top of page
Writer's pictureShidonna Raven

The 10 Most Common HIPAA Violations You Should Avoid


Photo / Image Source: Unsplash,


HIPAA violations most often occur when covered entities, business associates, or members of either’s workforces fail to comply with the Privacy, Security, or Breach Notification Rules. There are many different types of HIPAA violations, and the ten most common HIPAA violations that have resulted in financial penalties are:

  • Snooping on Healthcare Records

  • Failure to Perform an Organization-Wide Risk Analysis

  • Failure to Manage Security Risks / Lack of a Risk Management Process

  • Denying Patients’ Access to Health Records/Exceeding Timescale for Providing Access

  • Failure to Enter into a HIPAA-Compliant Business Associate Agreement

  • Insufficient ePHI Access Controls

  • Failure to Use Encryption or an Equivalent Measure to Safeguard ePHI on Portable Devices

  • Exceeding the 60-Day Deadline for Issuing Breach Notifications

  • Impermissible Disclosures of Protected Health Information

  • Improper Disposal of PHI

In this article we outline how you can avoid these common HIPAA violations.

You can also use the article in conjunction with our free HIPAA Violations Checklist to understand what is required to ensure full compliance. Use any form on this page to arrange for your copy of the checklist.


What are the 10 Most Common HIPAA Violations?

Listed below are 10 of the most common HIPAA violations, together with examples of HIPAA-covered entities and business associates that have been discovered to be in violation of HIPAA Rules.


These example cases have had to settle those violations with the Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general. In many cases, investigations have uncovered multiple HIPAA violations.


The settlements pursued by OCR are for egregious violations of HIPAA Rules. Settlements are also pursued to highlight common HIPAA violations to raise awareness of the need to comply with specific aspects of HIPAA Rules.


The settlement amounts reflect the seriousness of the violation, the length of time the violation has been allowed to persist, the number of violations identified, and the financial position of the covered entity/business associate.


1. Snooping on Healthcare Records

Accessing the health records of patients for reasons other than those permitted by the Privacy Rule is a violation of patient privacy. Snooping on healthcare records of family, friends, neighbors, co-workers, and celebrities is one of the most common HIPAA violations committed by employees. When discovered, these violations can result in termination of employment but could also result in criminal charges for the employee concerned. Financial penalties for healthcare organizations that have failed to prevent snooping are relatively uncommon, but they are possible – as the University of California Los Angeles Health System discovered.


University of California Los Angeles Health System was fined $865,000 for failing to restrict access to medical records. The healthcare provider was investigated following the discovery that a physician had acc essed the medical records of celebrities and other patients without authorization. Dr. Huping Zhou accessed the records of patients without authorization 323 times after learning that he would soon be dismissed.  Dr. Zhou became the first healthcare employee to be jailed for a HIPAA violation and was sentenced to four months in federal prison.


2. Failure to Perform an Organization-Wide Risk Analysis

The failure to perform an organization-wide risk analysis is one of the most common HIPAA violations to result in a financial penalty. If the risk analysis is not performed regularly, organizations will not be able to determine whether any vulnerabilities to the confidentiality, integrity, and availability of PHI exist. Risks are likely to remain unaddressed, leaving the door wide open for violations to occur.


HIPAA settlements with covered entities for the failure to conduct an organization-wide risk assessment include:


3. Failure to Manage Security Risks / Lack of a Risk Management Process

Performing a risk analysis is essential, but it is not just a checkbox item for compliance. Risks that are identified must then be subjected to a risk management process. They should be prioritized and addressed in a reasonable time frame. Knowing about risks to PHI and failing to address them is one of the most common HIPAA violations penalized by the Office for Civil Rights.

HIPAA settlements with covered entities for the failure to manage identified risks include:


4. Denying Patients Access to Health Records/Exceeding Timescale for Providing Access

The HIPAA Privacy Rule gives patients the right to access their medical records and obtain copies on request. This allows patients to check their records for errors and share them with other entities and individuals. Denying patients access to health records, overcharging for copies, or failing to provide records within 30 days is a violation of HIPAA. OCR made HIPAA Right of Access violations one of its key enforcement objectives in late 2019.


