Five Common HIPAA Violations


Healthcare is a complex business, and maintaining patient confidentiality is harder still in an environment where access to sensitive information is necessary for effective care. HIPAA (the Health Insurance Portability and Accountability Act) was enacted in 1996 and is enforced by the Office for Civil Rights of the U.S. Department of Health and Human Services (HHS). More than twenty years on, HIPAA violations remain a common problem in healthcare, with new instances continuing to surface. Within the field of patient privacy, HIPAA stands out as one of the most important laws for both providers and patients. Since its implementation there have been several high-profile breaches involving HIPAA compliance, and those incidents have made healthcare professionals across the country more aware of their responsibilities under the law. Still, it is important to know the most common HIPAA violations so that you can take steps to protect the confidential information in your care.

Whether large or small, even the common violations of HIPAA regulations can have serious consequences for the practice that commits them and for the patients affected. Here is a look at the most frequent (and costly) HIPAA violations, drawing on the enforcement findings of the U.S. Department of Health and Human Services.

Unauthorized physical access to patient information is a major problem in the behavioral healthcare industry. Civil penalties for a violating clinic range from $100 per violation up to an annual cap of $1.5 million for violations of the same provision (both figures are now adjusted for inflation). Maintaining HIPAA compliance to keep PHI secure is indispensable for businesses and patients alike.

Using PHI Beyond Its Permitted Purpose

The Privacy Rule is the part of HIPAA most often violated, even though it is the first one most staff are taught. It allows a covered entity to use and disclose protected health information (PHI) without the patient's written authorization only for treatment, payment and health care operations (plus a short list of other specified situations), and even then only the minimum necessary for the purpose. In practice this means you may use patient information only for the reason it was collected; any other use requires the patient's authorization. Healthcare workers violate this rule in many ways:

  • They may record notes in the wrong patient's chart.
  • They may discuss a patient within earshot of other patients.
  • They may share information with people who have no role in the patient's care.

Each of these is an impermissible use or disclosure under the Privacy Rule.

Breach of Patient Confidentiality

Among HIPAA violations, data breaches get the most publicity. Data breaches cost the U.S. healthcare industry an estimated $6.2 billion a year. No organization is immune to intrusion, which is why every healthcare provider must take the risk of a breach seriously and put security measures in place to guard against it.

A breach of patient confidentiality occurs when sensitive patient information is disclosed to unauthorized individuals. This can happen in person, over the phone, or online. Some of the most common ways breaches occur are:

  • Unauthorized individuals accessing medical notes.
  • Sharing patient information with family members or friends who do not need to know.
  • Leaving a laptop or workstation unlocked, or losing an unencrypted device that holds PHI.
  • Leaving written patient information out in a waiting room or office where others can see it.
  • Failing to log out of the electronic medical record system after using it.
  • Sending PHI to patients by unencrypted email.
  • Not properly securing the physical building where patients come to see you.

Many healthcare organizations choose to partner with a professional data security company to help ensure they are meeting HIPAA obligations.

Improper Use or Disclosure of Patient Information

In most workplaces casual conversation is not an issue, but in a healthcare practice any discussion of a patient is a use of PHI. Conversations between physicians and other caregivers are guided by specialty guidelines and procedures, and they must take place in private, not in a public area. Even when it seems harmless, casually discussing patient information with staff who have no role in that patient's care undermines privacy and can result in financial penalties for the practice. Confidentiality always has to be taken into account.

Patients expect their healthcare providers to keep their information private. When a provider discloses patient information without the patient's permission and without a Privacy Rule provision that allows it, that is an improper use or disclosure. Some ways this happens are:

  • Not redacting the patient's name from a document before it is shared.
  • Sending a fax containing the patient's name or other PHI to the wrong recipient.
  • Reading the records of patients who are not under your care.
  • Discussing patient information with people who do not have a need to know.
  • Not destroying patient information when it is no longer needed.

Lack of HIPAA Training

The diligence shown by the staff of a HIPAA-compliant practice is a result of the guidance offered by its leaders. Regrettably, too many mental health practitioners do not properly train their employees on the compliance requirements of HIPAA.

Full HIPAA training is essential to staff awareness of the most common compliance issues. Smaller infractions may not create serious problems, but the most glaring compliance failures are often the result of employees who were never trained. Training is also itself a requirement: the Privacy Rule obliges covered entities to train all workforce members on their privacy policies and procedures, and the Security Rule requires a security awareness and training program.

A HIPAA-trained staff is the best assurance of a safe patient and a safe practice.

Careless Disposal of PHI

HIPAA compliance requires thorough, correct disposal of PHI. Failing to dispose of PHI properly leaves patients vulnerable to exposure of their confidential medical records.

When disposing of paper PHI, workers should shred, burn, pulp or pulverize the records so that the information cannot be read or reconstructed. Simply throwing files away is not secure, and it leaves PHI for the wrong people to find. Electronic media is no different: local and portable drives that once held PHI must be cleared, purged or physically destroyed before they are reused, sold or discarded, because deleting a file only removes its name from the file system, not its data from the disk. HHS guidance points to NIST Special Publication 800-88 for acceptable media sanitization methods.
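To show why deletion is not disposal, here is an added example that is not part of the original article: a POSIX shell script that builds a constructed 1 MiB disk image with a fake "directory" block pointing at a constructed patient record, deletes the record the way a file system does (by clearing the directory entry only), scans the raw media the way an auditor would, then overwrites every block and verifies the wipe. The image path, the block layout and the sample record are all assumptions made for the demonstration; on real hardware IMG would be the block device, and a flash drive needs the device's own sanitize command rather than an overwrite.

```sh
#!/bin/sh
# Added example, not from the original article. Demonstrates on a constructed
# image file that "delete" leaves PHI on the media and that only an overwrite
# (NIST SP 800-88 "clear") removes it. Paths, offsets and the record are assumptions.
set -eu

IMG="${TMPDIR:-/tmp}/phi_media_demo.img"          # assumed path; a real drive would be /dev/sdX
MARKER="DOE, JANE"                                # constructed sample name used as the search marker
RECORD="MRN 000000 $MARKER 01/01/1970 DX F33.1"   # constructed sample record, not real PHI

# Build a 1 MiB blank "drive". Block 0 acts as the directory (name@block) and the
# record itself is stored at block 300, as a file system would place a small file.
make_media() {
    dd if=/dev/zero of="$IMG" bs=1024 count=1024 2>/dev/null
    printf 'patient.txt@300\n' | dd of="$IMG" bs=512 seek=0 conv=notrunc 2>/dev/null
    printf '%s\n' "$RECORD" | dd of="$IMG" bs=512 seek=300 conv=notrunc 2>/dev/null
}

# The file-system view: what the OS (and the person discarding the drive) sees.
list_files() {
    dd if="$IMG" bs=512 count=1 2>/dev/null | tr -d '\000'
}

# An ordinary delete: the directory entry is cleared, the data blocks are untouched.
fs_delete() {
    dd if=/dev/zero of="$IMG" bs=512 count=1 conv=notrunc 2>/dev/null
}

# The auditor's view: count raw occurrences of the marker on the media, ignoring the
# file system. grep -a reads the device as text and finds whatever the OS "forgot".
residual_copies() {
    grep -a -c -- "$MARKER" "$IMG" || true
}

# Sanitize: overwrite every block with random data, then with zeros so the result
# is easy to verify. Sufficient for magnetic media; flash needs the drive's own
# sanitize/secure-erase command because wear levelling hides blocks from dd.
wipe_media() {
    dd if=/dev/urandom of="$IMG" bs=1024 count=1024 conv=notrunc 2>/dev/null
    dd if=/dev/zero    of="$IMG" bs=1024 count=1024 conv=notrunc 2>/dev/null
}

# Verify before the drive leaves the building: no marker survives and every byte
# reads back as zero. Returns 0 when sanitized, 1 otherwise.
verify_wiped() {
    [ "$(residual_copies)" -eq 0 ] || return 1
    [ "$(tr -d '\000' < "$IMG" | wc -c | tr -d ' ')" -eq 0 ] || return 1
}

demo() {
    make_media
    echo "directory before delete:  $(list_files)"
    echo "raw copies before delete: $(residual_copies)"
    fs_delete
    echo "directory after delete:   [$(list_files)]"    # empty: the OS thinks it is gone
    echo "raw copies after delete:  $(residual_copies)"  # still 1: delete is not disposal
    wipe_media
    echo "raw copies after wipe:    $(residual_copies)"
    if verify_wiped; then echo "media verified sanitized"; else echo "WIPE FAILED"; fi
    rm -f "$IMG"
}

demo
```

The verification step is the part worth keeping in a real disposal procedure: write a known marker to the media before wiping, then confirm afterwards that a raw scan finds nothing and that the device reads back as zeros, and record that result with the drive's serial number as the disposal evidence.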


Effective employee training helps ensure that PHI is kept safe from the moment it is created all the way through to its disposal.


HIPAA is an important law for protecting patient confidentiality, and healthcare workers have a responsibility to understand it and follow it closely. Most violations stem from a lack of knowledge about HIPAA and its requirements, but some are willful. That can happen when a worker looks into records of patients who are not under their care for personal advantage, or to get back at a patient who has caused them trouble, or when an outsider infiltrates a healthcare facility for malicious reasons. In any of these circumstances the worker faces significant fines and disciplinary action, and knowing misuse of PHI can also be prosecuted as a crime. All healthcare workers should abide by HIPAA to protect patients and to protect themselves from serious consequences.
