The Top 5 Most Common HIPAA Violations

The Health Insurance Portability and Accountability Act (HIPAA) has been in place for more than 20 years, but unfortunately, HIPAA violations still happen in the healthcare industry.

A HIPAA audit is the process the HHS Office for Civil Rights (OCR) follows to evaluate the policies, controls, and processes that covered entities and business associates have deployed to comply with HIPAA and safeguard protected health information (PHI) and electronic PHI (ePHI). The evaluation determines whether the covered entity or business associate is in compliance with HIPAA.

Statistics show that between 2009 and 2024, the Office for Civil Rights of the Department of Health and Human Services (HHS) received reports of 4,419 healthcare data breaches involving 500 or more records each. Through these breaches, over 310 million healthcare records have been lost, stolen, exposed, or disclosed without permission. Most of the time, the breach could have been avoided with proper medical records storage services.

HIPAA breaches have caused significant damage to healthcare businesses, and ignorance of the rules is one of the primary factors contributing to these violations.

Typical breaches of the HIPAA standards, including those involving online HIPAA complaint forms, can be extraordinarily damaging both to the practice that commits the violation and to the patients whose privacy is compromised, regardless of how serious or extensive the violation is.

In this article, we’ll cover the top 5 reasons for HIPAA violations. Before we start, remember that complying with HIPAA by protecting PHI is a must, from both a business and a consumer’s point of view.

HIPAA Violation 1 ─ Failure to Conduct an Organization-wide Risk Analysis

For an organization to become compliant with the HIPAA Security Rule, the first step is to conduct a risk analysis. Risk analysis is an ongoing process that should give the organization a complete picture of the threats to the availability, integrity, and privacy of electronic protected health information (ePHI).

A risk assessment of the covered entity’s or business associate’s healthcare organization is required under the HIPAA Security Rule, which applies to covered entities and business associates alike.

Further violations follow directly from the inability to manage security risks effectively and from the absence of a strategy for doing so. Once the risk analysis is complete, a risk management plan should therefore be implemented to address the risks it identified.

Vulnerabilities and threats should be prioritized and remediated within a reasonable amount of time.

Doctors have been fined anywhere from $100,000 to $7 million for failing to conduct a risk assessment. In these cases, the underlying problem was that the systems in use needed stronger security.

HIPAA Violation 2 ─ Lack of Encryption

End-to-end encryption (E2EE) is strongly recommended by the HIPAA encryption rules for both covered organizations and business associates.

End-to-end encryption is a way to encrypt data transfers from start to finish, making sure that only the sender and the intended recipient can read or access the data.

HIPAA also requires patients’ protected health information (PHI) and electronic protected health information (ePHI) to be encrypted while the data is “at rest,” meaning it is stored on a disk, USB drive, or similar device.

That said, sending PHI through an unencrypted email is not in itself a HIPAA violation. However, covered entities and business associates must take reasonable steps to ensure that patients understand and agree that sending PHI through unsecured email is risky.

This type of violation presents several challenges for healthcare organizations. On the one hand, the HIPAA Rules do not make encryption mandatory. On the other hand, if an organization decides not to use encryption, it must put in place an alternative safeguard that is at least as effective.

In other cases, this breach results directly from human error. For example, the absence of encryption becomes a problem when paper charts and files are left in exam rooms where patients can access them, or when a staff member downloads patient information onto a mobile device that is not password protected.

For example, the University of Rochester Medical Center (URMC) was fined $3 million under HIPAA for failing to encrypt mobile devices and for other HIPAA violations.

HIPAA Violation 3 ─ Lack of Employee Education and Training

Failing to provide HIPAA training to workers is a common cause of healthcare privacy breaches. Most of the time, these breaches happen because employees are careless or don’t understand the HIPAA Rules.

Healthcare institutions should therefore ensure that their employees are well trained on HIPAA, know how protected health information (PHI) may be used and shared, and always keep ePHI safe. In addition, monthly refresher training sessions should be held so that no one forgets the HIPAA Rules.

Employees are also required to assume responsibility for HIPAA compliance and assist in preventing HIPAA breaches. Even if you break one of the HIPAA Rules in a small way, you could face serious consequences, and organizations can be subject to hefty financial penalties.

As was said previously, HIPAA violations may harm patients and damage the reputations of the companies that committed the violations.

Suppose an employee is found to have broken HIPAA rules in any way, even unintentionally. In that case, they risk losing their job, and in more serious circumstances, they run the risk of facing criminal charges. So, to keep your practice safe, you must be proactive and teach your staff everything they need to know about HIPAA compliance.

HIPAA Violation 4 ─ Improper Disposal of Protected Health Information (PHI)

The secure disposal of protected health information (PHI) is a prerequisite for HIPAA compliance. If this step is skipped, there is a greater chance that sensitive information about patients will be shared, which puts patients at greater risk.

Staff must always dispose of patient records correctly. Simply throwing data away is not enough; it makes it easy for people who should not have access to protected health information (PHI) to obtain it.

Likewise, when patient records and protected health information have been moved to secure electronic storage, it is essential to remember to delete them from the hard drives of any local and portable devices.

The privacy of protected health information must be protected through appropriate administrative, technical, and physical safeguards.

Covered entities must also take reasonable precautions to protect health information and limit incidental uses or disclosures.

When protected health information is no longer required by law to be kept, it must be disposed of safely. This means the data must be made unreadable, unintelligible, or otherwise impossible to put back together before it is disposed of.

Proper staff training ensures that protected health information (PHI) is safeguarded from the moment it is created until it is finally discarded.

HIPAA Violation 5 ─ Lack of Patient Access to Their Protected Health Information

Because protected health information (PHI) includes sensitive information like a patient’s social security number, date of birth, and address, patients need to review and confirm this information to avoid mistakes that could cause serious harm.

In addition, when hospitals refuse a patient’s request for access to their protected health information (PHI), the patient is prevented from gaining access to their medical history, which might impact the care they get in the future.

The HIPAA Privacy Rule gives patients the right to access their medical records on demand. Patients must be able to review their medical records for accuracy and obtain copies of them as required.

Organizations can be fined if they do not give patients copies of their medical records within 30 days of the request.

Frequently Asked Questions

What Are the Basics of HIPAA?

The main goals of HIPAA are to protect the privacy, accuracy, and availability of all electronic protected health information (ePHI) that a covered entity creates, receives, stores, or transmits, and to identify and defend against threats to the security or integrity of health information.

What is HIPAA and How Does It Work?

The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule establishes national standards for the protection of people’s medical records and other personally identifiable health information. It gives patients more control over their medical information and sets rules for how medical files can be used and who can see them.

The Health Insurance Portability and Accountability Act of 1996 requires healthcare professionals and organizations to protect their patients’ privacy.

The HIPAA Privacy Rule is a set of federal rules that must be followed to keep health information about patients safe.

This article has covered the top 5 most frequent HIPAA breaches; of these, the most common violation is hospitals failing to follow up with patients who have requested their medical records.

Thank you for taking the time to read this article. We hope you found it helpful and now understand the most common HIPAA violations better.

Remember to always take steps to safeguard your patients’ protected health information (PHI) and stay current on the most recent HIPAA regulations.