HIPAA settlements with covered entities for denying patients access to their records or unnecessary delays in providing access include:


5. Failure to Enter into a HIPAA-Compliant Business Associate Agreement

The failure to enter into a HIPAA-compliant business associate agreement with all vendors that are provided with or given access to PHI is another of the most common HIPAA violations. Even when business associate agreements are held for all vendors, they may not be HIPAA compliant, especially if they have not been revised after the Omnibus Final Rule.

Notable settlements for these common HIPAA violations include:


6. Insufficient ePHI Access Controls

The HIPAA Security Rule requires covered entities and their business associates to limit access to ePHI to authorized individuals. The failure to implement appropriate ePHI access controls is also one of the most common HIPAA violations and one that has attracted several financial penalties.


Financial penalties issued to covered entities for ePHI access control failures include:


7. Failure to Use Encryption or an Equivalent Measure to Safeguard ePHI on Portable Devices

One of the most effective methods of preventing data breaches is to encrypt PHI. Breaches of encrypted PHI are not reportable security incidents unless the key to decrypt data is also accessed. Encryption is not mandatory under HIPAA Rules, but it cannot be ignored. If the decision is taken not to use encryption, an alternative, equivalent security measure must be used in its place.


Recent settlements for the failure to safeguard PHI include:


8. Exceeding the 60-Day Deadline for Issuing Breach Notifications

The HIPAA Breach Notification Rule requires covered entities to issue notifications of breaches without unnecessary delay, and certainly no later than 60 days following the discovery of a data breach. Exceeding that time frame is one of the most common HIPAA violations, which has seen several recent penalties issued:


9. Impermissible Disclosures of Protected Health Information

Any disclosure of protected health information that is not permitted under the HIPAA Privacy Rule can attract a financial penalty. This violation category includes disclosing PHI to a patient’s employer for a purpose not permitted by the Privacy Rule, potential disclosures following the theft or loss of unencrypted laptop computers, careless handling of PHI, disclosing PHI unnecessarily, not adhering to the ‘minimum necessary’ standard, and disclosures of PHI after patient authorizations have expired.


Settlements for impermissible disclosures of PHI include:


10. Improper Disposal of PHI

When physical PHI and ePHI are no longer required and retention periods have expired, HIPAA Rules require the information to be securely and permanently destroyed. For paper records this could involve shredding or pulping and for ePHI, degaussing, securely wiping, or destroying the electronic devices on which the ePHI is stored to prevent impermissible disclosures.


Financial penalties issued to covered entities for improper disposal of PHI/ePHI include:


Non-Financial HIPAA Violation Examples

HIPAA violations do not always result in financial penalties. Many violations of HIPAA investigated by OCR are resolved by guidance, technical assistance, and/or a corrective action plan depending on the nature of the violation and the harm caused, the covered entity’s previous history of violations, and their willingness to cooperate with an OCR investigation.


Because violations resolved by guidance, technical assistance, and/or a corrective action plan rarely attract headlines, some of the work done by OCR to promote compliance with HIPAA can be overlooked. However, as of March 2022, OCR has investigated and resolved 29,478 cases without issuing a financial penalty. Non-financial HIPAA violation examples include:

  • A hospital was required to implement new minimum necessary policies for telephone messages after an employee left a telephone message with the daughter of a patient that detailed both her medical condition and treatment plan.

  • A mental health center was required to correct its process for providing Notices of Privacy Practices prior to an intake assessment after the center failed to provide the father of a minor patient with an NPP prior to a mental health evaluation.

  • A covered entity was required to withdraw a $100 “records review fee” charged to a patient for providing the patient with copies of his medical records. Under the Privacy Rule, covered entities are only allowed to charge a reasonable cost-based fee.

