HIPAA FINES: 10 Common HIPAA Violations to Avoid

Updated on January 8, 2017
The US DHHS enforces the HIPAA Regulations

Mistakes happen and it is normal for human beings to make errors. But when it comes to HIPAA regulations, making mistakes can cost you and your company millions of dollars in fines or settlement payments.

Many mistakes have been made in the handling of personal health information and some have just been plain silly. Learning from other peoples’ mistakes is the best way to avoid the pain that accompanies these errors.

The following are common mistakes that have resulted in large fines or settlement payments for HIPAA violations.

1. Telephone Messages to Unauthorized Parties

In this case, a hospital staff member called a patient’s home and left a message with the patient’s daughter that revealed protected health information, including details of the patient’s medical condition and the treatment she was receiving. Under the HIPAA Privacy Rule, a covered entity must accommodate a patient’s reasonable request to receive confidential communications by a particular means or at a particular location. This patient had specifically asked that any calls go to her office number, yet the hospital called her home.

2. Sending Out More Information Than Is Required

A health care provider disclosed a patient’s protected health information when it sent the patient’s entire record to an insurance company without a valid authorization. The mistake arose because the patient had used their own authorization form instead of the provider’s standard form. Though the mistake could be blamed on the patient, it was the provider’s responsibility to ensure a valid authorization was on file and to send only the information that authorization covered.

3. Failing to Provide Notice of Privacy

A mental health facility failed to give a patient the notice of privacy practices that must be provided before a medical evaluation is carried out. Under HIPAA, patients must be given a notice of privacy practices that states their rights and obligations no later than the first time a covered health care provider delivers a service to them. The notice describes how the protected health information collected will be used and disclosed, and how the patient can access that information.

4. Insecurely Photocopying Patient Records

A health plan leased photocopiers that it used to copy thousands of patient records. Only after returning the copiers to the leasing company did the health plan realize that it had not erased their hard drives. Digital copiers keep an image of every page they scan or copy on an internal drive, so the records of thousands of people ended up in the wrong hands, a serious breach under the HIPAA rules. Before any copier, printer or other storage-bearing device leaves your control, wipe or physically remove its drive and keep a record that you did so; the Security Rule’s device and media controls require exactly this kind of disposal procedure.

[Chart: yearly HIPAA complaints received by the HHS. Source: HHS-OCR]

5. Failure to Secure Online Records

A health care provider failed to adequately protect its web-based services, exposing the records of thousands of patients to unauthorized access. The electronic protected health information (ePHI) held in the web application’s databases was not secured, and the provider had no documented assurance, such as a risk analysis or tested access controls, that the data could not be reached by unauthorized parties.

6. Loss of Thumb Drive Containing Health Information

An employee left a thumb drive holding the records of more than 2,000 patients in a car; the drive was stolen and never recovered. Compounding the loss, the institution did not notify the HHS within the prescribed time, which for a breach affecting 500 or more individuals is without unreasonable delay and no later than 60 days after discovery. Had the drive been encrypted, the data would have counted as “secured” PHI under HHS guidance and the theft would not have been a reportable breach.


7. Releasing a Patient's Details to the Media

In response to allegations that its operating procedures were inadequate, a medical facility gave a media interview that touched on a patient’s personal information. The medical centre disclosed the kind of treatment the patient had received and her lab results without her authorization.

8. Discussing Medical Information of a Patient in Public

A health centre was fined heavily for violating the HIPAA Privacy Rule when a practitioner discussed a patient’s information within earshot of the public in a waiting room. This was a clear breach because people who had no right to the patient’s protected health information obtained it simply by overhearing the conversation.

Did You Know?

The most common compliance issues that the HHS investigates each year include:

  • Impermissible use of personal health information
  • Lack of proper safeguards to prevent loss of electronic data
  • Illegal disclosures of individually identifiable health information
  • Lack of safeguards against disclosures

9. Sending Patient Details to Employers Before the Patient Accesses Them

In this case the health care provider sent the full results of an evaluation to the patient’s employer before the patient himself had been given access to them. Under HIPAA the patient’s authorization was required before the information could be sent to the employer. The resulting complaint was settled under a resolution agreement with the HHS Office for Civil Rights (OCR).

