The Most Common HIPAA Violations and Penalties and How to Avoid Them

Companies in the United States that operate in the healthcare industry must comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HIPAA is a U.S. law designed to protect the privacy and security of individuals’ protected health information (PHI). When stored in digital form, this information is called electronic protected health information (ePHI).

This article discusses the most common HIPAA violations that affect businesses in the healthcare sector. Failure to comply with the regulations can result in a company receiving a substantial financial penalty and serious public relations damage.

What is a HIPAA Violation?

A violation is an unintentional or deliberate failure to comply with HIPAA’s defined standards and regulations. Three foundational HIPAA rules establish the regulations.

The HIPAA Privacy Rule

The HIPAA Privacy Rule defines the standards used to protect individuals’ medical records and protected health information. Organizations must implement safeguards to protect the privacy of the PHI and ePHI that they store and process. Additionally, the rule gives patients rights regarding viewing and correcting their medical records.

The HIPAA Security Rule 

All healthcare providers, plans, and clearinghouses are considered covered entities and are required to comply with the Security Rule. Business associates, which are companies such as IT providers that assist covered entities in processing ePHI, must also comply with the Security Rule. The Security Rule pertains only to the security of ePHI; it does not apply to PHI collected and stored on paper forms.

The Security Rule requires covered entities and business associates to take the necessary steps to:

  • Ensure the confidentiality, integrity, and availability of all ePHI;
  • Protect user data and ePHI from security and integrity threats;
  • Guard against unauthorized use or disclosure of ePHI;
  • Ensure HIPAA compliance by their workforce.

Administrative, physical, and technical safeguards required to protect ePHI are defined in the Security Rule. Failure to implement these safeguards is often the reason for HIPAA violations.

The HIPAA Breach Notification Rule

The Breach Notification Rule defines when an organization must provide notification of a data breach that involves PHI or ePHI. The rule mandates that when a covered entity must notify the individuals affected by a data breach, it must also inform the Secretary of Health and Human Services and, in some circumstances, the media. A breach notification can tarnish a company’s reputation and result in a loss of business.

How Are HIPAA Penalties Determined?

HIPAA violations and their associated penalties are determined on a tiered basis that considers several factors.

  • Tier 1 – Violations that the covered entity was unaware of and could not have realistically avoided;
  • Tier 2 – A violation that the covered entity should have been aware of but could not have avoided even with a reasonable amount of care;
  • Tier 3 – A violation that is the direct result of willful neglect of HIPAA rules where attempts have been made to correct the violation;
  • Tier 4 – A violation of HIPAA Rules constituting willful neglect, where no attempt has been made to correct the violation within 30 days.

The following table sums up the fines for violations in each tier. The listed penalties have been adjusted to reflect inflation.

Table: Most Common HIPAA Violations and Tiered Penalties

What are the Most Common HIPAA Violations?

Companies violate HIPAA when they do not take the necessary precautions to protect PHI and ePHI or fail to make the required breach notifications. We will look at some of the most common HIPAA violations and how the violator could have avoided the problem.

Failure to perform an organizational risk analysis

Organizations subject to HIPAA regulations must regularly perform a risk analysis to identify vulnerabilities affecting the confidentiality, integrity, and availability of ePHI. This failure is often discovered in the wake of other HIPAA violations that could have been avoided by conducting a risk analysis.

A data breach at Banner Health in 2016 resulted in a $1.25 million penalty for failure to perform a risk analysis. Companies need to complete the necessary risk analysis and document its results to maintain HIPAA compliance.

Lost devices containing ePHI

Losing desktop or mobile devices that contain ePHI is a significant problem that can easily result in a HIPAA violation and the need to initiate a breach notification. This issue has been exacerbated by the rise of the mobile workforce and by many companies adopting the bring your own device (BYOD) mindset. The loss of a single device can put large numbers of health records at risk.

Organizations need to implement strict policies to safeguard the devices that contain ePHI. This includes securing devices behind managed access control systems when not in use and maintaining records of access requests. The risks associated with device loss can also be minimized by storing and encrypting the data using a HIPAA-compliant cloud hosting solution. This way, the loss of a device will not necessarily put ePHI at risk or necessitate a breach notification.

Unauthorized access to healthcare records

Accessing patients’ healthcare records without proper authorization is a common violation that can result in employment termination and potential criminal charges. It is less common for financial penalties to be levied against the covered entities that allowed the access to occur. Preventing this violation requires strong controls that limit access to ePHI on a need-to-know basis.

Physical security must also be carefully considered, with building security access control systems installed to prevent unauthorized entry to locations containing PHI and/or devices used to store ePHI. To maintain compliance with HIPAA guidelines, healthcare providers must adhere to the following access control requirements:

  • Physical access to facilities must be secured using managed access controls; access logs must also be maintained to monitor user activity and support the identification of suspicious behavior.
  • Access to software containing ePHI must be subject to password protection and automatic session timeouts to prevent intentional or accidental exposure of sensitive data; physical access to areas containing such systems must also be secured using access controls.
  • Access to portable devices containing ePHI, including smartphones, tablets, hard drives and USB sticks, must be secured using access controls, with strict data disposal procedures in place to prevent data breaches; such items must be securely wiped or entirely destroyed before disposal.

Denying patients timely access to healthcare records

A common violation that can result in severe penalties is the refusal to provide patients with access to their healthcare records.

An example is the violation at two hospitals run by Cignet Health in 2008 and 2009. Cignet should have provided the requested healthcare information to patients within the mandated 60-day timeframe. The company was fined $4.3 million for this violation.

Failure to enter into HIPAA-compliant business associate agreements

All business associate agreements (BAAs) made between a covered entity and third-party vendors must meet HIPAA requirements. A covered entity’s responsibility is to ensure all agreements comply with HIPAA regulations. All agreements should be verified for compliance before being enacted by a covered entity.

Impermissible disclosure of PHI or ePHI

Financial penalties often accompany any impermissible disclosure of protected health information. The exposure can result from careless handling of ePHI or a lost device containing unencrypted health data. In either case, the affected organization will likely need to make a breach notification.

Improper Disposal of PHI or ePHI

When health records are no longer required to be retained and their retention period has expired, they must be disposed of securely. This involves shredding paper forms and performing activities such as degaussing or destroying electronic media that contain ePHI.

Inadequate employee HIPAA training

Organizations must properly train their employees on HIPAA regulations. Failure to provide and document this training can result in violations and fines. Companies should strive to train their employees thoroughly, as this helps prevent other types of HIPAA violations by giving everyone the information they need to ensure the privacy and security of PHI.

Complying with HIPAA data security and privacy regulations is mandatory for businesses involved with healthcare in the U.S. Remaining in compliance is also cost-effective when compared to the financial and reputational repercussions of being penalized for a violation. In many cases, the hostile public relations accompanying a violation are far more damaging to a business than the price of the penalty. It’s in the best interests of covered entities and the patients they represent to take the necessary steps to protect PHI and ePHI.

This article has been contributed by Atlantic.Net.