  • A private practice was required to implement policies on the verbal communication of PHI after a staff member discussed HIV testing procedures with a patient in the practice´s waiting room – thereby disclosing PHI to others in the waiting room.

  • A radiology practice was required to revise its processes for workers´ compensation disclosures after a patient´s imaging tests were sent to the patient´s employer to support a claim for which the employer´s program was not responsible for payment.

  • A health plan was required to correct a flaw in its computer system, review transactions for a six-month period, and correct corrupted patient information after PHI was included in an explanation of benefits letter mailed to an unauthorized family member.


Examples of HIPAA Violations by Healthcare Employees

Snooping on healthcare records is a fairly obvious HIPAA violation and one that all healthcare employees who have received HIPAA training should know is a violation of their employer’s policies and HIPAA Rules.


Other examples of HIPAA violations often come about as a result of misunderstandings about HIPAA requirements. While each of these common HIPAA violations affect far fewer numbers of patients than the above violations, they can still cause a significant amount of harm to the patient(s) involved and their employer. They can also result in disciplinary action against the employee responsible – including termination.


Listed below are some of the common HIPAA violations committed by healthcare employees. These common HIPAA violations should be covered as part of the HIPAA training given to employees to raise awareness of these frequent areas of noncompliance.


Emailing ePHI to Personal Email Accounts and Removing PHI from a Healthcare Facility

It can be difficult to find the time to complete all the necessary tasks within working hours and it can be tempting to take work home to complete. Removing protected health information from a healthcare facility places that information at risk of exposure. This is a common employee HIPAA violation and may even be routine practice at a healthcare facility that is understaffed. That does not mean it is an acceptable practice.


The same applies to emailing ePHI to personal email accounts. Regardless of the intentions, whether it is to get help with spreadsheets, complete work at home to get ahead for the next day, or to catch up on a backlog, it is a violation of HIPAA Rules.  Further, any emailing of ePHI to a personal email account could be considered theft – the repercussions of which could be far more severe than the termination of an employment contract.


Leaving Portable Electronic Devices and Paperwork Unattended

The HIPAA Security Rule requires PHI and ePHI to be secured at all times. If paperwork is left unattended it could be viewed by an unauthorized individual, be that a member of staff, patient, or visitor to the healthcare facility. Were that to happen it would be considered an impermissible disclosure of PHI.


Electronic devices that contain ePHI must similarly be secured at all times. Electronic devices are portable and valuable. Opportunistic thieves could easily steal an unattended device and gain access to ePHI. There have been many cases of healthcare employees removing unencrypted devices from healthcare facilities, only for them to be stolen from vehicles or homes. Theft can also easily occur within a healthcare facility if devices are not secured. Healthcare employees must ensure that their employer’s policies are followed, and HIPAA Rules are not violated by leaving devices and paperwork unattended.


Releasing Patient Information to an Unauthorized Individual

An authorization form must be obtained from a patient before any of their PHI can be disclosed to a third party for a purpose other than one expressly permitted by the HIPAA Privacy Rule. Disclosing PHI for purposes other than treatment, payment for healthcare, or healthcare operations (and limited other cases) is a HIPAA violation if authorization has not been received from the patient in advance.


Healthcare employees must ensure that, prior to disclosing PHI to a third party, authorization has been obtained from the patient, and information is not disclosed to any individual or company not included on the authorization form. Authorization forms are only valid if they have been signed by the patient or their nominated representative.


Releasing Patient Information Without Authorization

In a similar vein to the previous point, healthcare employees must also exercise caution about the types of information that are released to third parties, even if an authorization form has been received allowing a specific individual, company, or organization to receive PHI.


The authorization form should include what types of information have been authorized to be released. Any information not detailed on the authorization form must remain private and confidential and should not be shared. The disclosure of additional information would violate the HIPAA Privacy Rule.


