5 Most Common HIPAA Privacy Violations

The HIPAA Privacy Rule was put in place to give patients the right to access and amend their protected health information (PHI), to define appropriate disclosures, and to help reduce fraud, waste and abuse. If your facility and its network aren’t HIPAA compliant, the costs may be significantly higher than the cost of taking action. HIPAA compliance violations erode the trust between a healthcare provider and patients. They can result in hefty fines (up to millions of dollars) or even criminal charges (under the HITECH Act criminal penalties, failure to report a breach affecting more than 500 individuals to HHS can result in jail time).

That’s one risk you just can’t afford to take.

Take a look at these 5 most common HIPAA privacy violations and learn what preventive measures you can take to avoid these violations and their severe penalties.


1. Losing Devices

In the last decade, over 800 device loss or theft incidents have been reported. The biggest problem with HIPAA compliance today is devices with stored patient health information, i.e. desktop computers, laptops, tablets and smartphones, being stolen or lost.

This violation includes work devices and your own personal devices if you use them to access this information. Mobile devices are the most vulnerable to theft and misplacement because of their smaller size and portability.

Solution: Keep a watchful eye on your devices and lock them up when you’re not around. Secure the files on these devices with encryption and use a cloud hosting solution for remote access. 95% of identity theft comes from stolen medical information, so exposing devices to cybercriminals can lead to a significant breach of patient trust and result in millions of dollars in fines.

While encryption won’t reduce the cost of the device or the time to rebuild or recover the user’s system, it can remove the need to notify HHS of a breach affecting more than 500 individuals.

2. Getting Hacked

Data on several healthcare network servers has been hacked over the last few years, and the numbers continue to rise. In 2021, 50 million individuals were affected by a healthcare data breach – 15% of the US population at the time. This issue has become even more prevalent with the advent of technologies like telemedicine, cloud storage, and digital communication.

These servers have PHI for hundreds to millions of patients, so when these skilled hackers — who are only getting better at what they do — get their hands on them, they leak this information out or sell it to the highest bidder. Some of this information includes Social Security numbers, birth dates, addresses and insurance information.

Solution: Use a HIPAA compliance software tool to assist you with regular privacy and breach compliance checks. Automate reminders to rotate encryption keys and certificates, and build a robust incident response plan with your IT team for when any protocols are breached.

47% of healthcare data breaches come from hackers, and it is the responsibility of covered entities and business associates to take necessary security measures, like encryption and deep-packet inspection firewalls that can block phishing or other malware attacks, to safeguard PHI. If hacking occurs, the Office of Civil Rights (OCR) will look for proof that the entity implemented proper safeguards against hacking, so organizations must use a tool that enables year-round compliance.


3. Employees Dishonestly Accessing Files

In 2021, employees were responsible for 39% of healthcare breaches, compared to 18% in other industries.

Unfortunately, you can’t trust everyone. Sometimes staff misconduct leads to a severe breach of HIPAA compliance, most commonly in the form of snooping through medical information without proper access.

Staff may do this out of curiosity, out of spite, or because a friend or relative asked them to. Whatever the excuse, it’s unethical, yet it continues to happen.

This problem is amplified when accounts are shared between physicians and their employees. Physician staff may use the physician’s system user account, assuming they will not be held accountable for what they do under it.

Solution: The first step in preventing staff misconduct is to hire only after thorough background checks, but even the most thoroughly vetted employees can mishandle patient information. To avoid violations, implement policies and procedures, backed by annual HIPAA Security training, that enforce unique user IDs, passwords, passcodes and/or clearance levels, so that employees are discouraged from accessing patient files they’re not authorized to see and every access can be traced to an individual.

4. Improper Filing and Disposing of Documents

In 2021, HealthReach Community Health Centers in Waterville, Maine, notified over 100,000 patients of a health data breach that resulted from improper disposal of medical records.

When using a paper filing system, there will likely be some human error: an employee incorrectly filing a patient’s record, or accidentally discarding a document without first shredding it. Sometimes people just have a bad day or get distracted. Mistakes happen, but they happen more often with this system.

Solution: Establish policies and procedures to ensure any PHI or personally identifiable information (PII) on paper is locked away at night or stored in secured disposal bins prior to shredding. Switch over to an electronic filing system, or ensure everyone double and triple checks that they correctly file and dispose of documents.


5. Releasing Patient Information After the Authorization Period Expires

Patients deserve transparency and easy access to their records. New updates to the HIPAA privacy law require covered entities to respond to patient requests for records within 15 days instead of the previous 30-day window. Failure to adhere to this timeline is a direct violation of HIPAA regulations. Your entire organization must comply with this rule to avoid penalties.

But what if you don’t fulfill a request on time? HIPAA authorization forms carry expiration dates. 22% of healthcare cybersecurity incidents are caused by insider error, and this is one common example: too many times, someone hasn’t paid close enough attention to the expiration date when a request for a release of information comes through, and has sent out that information even though they shouldn’t have.

If a request is past the expiration date, you must complete a new HIPAA authorization form.

Solution: Set automated reminders to keep your teams on task and on time. You can set reminders in software solutions like project management platforms, ITSM software, or a HIPAA compliance solution. Additionally, verify the expiration date of the HIPAA authorization before releasing any information, and complete a new form if needed. HIPAA reference: §164.508(a)(1)-(3), §164.508(b)(6), §164.508(c)(1), §164.508(c)(2), §164.530(j).

Another preventive measure is performing a HIPAA self-assessment. A self-assessment shows any high-risk vulnerabilities or gaps in compliance in your facility and network, so you can then create an action plan to remediate those issues.

Once you gather information about your teams, operations, processes, and policies through an assessment, you will gain insight into any weak points or potential vulnerabilities that could lead to breaches, cyberattacks, or HIPAA compliance failures.

Protect Patients and Your Organization With the Right Tools

HIPAA violations can be devastating, but there are measures you can take to protect your patients and your organization. Conduct regular HIPAA risk assessments, train your staff correctly, set automated reminders, and implement a HIPAA compliance solution to avoid security gaps. Learn more about how you can stay secure with HIPAA One.