10. Failure to Provide Access to Records

A covered entity under HIPAA failed to give its employees access to the medical records it held on them, despite repeated requests. The employees wanted their records because they were seeking care from health providers other than the ones the company used. The Privacy Rule requires a covered entity to act on an access request within 30 days, and this refusal earned the company the first ever Civil Money Penalty (CMP) imposed under the HIPAA regulations.

11. Sending Personal Health Information to the Wrong Address

Due diligence must be taken to ensure that the correct address is used when sending protected health information. In this case the covered entity mailed PHI to an address that was not the one on record and had to have it returned. Although the information came back intact and was not seen by unauthorized parties, the incident still represented a serious violation under HIPAA, because the entity had no procedures in place for handling protected health information correctly.

Definition of HIPAA Terms

Business Associate: any party that is not part of the Covered Entity’s workforce but performs services on its behalf that bring it into contact with protected health information, directly or indirectly.

Criminal Penalties: the fines and jail terms given to parties who knowingly misuse protected health information.

Covered Entities: the health plans, health care clearinghouses and health care providers that transmit health information electronically in connection with treatment, payment or health care operations, and that are therefore bound by HIPAA.

Security Rule: the section of the HIPAA regulations that protects health information stored and transmitted electronically (ePHI).

HIPAA Violations: non-conformities with the HIPAA regulations that can result in criminal or monetary penalties.

Protected Health Information (PHI): any individually identifiable health information held or transmitted by a covered entity or its business associates, in any form.

Due Diligence: taking all reasonable and foreseeable steps to prevent a HIPAA violation from occurring.

Business Associate Agreement: a contract that defines the roles and responsibilities of a Covered Entity and its Business Associate and commits each party to the safeguards required to protect patient information.

Individually Identifiable Health Information: health information that identifies the individual, or could reasonably be used to identify them, such as a name, address or social security number attached to a diagnosis, treatment or payment record.



    • Ronald Vickery 7 months ago

      My pharmacist gave out my prescriptions to an ER doctor who did not treat me. Is it a HIPAA violation?

    • Anonymous 17 months ago

      I go to a small doctor’s office for substance abuse treatment and am prescribed Suboxone. My doctor is often not in town and has his office manager/receptionist do my appointments and write my scripts. She has no licensing at all to do so and also claims she has the power to completely cut me off meds if she chooses. Is this legal?

    • Cindy32 18 months ago

      Is it a HIPAA violation when an employee gives out patients’ personal information to a former employee?

    • Jacknjill 18 months ago

      My manager let me know today that my workmen’s comp assistant would like to speak with both of us in the morning? Not trusting my employer due to the constant harassment, 4 weeks now! Date adjusted on the fax, 3 different fonts on one “email” and twisted lines of conversation etc.

    • nlbrown 3 years ago

      I was waiting in my bed in pre-op learning the pros and cons of anesthesia from the anesthesiologist, when I overheard my doctor speaking to a nurse about me, and that the doctors, whoever performed the procedure in the past, did it wrong because it was not done under general anesthesia. He said if you can’t use general anesthesia and he can’t shave my head then he’s not performing the procedure. This was the same area I waited in before they checked me into surgery. I was speaking to my anesthesiologist when we both overheard this. I told her I think my HIPAA rights have just been violated.

    • David Gitachu 4 years ago from Nairobi, Kenya

      Thanks toknowinfo--I appreciate the encouraging comment.

    • toknowinfo 4 years ago

      Important information to help everyone be aware of the HIPAA Privacy rules. Thank you for putting this together. Well done and interesting. Voted up, useful, awesome, and interesting.

    • David Gitachu 4 years ago from Nairobi, Kenya

      Glad to know that the information was useful. Thanks for the comment.

    • Terry Harman 4 years ago from Lacey Washington

      Interesting information! A lot of this I had no idea about. Thank you for sharing.