Disclosures of PHI to Third Parties After the Expiry of an Authorization

All HIPAA authorization forms must include the names or classes of individuals who are being authorized to receive PHI, the types of PHI that will be disclosed, and the reasons for the disclosures. They must also include an expiry date for the authorization.


PHI must not be disclosed to any individual listed on the authorization form after the expiry date has passed, even if authorization has previously been given to that entity to receive PHI. A new authorization form is required before any further disclosure takes place. It should also be noted that an authorization form without an expiry date is not HIPAA compliant.


Impermissible Disclosures of Patient Health Records

The HIPAA Privacy Rule permits patients to obtain a copy of their health records on request or have their records provided to a nominated third party such as a personal representative or other individual. If not collected in person by the patient, the third party must have been given authorization by the patient – on a HIPAA authorization form – to receive the records before they can be released.


Prior to providing copies of patient health records, healthcare employees must verify the identity of the patient or the person collecting the records and must ensure records are only released to an individual authorized to receive them. Care must also be taken to ensure that the correct patient records are released.


Downloading PHI onto Unauthorized Devices

It can be difficult for healthcare IT departments to keep track of all devices that connect to the network, given how many different devices have network access. Ensuring those devices are secured can be an even bigger problem, yet this is a requirement for HIPAA compliance.


Employees need to be aware that there are privacy and security risks associated with downloading ePHI to unauthorized portable electronic devices. Not only does this increase the risk of the accidental disclosure of ePHI – in the event that the device is lost or stolen – it could also be viewed as theft and a HIPAA violation.


Providing Unauthorized Access to Medical Records

It is the responsibility of the covered entity to ensure that access to patient health information and medical records is only given to authorized individuals. This is achieved by implementing access controls via unique logins.


Employees have a responsibility to ensure that they do not give access to health information to co-workers who may not have the same access rights. The sharing of login credentials could not only result in an impermissible disclosure of ePHI but any actions taken by that employee would also be attributed to the individual whose login credentials were used to gain access.


Actual Examples of HIPAA Violations by Employees

HIPAA violations by employees are reportable incidents; however, OCR does not publish details of these violations on its breach portal unless the violations have affected 500 or more individuals. While HIPAA-regulated entities must issue individual notifications to the individuals affected, most do not issue a media notice. As such, the only incidents that tend to get publicity are those involving criminal violations of HIPAA that are pursued by the Department of Justice. However, in a few cases, employees’ contracts are terminated and examples of HIPAA violations by employees are brought to the attention of the outside world. The following is a small selection of those we have reported on:


In May 2013, Dianna Hereford was terminated from her position as a staff nurse at the Norton Audubon Hospital for improperly disclosing the condition of a patient with Hepatitis C. Hereford claimed she was wrongfully dismissed for an incidental disclosure; but her claim was dismissed by Jefferson Circuit Court and by Kentucky´s Court of Appeals when she appealed the decision.


In March 2017, an employee of New Jersey-based BioReference Laboratories was terminated from their position for failing to securely dispose of documents containing the PHI of 1,772 patients. Rather than following the company´s policy for disposing of PHI, which involved shredding the documents before disposing of them, the employee threw the documents into a dumpster.


Also in 2017, an employee of Lowell General Hospital in Massachusetts was fired for snooping on the healthcare records of 769 patients. As mentioned above, snooping on healthcare records is one of the most common HIPAA violations; but whereas it normally impacts patients who are known to the employee, this was an extreme example of a HIPAA violation by an employee.


In 2023, 5 former employees of Methodist Hospital pleaded guilty to unlawfully obtaining the information of patients who had been involved in motor vehicle accidents and disclosing that information to another individual, who sold the data to third parties such as personal injury attorneys and chiropractors. All five individuals were sentenced to probation and were fined for the HIPAA violations, with the fines ranging from $1,000 to $50,000.


Uncommon HIPAA Violations

The common HIPAA violations described above are frequently cited in OCR’s enforcement actions and are common root causes of data breaches; however, there are many types of HIPAA violations. The violations listed below are less common, and in some cases, harder to detect, and do not get reported so frequently.

