9 Common HIPAA Violations

It’s important to be HIPAA compliant if your company or application handles Protected Health Information (PHI) and/or electronic protected health information (ePHI).

The Centers for Disease Control and Prevention (CDC) defines the Health Insurance Portability and Accountability Act (HIPAA) as a “federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.”

Under the HIPAA Privacy Rule, healthcare providers and organizations are required to protect and maintain the privacy of their patients’ personal health information.

HIPAA non-compliance penalties for privacy and security violations can range from $100 to $50,000 per incident, all the way up to $1.5 million per year, sanctions, loss of licenses, loss of employment, criminal charges, and imprisonment.

Protected Health Information (PHI) includes information such as patient names, dates of birth, social security numbers, medical procedures, medical test results, health insurance information, etc.

For HIPAA compliance, PHI and ePHI should be protected and secured at all times.

Here are 9 common HIPAA violations to be aware of:

  1. Failure to Conduct a Risk Analysis and Risk Management Process
    A HIPAA risk analysis should be conducted for organizations and healthcare companies on a regular basis to determine whether any protected health information (PHI) is at risk.
    A risk management process should be in place to prevent and address any identified risks.
  2. Failure to Obtain HIPAA Compliant Business Associate Agreements (BAA)
    Healthcare providers and organizations must make sure that every Business Associate (BA) they hire who has access to, or may come in contact with, PHI is provided with and signs a Business Associate Agreement (BAA) for HIPAA compliance, and they must keep these signed documents on file.
  3. Employee Disclosure of Information
    Employees should limit disclosure of patient information to private, secured company systems and devices, taking care not to share private information with other patients, friends, family, acquaintances, media outlets, or co-workers who aren’t directly involved in the patient’s care.
  4. Poor Management and Illegal Access of Patient Records (PHI and ePHI)
    The HIPAA Security Rule requires covered entities and their business associates to limit access to PHI and ePHI to authorized individuals. Patient records containing PHI and ePHI (written, printed, or electronic) should be managed carefully and protected from unauthorized viewing or access.
    Employees accessing patient information for reasons other than those allowed by the Privacy Rule (treatment, payment, and healthcare operations) is another common HIPAA violation. This often happens because employees are curious and want to “snoop” on the records of family, friends, neighbors, colleagues, or celebrities.
  5. Unattended, Missing or Stolen Devices
    Computers, mobile phones, and other electronic devices often contain protected health information (PHI). If this data is accessed or stolen via an unattended, missing or stolen device, the health organization can be subjected to HIPAA fines. To prevent this, ensure computers and devices follow company usage and HIPAA policies and have secure password protection and encryption. If encryption is not used, an alternative, equivalent security measure should be used.
  6. Texting PHI
    Sending patient information via unsecured text messages is not HIPAA compliant. (Encryption programs are an option, but only if both the sender(s) and the receiver(s) have them installed.)
  7. Sharing PHI/ePHI Online Without Consent
    Filming or posting patient photos, names, or other patient information online or on social media without consent is a HIPAA violation. (If in doubt, it’s best to refrain from posting.)
  8. Failure to Follow the HIPAA Breach Notification Rule (60-day deadline)
    Covered entities are required to issue timely notifications to the affected individuals, the media, and regulators if there is a PHI data breach. Affected parties must be notified within 60 days after a PHI data breach is first discovered.
  9. Lack of Compliance Training
    HIPAA requires regular compliance training for all covered entities, Business Associates (BA), employees, volunteers, interns, and anyone who has or might gain access to patient information. Untrained associates or employees are more likely to cause HIPAA violations. On an annual basis, it’s important to review, update and maintain HIPAA policies and procedures and to provide updated compliance training.


These steps are just a start. Contact Revamp Cybersecurity today to see how we simplify your HIPAA compliance.

For more info:
HIPAA FAQs for Professionals
HIPAA Combined Regulation Text of All Rules

Contact Revamp Cybersecurity today to see how we can help your company become cyber secure.

Book a Free Consultation:

Ask Us Anything for FREE! https://revampcybersecurity.com/ask-a-cybersecurity-expert
