HIPAA Violation Examples – WheelHouse IT

With civil penalties that can reach $50,000 per violation and an annual cap per provision of $1.5 million (roughly $2 million after inflation adjustment), it is imperative to keep your medical practice HIPAA compliant at all times. Every possible violation should be treated as a threat to your practice, but some come up far more often than others, especially now that patient data is reached from connected devices anywhere, and those devices are rarely as secure as they seem on any given day.

HIPAA is a federal law that regulates how health care providers, health plans, clearinghouses and their business associates protect the privacy and security of protected health information (PHI). It is designed to keep sensitive information away from prying eyes, but the law only works if your organization actually implements its safeguards; attackers and careless insiders routinely find ways around controls that exist only on paper.

15 Most Common HIPAA Violation Examples

Here are the 15 most common examples of HIPAA violations:

Accessing PHI from an Unsecured Location

When it comes to the security of your patients’ PHI, you can’t afford any leaks. All staff members should keep documents containing PHI in a secure location at all times: paper files locked away, digital files restricted to authorized accounts and encrypted whenever possible, and no PHI opened on shared or public devices or networks.

Failing to maintain and safeguard patient records is itself a common HIPAA violation, as is ignoring the provider’s own privacy and security policies. A doctor or other authorized individual who keeps patient notes in an unapproved location, or decides not to retain them at all, cannot protect that information. Proper record-keeping, and following the policies written around it, protects both the patients’ privacy and their care.

Lack of Encryption

Encryption is one of the simplest ways to protect patient data. If a laptop or phone holding ePHI is lost or stolen, encryption keeps the data unreadable to whoever ends up with it, because only holders of the decryption key can unlock it. Under HHS guidance, ePHI encrypted in line with NIST recommendations is not considered “unsecured”, so losing a properly encrypted device is generally not a reportable breach, while losing an unencrypted one almost always is. Keep the keys separate from the data (a password-protected file sitting next to the spreadsheet is not encryption at rest) and require strong authentication to unlock the device.

Getting Hacked or Phished

Medical practices must take every reasonable step to defend against common attack methods. Keeping operating systems and applications patched, running up-to-date endpoint protection on every device that touches ePHI, placing firewalls between networks, requiring multi-factor authentication on email and remote access, and training staff to recognize phishing are the baseline. Note that “strong passwords changed frequently” is no longer the best advice: current NIST guidance favors long, unique passwords plus MFA, rotated when compromise is suspected rather than on a schedule.

Employee dishonesty

Some of the most common HIPAA violations are snooping on health records and failing to notify patients and regulators when it happens. Snooping is a clear violation, but its ramifications are often underestimated: it leads to disciplinary or corrective action, termination, civil penalties and, for knowing misuse, criminal charges and lawsuits.

Unauthorized Access

One of the most common HIPAA violations is unauthorized access to patient data. Access should be tied to job function: employees must not open records they have no treatment, payment or operations reason to see, and must not share their access (or their credentials) with coworkers who lack the same rights.

If an employee is caught accessing a patient’s health information without authorization, the healthcare provider can face substantial fines from OCR, and state attorneys general can also bring enforcement actions under HITECH.

Loss or Theft of Devices

Another common violation involves lost or stolen company devices. Medical practices must secure laptops, phones and removable media with full-disk encryption, strong authentication, automatic screen locks and remote-wipe capability, and keep an inventory so a missing device is noticed quickly. Limiting which employees may store ePHI on portable devices at all, based on job function, reduces what a stolen device can expose.

Unauthorized release of information

Sharing a patient’s medical records with an employee who has no job-related need for them is also a HIPAA violation. The information in medical records is confidential, and anyone who accesses it without permission can face significant fines. This is among the most common HIPAA violations and should be avoided at all costs. The Office for Civil Rights (OCR) investigates reported breaches and complaints, so it is important to keep employees informed about the law and about your own policies.

A recent case involved a Texas hospital employee who accessed 596 patients’ digital files for personal gain. Whether access like this is malicious or merely careless, if it happens at your facility you must act immediately: contain the access, investigate, and carry out the required breach notifications. An organization that cannot show it took compliance steps beforehand is likely to face the same penalties, and knowing access for personal gain can bring criminal charges.

Lack of Employee Training

Whether you are a small or a large healthcare provider, HIPAA compliance is complicated and the regulations are easy to misread. Even with a clear understanding of the law, mistakes still happen. Typical examples: carelessly handling patient information, posting about patients on social media (a Facebook post, for instance), and texting PHI from a personal mobile device.

The same rules apply in social situations. These slips can lead to huge fines, but preventing them is not impossible: invest in proper compliance training and education. OCR’s audit program and guidance have only grown stricter in recent years.

Beyond the legal issues, several less obvious HIPAA violations can affect your business. For example, if a computer holds a password-protected patient file, the password must not be visible or known to anyone who is not authorized for that file; a password on a sticky note or shared among staff defeats the control entirely. Such a lapse will cost you dearly, so invest in proper HIPAA training and education for your employees.

Gossiping or Sharing Information

Care providers with access to patient health information need to be careful about what they discuss outside work. Even mentioning a patient’s condition in conversation, or an accidental disclosure overheard in an elevator or waiting room, can result in fines or other penalties, so do not discuss PHI unless it is necessary for care, and then only with those involved.

Disposal of PHI

It is also possible to violate HIPAA through careless disposal. Paper records must be shredded, pulverized or otherwise destroyed, not dropped in an ordinary bin; hard drives, phones, copiers and backup media that held ePHI must be sanitized or destroyed before disposal or resale (HHS points to NIST SP 800-88 for acceptable media-sanitization methods). Simply deleting files or reformatting a drive leaves recoverable data. Other common slips involve social media posts and texting. When these things happen the penalties can be steep and can lead to costly civil lawsuits, so you and your business associates should take steps to avoid them.

Failure to Perform an Organization-Wide Risk Analysis

HIPAA compliance requires a thorough, organization-wide risk analysis (Security Rule §164.308(a)(1)(ii)(A)). This means identifying where ePHI is created, received, stored and transmitted, the threats and vulnerabilities to it, the controls already in place, and the likelihood and impact of each risk, across every system and location, not just the EHR. There are many ways to do this, but a documented, inventory-driven assessment, repeated whenever the environment changes, is the foundation.

Failure to Manage Security Risks / Lack of a Risk Management Process

The security risks to healthcare data are significant: theft, loss, unauthorized use, misuse, unencrypted storage, and unapproved sharing. Managing them requires a comprehensive, documented plan: policies, procedures and protocols that address each identified risk, owners and deadlines for remediation, and a system to monitor and enforce compliance. A risk assessment tells you where to start; risk management is what you do with its findings.

Failure to Enter into a HIPAA-Compliant Business Associate Agreement

You must enter into a business associate agreement (BAA) with every vendor that creates, receives, maintains or transmits PHI on your behalf: cloud and hosting providers, billing services, IT support, shredding companies and the like. The BAA spells out permitted uses and disclosures, requires the vendor to apply appropriate safeguards, and ensures that any breach is reported and handled appropriately. Handing PHI to a vendor without a signed BAA is itself a violation.

Impermissible disclosure

An “impermissible” disclosure occurs when PHI is disclosed without a permitted purpose or a valid authorization. PHI is any individually identifiable health information, so disclosing a patient’s name, address, telephone number, email address, Social Security number, dates (birth, admission, discharge), medical record number, diagnosis, treatment or payment status in connection with their care all count.
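Most of the identifiers listed above have a recognizable shape, so the last line of defense before an e-mail or export leaves the organization can be an automated scan for them. The following Python script is an added example written for this page, not WheelHouse IT code; the medical-record-number format and the sample message are constructed assumptions, and names and street addresses, which have no fixed shape, are out of its scope.

```python
"""Scan outbound text for HIPAA identifiers before it leaves the organization.

Added example for this page, not WheelHouse IT code. It covers the identifiers
that have a recognizable shape (SSN, e-mail, phone, dates, and an assumed
medical-record-number format). Names and street addresses need a dictionary
or NLP pass and are out of scope here.
"""
import re

# Category -> compiled pattern. Dictionary order is also the redaction order.
PHI_PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    # (305) 555-0142, 305-555-0142, 305.555.0142; the lookarounds stop it from
    # biting into longer digit runs such as an account number.
    "PHONE": re.compile(r"(?<!\d)(?:\(\d{3}\)\s?|\d{3}[-. ])\d{3}[-. ]\d{4}(?!\d)"),
    # MM/DD/YYYY: birth, admission, discharge and death dates are all PHI.
    "DATE": re.compile(r"\b(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"),
    # Assumed format "MRN 00418823"; real systems use their own numbering.
    "MRN": re.compile(r"\bMRN[:# ]*\d{6,10}\b"),
}


def find_phi(text):
    """Return (category, matched_text) pairs for every identifier in text."""
    hits = []
    for category, pattern in PHI_PATTERNS.items():
        for match in pattern.finditer(text):
            hits.append((category, match.group(0)))
    return hits


def redact(text):
    """Replace each identifier with a [CATEGORY] token so the text can be logged."""
    for category, pattern in PHI_PATTERNS.items():
        text = pattern.sub("[%s]" % category, text)
    return text


def check_outbound(text):
    """Gate for an outbound message: block it when any identifier is present."""
    hits = find_phi(text)
    return {
        "allowed": not hits,
        "categories": sorted({category for category, _ in hits}),
        "redacted": redact(text),
    }


# Constructed sample: a billing e-mail that must not leave as written.
SAMPLE_MESSAGE = (
    "Hi, the claim for MRN 00418823 (DOB 03/14/1962) was denied. "
    "Call the patient at (305) 555-0142 or jdoe@example.com; SSN 123-45-6789 on file."
)

if __name__ == "__main__":
    result = check_outbound(SAMPLE_MESSAGE)
    print("allowed:   ", result["allowed"])
    print("categories:", ", ".join(result["categories"]))
    print("redacted:  ", result["redacted"])
```

Run against the sample, the gate blocks the message and reports the five categories it found; the redacted copy is what you would write to the mail gateway’s log, since logging the raw match would itself store PHI. A regex scan like this produces false positives (any MM/DD/YYYY date, any phone number), which is the right trade-off for a block-and-review gate but not for automatic deletion.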

3rd Party Organization Disclosure of PHI

The importance of keeping PHI confidential cannot be overstated. Discussing PHI with anyone who has no right to know is a direct violation of HIPAA and can result in civil fines or, for knowing misuse, criminal prosecution and imprisonment.

The Enforcement Rule is a serious matter. OCR can levy civil penalties from $100 to $50,000 per violation depending on the level of culpability, with an annual cap per identical provision of $1.5 million (both figures adjusted for inflation each year), even when the violation was a single employee’s mistake.

NOTE: Before a patient’s PHI can be disclosed to a third party for any purpose other than one expressly permitted by the HIPAA Privacy Rule (treatment, payment, health care operations and a limited set of others), a signed authorization form must be obtained from the patient. The authorization names who may receive the information and what information they may receive; only those recipients, and only that information, may be released. Review the authorization carefully each time, because patients often authorize the release of only certain records to specific parties.

To avoid this, keep PHI confidential and discuss it only with authorized individuals, in private. Separately, a delayed response to a patient’s request for a copy of their medical records is also a violation.

Accessing records without authorization: in one case a physician accessed the medical information of celebrities and other public figures with whom he had no treatment relationship, leading to an investigation.

A patient’s request for access to their medical records must be fulfilled within 30 days. One 30-day extension is permitted if the patient is told the reason in writing within the first 30 days; beyond that, failure to respond is a violation.

HIPAA’s minimum necessary standard requires covered entities and business associates to make reasonable efforts to ensure that only the information required to complete a task or perform a job is accessed, used or shared, and only by the persons or classes of persons who need it (the standard does not apply to disclosures for treatment). In practice this means role-based access in the EHR, audit logs that record who opened which record and when, and regular review of those logs, since access well outside a user’s role is how most snooping is found. It is another tricky requirement that often leads to violations.
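Minimum necessary, the unauthorized-access and coworker-snooping cases above, and the 596-file bulk access described earlier are all caught the same way: by reviewing the EHR audit log against who actually has a treatment relationship with each patient. The script below is an added example for this page, not WheelHouse IT’s or any EHR vendor’s code; the log format, the care-team table, the role list and the daily threshold are assumptions standing in for data a real deployment would pull from the audit trail and the scheduling or admission system, and the log lines are constructed.

```python
"""Review an EHR audit log for access that breaks the minimum-necessary standard.

Added example for this page, not WheelHouse IT or EHR vendor code. The log
format, care-team table, role list and threshold are assumptions; in a real
deployment they come from the audit trail and the scheduling/admission system.
"""
from collections import defaultdict

# Assumed audit-log format: timestamp,user,role,patient_id,action
# Constructed sample: one day of legitimate access plus three kinds of misuse.
AUDIT_LOG = "\n".join(
    [
        "2024-03-04T08:02:11,nurse.amy,nurse,P1001,view_chart",
        "2024-03-04T08:05:40,nurse.amy,nurse,P1002,view_chart",
        "2024-03-04T09:11:03,dr.lee,physician,P1003,view_chart",
        "2024-03-04T09:40:27,dr.lee,physician,P1002,view_chart",  # coworker's chart, no relationship
        "2024-03-04T12:30:55,hr.bob,hr,P1001,view_chart",  # HR has no business in charts
    ]
    # A physician paging through 25 unrelated charts in one evening.
    + ["2024-03-04T22:%02d:00,dr.patel,physician,P3%03d,view_chart" % (i, i) for i in range(25)]
)

# Patients each clinician is currently treating (assumed; normally derived from
# scheduling and admissions). A user absent here treats nobody.
CARE_TEAM = {
    "nurse.amy": {"P1001", "P1002"},
    "dr.lee": {"P1003"},
}
# Patient IDs that belong to staff members (assumed). Coworkers' charts are a
# classic snooping target, so any access without a relationship is reviewed.
EMPLOYEE_PATIENT_IDS = {"P1002"}
# Roles whose job never requires clinical charts (the HR example in the text).
NON_CLINICAL_ROLES = {"hr", "finance"}
# Distinct patients one user may open per day before it counts as a bulk pull.
DAILY_PATIENT_THRESHOLD = 20


def parse(log_text):
    """Yield one dict per non-empty log line."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action = line.split(",")
        yield {"ts": ts, "day": ts[:10], "user": user, "role": role,
               "patient": patient, "action": action}


def analyze(log_text, care_team=CARE_TEAM, employee_patients=EMPLOYEE_PATIENT_IDS,
            threshold=DAILY_PATIENT_THRESHOLD):
    """Return (user, rule, detail) findings for every event that needs review."""
    findings = []
    patients_per_user_day = defaultdict(set)
    for ev in parse(log_text):
        treating = ev["patient"] in care_team.get(ev["user"], set())
        if ev["role"] in NON_CLINICAL_ROLES:
            findings.append((ev["user"], "role_not_permitted", ev["patient"]))
        elif not treating:
            findings.append((ev["user"], "no_treatment_relationship", ev["patient"]))
        if ev["patient"] in employee_patients and not treating:
            findings.append((ev["user"], "coworker_record", ev["patient"]))
        patients_per_user_day[(ev["user"], ev["day"])].add(ev["patient"])
    # Volume is judged per user per day, once the whole day has been read.
    for (user, day), patients in patients_per_user_day.items():
        if len(patients) > threshold:
            findings.append((user, "volume_spike",
                             "%d distinct patients on %s" % (len(patients), day)))
    return findings


def summarize(findings):
    """Collapse findings to {user: sorted rule names} for triage."""
    by_user = defaultdict(set)
    for user, rule, _detail in findings:
        by_user[user].add(rule)
    return {user: sorted(rules) for user, rules in by_user.items()}


if __name__ == "__main__":
    for user, rules in sorted(summarize(analyze(AUDIT_LOG)).items()):
        print("%-10s %s" % (user, ", ".join(rules)))
```

On the sample, nurse.amy generates nothing (both patients are on her care team, even though one is a coworker), dr.lee is flagged for opening a coworker’s chart without a relationship, hr.bob for a role that should never see charts, and dr.patel for both the unrelated charts and the volume spike. The relationship check is what does the work; a volume threshold alone would have missed the first two cases entirely.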

Call Us To Learn How You Can Be HIPAA Compliant

In addition to the above, many HIPAA violations are less obvious. The most common is mishandling patient records: clinics should keep paper records in locked rooms or cabinets, and a clinician who leaves paper records in a patient’s room where others can read them has committed a violation. In that case the employee’s employer can be fined as well.

As a result, HIPAA-covered entities must conduct regular HIPAA compliance reviews to ensure that HIPAA violations are discovered and corrected before regulators become aware of them.

When potential risks and vulnerabilities are identified, covered entities and business associates must decide which measures to implement based on the size, complexity and capabilities of the organization, the measures already in place, and the cost of additional measures weighed against the likelihood of a data breach and the magnitude of the harm it would cause.

For more information please give us a call at (877) 771-2384

Contact Us Today and Check Out Our Blog!

HIPAA Do’s and Don’ts for Employees – WheelHouse IT


HIPAA is the law that protects your privacy as a patient. Under HIPAA, health plans and providers must limit who can see your records to those with a need to know, such as the doctors, nurses and other health professionals treating you, and must protect those records from outsiders such as attackers who gain a foothold inside the organization’s network.

What does HIPAA mean?

HIPAA is a federal law that protects your privacy as it pertains to health care. It restricts who can see your health plan and medical records, and it gives you the right to obtain copies of them from your providers.

Protected health information: HIPAA gives patients access to, and control over, their own medical information, including doctors’ notes and test results from treatment at hospitals, health care organizations and other health agencies.

Your right to your protected health information

That right includes obtaining copies of your patient file or viewing your electronic health record when you need more than what was written down on paper for treatment purposes.

The Health Insurance Portability and Accountability Act (HIPAA) also sets out what employees of those organizations should and shouldn’t do with patients’ health information, which is what the rest of this article covers.

Protection against privacy violation

The intention was to protect the privacy of individuals’ health information, and the law imposes obligations that every covered employer must follow or risk financial penalties from the enforcing agency, the HHS Office for Civil Rights (OCR). Strict guidelines for protecting patient health information have been in place for years.

Those rules are complicated, but they’re not hard to follow. Here are a few tips to ensure your employees follow them.

Firstly, don’t send health information by ordinary text message. Standard SMS is unencrypted, is retained by carriers and on both phones, and cannot be audited. If your practice needs to message PHI, use a secure healthcare messaging platform that encrypts data in transit and at rest, logs access, and is covered by a BAA, and remove the messages from the device once the conversation is finished. In addition, do not forward ePHI you receive to anyone who does not need it.

When it comes to HIPAA compliance, your employees are no exception. Employment records an employer keeps about its own staff generally fall outside HIPAA, but every employee who handles patient PHI must follow the rules, and the organization answers for their mistakes: a worker’s social media post about a patient, or a lost or stolen unencrypted device, is the covered entity’s violation. Liability can even outlast the business itself. By following the HIPAA guidelines, and checking that staff do, you avoid the most common errors.

Another important rule of HIPAA is that you should only share PHI with employees who need it. When working with patient information, avoid public locations and shared workspaces: untrusted Wi-Fi, people reading over your shoulder and shared printers all put PHI at risk.

Also, don’t discuss patients with colleagues in public. If you need to talk through a case, do it in a private space and limit the discussion to the staff involved in that patient’s care.

HIPAA Security: there is little worse than discovering that someone has accessed or obtained sensitive data such as Social Security numbers. The good news is that with careful planning from both parties involved (the company and the employee), this scenario can be avoided.

Take note: the following list of HIPAA rules is not all-inclusive, but it is a starting point for understanding how the privacy rules apply within your organization. Specific obligations vary with your role and the type of organization, so ask your privacy or compliance officer whenever something is unclear.

There are a lot of rules and regulations when it comes to protecting your private information, but don’t worry – we have all the answers for you! 

HIPAA do’s and don’ts for employees

Some of the most typical ways in which HIPAA Rules are violated by workers are listed below.

Don’ts of HIPAA 

  1. Employees cannot use PHI for personal gain. This includes selling PHI or giving it away to others.
  2. Employees cannot use PHI without permission. For example, they cannot use patient information to make decisions about hiring or firing people.
  3. Employees cannot use PHI to discriminate against anyone. For example, they must not use PHI to decide whether to hire someone based on race, gender, religion, etc.
  4. Employees cannot use PHI beyond what their job requires (the minimum necessary standard). For example, they should not use PHI to determine insurance rates.

Do’s of HIPAA

  1. Employees must store patient data securely. Electronic files containing ePHI belong on approved, access-controlled systems, encrypted at rest and in transit, not on personal drives, personal email or unencrypted USB sticks.
  2. Employees must take steps to prevent unauthorized access to PHI. Never share login credentials, lock the screen when stepping away, and lock up any device or paper containing PHI.
  3. Employees must respect the audit trail. Systems holding ePHI are required to log who viewed which record and when; employees must never share accounts or otherwise obscure who actually accessed a file, and managers should review those logs.
  4. Employees should only disclose PHI to those who need it. Doctors, nurses and other clinical staff involved in a patient’s care may review medical records; an HR staff member, by contrast, has no need for that information and is not authorized to see it.
  5. Employees must destroy PHI once it is no longer needed. That means shredding documents and properly wiping or destroying storage media, not merely deleting files.
  6. Employees must report any suspected breach to the privacy or security officer immediately, so the organization can investigate and notify affected patients (and HHS) within the 60-day window the Breach Notification Rule allows, including what happened and when.
  7. Employees must complete HIPAA training. Training helps them know what to look for and where to find the relevant policies.
  8. Employees must report suspected violations. Report internally first; anyone may also file a complaint with OCR. Reporting stops misuse before it spreads and helps investigators act.

How does HIPAA affect my company?

The penalties for violating HIPAA rules are severe. Civil penalties run from $100 to $50,000 per violation, tiered by culpability and capped per year (figures adjusted for inflation). Criminal penalties apply to knowing violations: up to $50,000 and one year in prison, rising to $100,000 and five years when committed under false pretenses, and $250,000 and ten years when done with intent to sell PHI or for commercial advantage, personal gain or malicious harm. Companies as well as individuals can face charges.

In addition to the HIPAA Do’s, organizations should also follow all applicable state and federal laws regarding health information. Organizations must also conduct risk assessments at least annually, and whenever systems change, to identify areas of non-compliance before they turn into monetary or criminal penalties. These assessments should be run by the compliance or security officer, documented, and kept confidential; in some cases more than one per year is warranted.

For example, healthcare providers should complete annual HIPAA training and review their policies and procedures each year with staff, especially after major changes in the business. Employees should sign an acknowledgment of the HIPAA policies, and the dates on which each employee received training and signed should be documented.

NOTE: The most important HIPAA Do is to be sure to follow the regulations.

For health care providers and the majority of healthcare employees, this combination of annual training, policies and procedures that are reviewed and updated with staff, and signed acknowledgments of both is critical to demonstrating compliance with HIPAA requirements if OCR ever asks.

What can I do to protect myself from HIPAA violations?

First off, violations fall broadly into two types: administrative and technical (the Security Rule itself groups its safeguards as administrative, physical and technical).

Administrative violations occur when the organization fails to follow the rules: no risk analysis, no policies or training, no BAAs, improper disposal of PHI, or failure to meet the Privacy Rule’s requirements.

Technical violations happen when PHI is mishandled in systems. Examples include storing ePHI on unencrypted or insecure devices, sending PHI outside the organization without authorization, and using unsecured personal email accounts.

Second, you have to understand that HIPAA applies to the covered health care provider, regardless of size. So even though your small business may not have many employees, it still needs to abide by HIPAA regulations.

Third, you should familiarize yourself with the rules. You can get more information at www.hhs.gov/ocr/hipaa. If you’re unsure about something, contact your health plan administrator or compliance officer.

Compliance violations: to avoid potential violations, healthcare organizations and their business associates must ensure full compliance with the HIPAA Privacy, Security, and Breach Notification Rules.

Contact us today!

If your business has been affected by HIPAA, contact us at www.wheelhouseit.com. We offer HIPAA training and consulting services to ensure that your organization complies with HIPAA regulations.