may engage the services of a compliance agency or service. HIPAA also mandates organizations report certain violations to the HHS Office for Civil Rights. 
Office of Civil Rights (OCR) audit – when the OCR initiates an investigation on the strength of a report made by an organization or a private individual, taking enforcement actions when necessary. 
How do you report a HIPAA violation?
Anybody can report a HIPAA violation through these two channels:

1. Reporting Internally – Internal reports are the first step after discovering a violation. If you’re a covered entity, you must report it to your compliance office immediately. The compliance officer is then expected to investigate the violation and take corrective actions immediately or to report to the OCR if needed.
2. Reporting to the OCR – When an employee makes a report internally and sees no remedial action after a reasonable time, HIPAA permits an employee to bypass the covered entity and report the violation to the OCR directly. It also protects the employee from any retaliatory measures that the covered entity may bring on them. After this, the OCR retains the prerogative to determine whether the complaint has merit and whether to offer technical assistance or take enforcement actions. 
What does “reduce risk to an appropriate and acceptable level” mean?
It is impossible to eliminate risk from any process; some level of risk always remains. Therefore, “reducing risk to an appropriate and acceptable level” means reducing the risk inherent in a process to a point where a covered entity can bear the associated consequences.
What counts as HIPAA violations by employees?
The following count as HIPAA violations by employees: 
  • Access to PHI without patient authorization 
  • Disclosure of PHI after the authorization period 
  • Disclosure of PHI to an unauthorized party 
  • Stolen or lost PHI access devices 
  • Reckless use of social media 
What constitutes a HIPAA violation by business associates?
Business associates violate HIPAA when they fail to notify the covered entity of a breach within 60 days of the breach.