Most Common HIPAA Violations

The most common HIPAA violation is mishandling patient records. This occurs most often when patient files are kept on paper: a healthcare provider or employee may leave a record in a patient’s room, where other patients can read it. Patient records should always be kept in a private, secure area.

Throughout this article, we will be discussing what HIPAA is, what it means to violate HIPAA rules, the consequences that follow a violation, and some of the most common examples of HIPAA violations. 

What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) protects personal medical history and other private information from being shared with individuals or organizations that intend to sell the information or use it for personal gain. HIPAA is a federal law created by the US Department of Health and Human Services; therefore, violating HIPAA rules could be considered a crime.

HIPAA Covered Entities

Covered entities are healthcare providers, health plans, and healthcare clearinghouses. Any individual or organization that falls within one of these three groups is required to follow HIPAA rules.

Protected Health Information

Protected Health Information (PHI) is any personal information that healthcare providers collect to identify or determine appropriate care for an individual. This could include information like:

PHI Identifiers

HIPAA has a list of 18 different personal health identifiers that can become PHI if paired with health information. Some of these identifiers by themselves may allow an individual to be identified, contacted, or located. The 18 identifiers are as follows:

  1. Name
  2. Address
  3. Dates
  4. Phone number
  5. Fax number
  6. Email address
  7. Social security number
  8. Medical record number
  9. Health plan beneficiary number
  10. Account number
  11. Certificate or license number
  12. Vehicle identifiers and serial numbers
  13. Device identifiers and serial numbers
  14. Web URL
  15. IP address
  16. Biometric identifiers
  17. Full-face photographs
  18. Identifying characteristics, like tattoos or piercings

What is a HIPAA Violation?

A HIPAA violation happens when the access, use, or disclosure of PHI results in a significant personal risk to the patient and their identity. This regulation concerns everyone who works with PHI, including:

Best Way to Avoid HIPAA Violations

There are many ways to prevent or avoid a HIPAA violation. As an employer, one of the most important things you can do is ensure that your employees have received proper training in understanding and following the HIPAA guidelines. Some other effective ways to avoid an intentional or accidental violation of the HIPAA rules are:

Consequences of HIPAA Violations

Civil penalties may be issued by the US Department of Health and Human Services if a HIPAA violation occurs. The Office for Civil Rights (OCR) is responsible for analyzing official complaints for potential HIPAA violations. There are four tiers of civil penalties; each tier and its consequences are based on the severity and number of violations. These four tiers are as follows:

Criminal Penalties

If a potential criminal violation of the HIPAA rules is being investigated, the OCR can refer the violation to the Department of Justice for review and further investigation. Criminal penalties for HIPAA violations are not common; however, if the intentions behind the violation are determined to be criminal, criminal penalties will apply. There are only three tiers for criminal violations. They are as follows:

More HIPAA Violation Examples

Aside from the examples we discussed earlier in this article, there are many common ways for HIPAA violations to occur. Some are a little less obvious than others and can potentially be overlooked. This is why understanding what causes HIPAA violations is so important.

Employees Exposing Patient Information

A patient’s health information and medical history must be kept protected and private. Healthcare employees who talk about their patients with unauthorized coworkers, family, or friends are violating HIPAA rules and will end up paying hefty fines. Healthcare providers and employees are not allowed to share patient information with their friends, family members, third-party individuals, or other organizations.

If a discussion is necessary to provide the best patient care, healthcare providers and employees should discuss patient information only in private places and only with other medical professionals.

Texting a Patient’s Private Information

While texting private information may seem faster and more efficient, it also gives hackers and onlookers the opportunity to get their hands on that private information. If you are caught putting a patient’s full name or other private information in a text, even if it is purely informational, you will end up with a fine on your hands.

Discussing Information Over The Phone

Another potential HIPAA violation that is easily overlooked is discussing private information over the phone. Always be aware of your surroundings when discussing a patient’s private health information over the phone, and hold the conversation in a private place where no one else can hear it.

When contacting an individual, always ensure that the person you are speaking with is actually the patient. Asking them to verbally confirm their birthdate or the last four digits of their Social Security number is an efficient way to verify their identity.

Employees Accessing Patient Files Without Authorization

This is one of the most common HIPAA violations, and the reason someone chooses to do it does not matter in the end. Accessing patient information without the proper authorization is illegal, even if your intentions are good.

Using PHI for Personal Gain

Accessing or selling an individual’s PHI for personal gain is also illegal. Not only is this a HIPAA violation, but it is also a criminal offense and will most likely result in prison time.

Data Breach Notification Rule

The HIPAA Breach Notification Rule requires HIPAA-covered entities, as well as their business associates, to notify local law enforcement following a data breach of PHI. It also applies to vendors of personal health services and their third-party service providers.

Defining a Breach

Generally, a breach is an ill-intentioned use or disclosure of a patient’s PHI under the Privacy Rule that compromises the individual’s security and privacy. However, if the covered entity or business associate can demonstrate that there is a low probability that the PHI was compromised, the incident is not considered a breach.

Following a breach of PHI, covered entities are required to notify the affected individuals that the breach occurred. In some cases, they must also notify the media. In addition, business associates must notify the covered entity if a breach occurs at or is caused by the business associate.

Three Types of Data Breaches: HIPAA

There are three different types of data breaches. Each carries the same level of risk and consequences, but they differ in how they are carried out. The three types of data breaches are listed below:

Our Safety Training

Here at Hard Hat Training, our courses are updated whenever any formal changes are made to the applicable safety standards. This enables us to provide our customers with the most thorough and up-to-date training options for employees. Our overall goal is to make safety training courses fun and engaging. Our HIPAA Training course is ready for purchase today!