 

Uncommon HIPAA Violations

Description

Filming Patients without Consent

Filming patients without their consent is a HIPAA violation if it results in the unauthorized disclosure of protected health information, compromising patient privacy and failing to adhere to HIPAA’s requirements for patient consent and privacy protection.

New York Presbyterian Hospital – $2,200,000 penalty for filming patients without consent.

Massachusetts General Hospital– $515,000 penalty for filming patients without consent.

Brigham and Women’s Hospital– $384,000 penalty for filming patients without consent.

Boston Medical Center – $100,000 penalty for filming patients without consent.

Impermissible Data Sharing During Medical Research

Inadequate protection of patient data during collaborative medical research, potentially exposing sensitive information. Researchers must ensure that data sharing adheres to strict privacy safeguards and obtain proper patient consent, when required, to avoid HIPAA violations. Effective safeguards are essential when conducting research that involves patient data that has not been de-identified to prevent unintended exposure.

Huntington Medical Research Institutes Discovers Two HIPAA Breaches

Hospital Researchers Jailed for Stealing and Selling Research Data to China

Non-Secure File Sharing

Sharing patient records through non-secure methods such as personal email accounts or unencrypted file-sharing services is a HIPAA violation. This can occur if proper policies and procedures are not in place and is often the result of insufficient training. Using secure (encrypted) communications tools is necessary to prevent these breaches, and there must be a business associate agreement in place with the provider of a communication platform.

11K Dental Patients’ PHI Uploaded to File Sharing Website

Exposure of Patient Data in Home-Based Care

Lack of adequate data security measures in home-based healthcare settings can lead to unauthorized access to patient records in private residences. Ensuring patient data privacy is essential, even in non-traditional care settings. Secure practices must be used for accessing and transmitting patient information.

Data Issue Arises From Home Diabetes Test

Data Exposure when Working from Home

Exposure of patient data to unauthorized individuals when working from home. When taking paperwork home or working on portable devices, PHI must be protected. While family members and other individuals in the same household may be trusted, they are not authorized to view any patient data. Care must be taken not to leave devices or paperwork unattended with patient data visible.

Potential PHI Disclosure After Employee Works from Home with Hospital Data

Medical Records Sent to Incorrect Patients

Sending medical records to incorrect patients is a HIPAA violation as it constitutes an unauthorized disclosure of protected health information (PHI), compromising patient privacy and failing to safeguard their confidential medical information.

Mailing Error Affects 19,570 Missouri Care Members

Mailing Correspondence with PHI Visible

When PHI is visible on the outside of an envelope or package, it can be easily seen by unauthorized individuals who handle or come into contact with the mail, leading to an unauthorized disclosure of sensitive health information. Patients have the right to expect that their health information will be kept private. Mailing correspondence with visible PHI breaches patient privacy and can cause distress and concern for patients who discover that their sensitive information is exposed. HIPAA mandates that appropriate safeguards, such as physical and administrative safeguards, be in place to protect PHI from unauthorized access or disclosure. Mailing correspondence with visible PHI demonstrates a lack of these safeguards.

Amida Care Mailing Potentially Revealed HIV Status of its Members

Third-Party Mailing Error Sees Aetna Plan Members’ HIV Status Disclosed

Unauthorized Photographs/Sharing of Photographs

Taking photographs of patients without authorization and unauthorized sharing of images is a HIPAA violation. It is not permitted to share photographs of patients with unauthorized individuals, even with other healthcare professionals if the file is shared for reasons other than for treatment, payment, or healthcare operations purposes.

Hospital Staff Shared Photographs of Patient’s Genital Injury

Scrub Nurse Fired for Photographing Employee-Patient’s Genitals

Workplace Sabotage

Deliberate sabotage of healthcare systems, data alteration, or introduction of malware by disgruntled employees is a HIPAA violation. Robust security measures must be implemented, employees should be monitored, and access to data and systems should be promptly revoked when employees are terminated or otherwise leave employment.

Former IT Consultant Charged with Intentionally Causing Damage to Healthcare Company’s Server

Providing Family Members, Friends, and Partners with Access to PHI

Allowing family members, friends, and partners to access a patient’s medical records without proper authorization or accessing records on their behalf and disclosing PHI. Individuals requesting access to patient data must be authorized to access that information, and PHI may only be disclosed to individuals authorized to receive it. Employees must be made aware of their responsibilities under HIPAA.

Criminal HIPAA Violation Case Sees Healthcare Worker Arraigned on 430 Counts

$853,000 Awarded to Patient Whose PHI Was Impermissibly Disclosed to Former Boyfriend

Data Exposure During Telehealth Visits

Inadequate protection of patient data when conducting telehealth visits. While OCR issued a Notice of Enforcement Discretion covering the good faith provision of telehealth services during the pandemic and allowed non-public-facing communication tools for telehealth, the period of enforcement discretion is over. Only HIPAA-compliant communications tools can be used, that encrypt or otherwise secure communications, and there must be a business associate agreement in place.

OCR’s COVID-19 Telehealth Enforcement Discretion Transition Period Ends

Unauthorized Use of Medical Illustrations

Unauthorized use of medical illustrations or images containing patient information in presentations, publications, or websites. Consent must be obtained before any images that have not been de-identified according to HIPAA standards can be used in presentations, publications, or for training purposes.

Student Sues Hospital for Unauthorized Use of PHI as Teaching Tool

Radiology Groups Issue Warning About PHI Exposure in Online Medical Presentations

Medical Students Tracking Patients on EHRs

Medical students tracking former patients on EHRs to view outcomes and progress is a HIPAA violation unless patient consent has been obtained. Accessing the medical records of former patients on EHRs out of curiosity violates patient privacy.

Med Students Violating HIPAA by Tracking Patients on EHRs

Examples of Unintentional HIPAA Violations

Unintentional HIPAA violations can occur when healthcare professionals or organizations inadvertently access or disclose protected health information (PHI) without proper authorization, or when the HIPAA Rules are violated due to a lack of training.

Unintentional HIPAA Violation

Description of HIPAA Violation

Accidental Disclosure in Conversation

Healthcare professionals may inadvertently discuss patient information in public areas, like elevators or cafeterias, without realizing that others can overhear, potentially violating HIPAA confidentiality rules. Such disclosures may occur due to a lack of awareness or caution in maintaining patient privacy.


Careless Talk Sees University of Iowa Worker Fired for HIPAA Privacy Violation

Email Errors

Sending an email containing protected health information (PHI) to the wrong recipient due to an email address autocomplete mistake or selecting the incorrect recipient. This can lead to unauthorized access to sensitive patient data when the email recipient is not authorized to view the information.


Email Error Exposed the PHI of 8,000 Members of FirstCare Health Plans

Email Error Results in Impermissible Disclosure of the PHI of 900 Campbell County Health Patients

Email Error Impacts 6,500 Saliba’s Extended Care Pharmacy Patients

Dermatologist Email Error Exposes 14,910 Patients’ SSNs

University of Cincinnati Email Errors Result in 1,064-Patient Data Breach

Email Error Exposed the PHI of 8,000 Members of FirstCare Health Plans

Faxing Errors

Mistakenly sending a fax with PHI to the wrong fax number or faxing PHI when it may be viewed by unauthorized individuals. Such errors can result in unintended access to patient information by individuals who should not have access to it.


Even HHS Involvement Did Not Stop Months of Fax Privacy Breaches

Faxing Error Sees PHI Sent to Local Media Outlet

Protected Health Information Sent to Incorrect Fax Recipient Over Several Months

New York Hospital Sued for Disclosing Patient’s HIV Status to Employer

Lost or Stolen Devices

Losing electronic devices, such as laptops, smartphones, or tablets, that contain unencrypted patient data, or leaving them in areas where they can easily be stolen. If these devices are lost or stolen, it can inadvertently expose PHI to unauthorized individuals who may gain access to the device’s contents.


Lost Blackberry Device Results in $3.2 Million HIPAA Civil Monetary Penalty for Children’s Medical Center of Dallas

CardioNet Fined $2.5 Million for Laptop Theft and Data Breach

Lack of Encryption Leads to $3 Million HIPAA Penalty for New York Medical Center

Conn. OIG Reaches $90K Settlement with Hartford Hospital and BA Over 2012 Laptop Theft

Lifespan Laptop Theft Exposes ePHI of 20,000 Patients

Improper Disposal of Records

Incorrectly disposing of paper records, like medical charts or billing documents, by placing them in regular trash bins without shredding or using other secure methods to render PHI unreadable, or disposing of electronic devices without securely wiping them. This can lead to unauthorized individuals accessing patient data by retrieving discarded records.


Kaiser Pays $49 Million to Settle Improper Disposal Investigation

Improper Disposal of PHI Results in $300,640 HIPAA Penalty

Improper Disposal Nets Small Pharmacy $125K OCR HIPAA Penalty

HealthReach Community Health Centers Reports Improper Disposal Incident Affecting Almost 117,000 Patients

Improper Disposal Incident at Smith’s Food & Drug Affects Almost 58,000 Patients

Misdirected Mail

Access by Unauthorized Personnel

Allowing healthcare employees without the necessary access permissions to view or handle patient records, and failing to terminate access rights when employees are terminated or leave the company. This oversight can result in unintentional breaches of patient confidentiality.


Failure to Terminate Former Employee’s Access Rights Results in $202,400 HIPAA Fine for New Haven, CT

Failure to Terminate Former Employee’s PHI Access Costs Colorado Hospital $111,400

Pharma Sales Rep Pleads Guilty to Healthcare Fraud and Criminal HIPAA Violations

Survey Reveals Sharing EHR Passwords is Commonplace

Accessing PHI Out of Curiosity


Are Data Breaches HIPAA Violations?

Data breaches are now a fact of life. Even with multi-layered cybersecurity defenses, data breaches are still likely to occur from time to time. OCR understands that healthcare organizations are being targeted by cybercriminals and that it is not possible to implement impregnable security defenses.


Being HIPAA compliant is not about making sure that data breaches never happen. HIPAA compliance is about reducing risk to an appropriate and acceptable level. Just because an organization experiences a data breach, it does not mean the breach was the result of a HIPAA violation.


The OCR breach portal now reflects this more clearly. Many data breaches are investigated by OCR and are found not to involve any violations of HIPAA Rules. When this happens, the investigations are closed without any action being taken.


How are Common HIPAA Violations Discovered?

Common HIPAA violations can continue for many months, or even years before they are discovered. The longer they are allowed to persist, the greater the penalty will be when they are eventually discovered. It is important for HIPAA-covered entities to conduct regular HIPAA compliance reviews (this is required by the HIPAA law) to make sure common HIPAA violations are discovered and corrected before they are identified by regulators.

There are three main ways that common HIPAA violations are discovered:

  1. Investigations into a data breach by OCR (or state attorneys general)

  2. Investigations into complaints about covered entities and business associates

  3. HIPAA compliance audits


Even when a data breach does not involve a HIPAA violation, or a complaint proves to be unfounded, OCR may uncover unrelated HIPAA violations that could warrant a financial penalty.


Nueralink, Elon Musk
Shidonna Raven Garden & Cook, Soaring by Design


How can such practice impact your health? how? Why?








Share the wealth of health with your friends and family by sharing this article with 3 people today.


If this article was helpful to you, donate to the Shidonna Raven Garden and Cook E-Magazine Today. Thank you in advance.





Comments

Rated 0 out of 5 stars.
No ratings yet

Add a rating
bottom of page