HIPAA FINES: 10 Common HIPAA Violations to Avoid

Updated on January 8, 2017
The US DHHS enforces the HIPAA Regulations

Mistakes happen and it is normal for human beings to make errors. But when it comes to HIPAA regulations, making mistakes can cost you and your company millions of dollars in fines or settlement payments.

Many mistakes have been made in the handling of personal health information, and some have been plain silly. Learning from other people's mistakes is the best way to avoid the pain that accompanies these errors.

The following are 10 common mistakes that have resulted in the payment of large fines for HIPAA violations.

1. Telephone Messages to Unauthorized Parties

In this case, a hospital staff member called a patient's home and left a message with the patient's daughter that revealed personal health information, including details of the patient's medical condition and the kind of treatment she was receiving. Under HIPAA, confidential communications must be relayed to the patient through the mode that the patient specifies. Here, the hospital had called her home even though she had specifically stated that any calls should go to her office number.

2. Sending Out More Information Than Is Required

A health provider caused a patient's personal health information to be disclosed when it sent the patient's entire record to an insurance company without authorization. The mistake happened because the patient had used their own authorization form instead of the standard forms when granting authorization. Though the mistake could have been blamed on the patient, it was the health provider's responsibility to use the right document.

3. Failing to Provide Notice of Privacy

A mental institution failed to provide a patient with the notice of privacy that is required before a medical evaluation is carried out. Under HIPAA, patients must be given a notice of privacy that states their rights and obligations before any service is provided by a health institution. The notice describes how the personal health information that will be collected will be used and how the patient can access that information.

4. Insecurely Photocopying Patient Records

A health plan leased photocopying machines that were used to make copies of thousands of patient records. Upon returning the copiers to the leasing company, the health plan realized that it had forgotten to erase the copiers' hard drives. This left the records of thousands of people in the wrong hands and is a serious breach under the HIPAA rules.

[Chart: HIPAA Complaints per Year (y-axis: No. of Complaints). Yearly HIPAA complaints received by the HHS. Source: HHS-OCR]

5. Failure to Secure Online Records

A health provider failed to adequately protect its web-based services, thereby exposing the records of thousands of patients to unauthorized access. The electronic personal health information (ePHI) held in the web application's databases was not secured, and there was no documented assurance that the data could not be accessed by unauthorized parties.

6. Loss of Thumb Drive Containing Health Information

An employee left a thumb drive containing over 2000 records of personal health information in a car; the thumb drive was stolen and never recovered. In addition to the loss itself, the institution did not notify the HHS within the prescribed time, which is thirty days after such an incident.


7. Releasing a Patient's Details to the Media

In response to allegations about the inadequacy of its operating procedures, a medical facility gave a media interview that touched on the personal information of a patient. The medical centre gave details of the kind of treatment the patient had received, and her lab results, without her authorization.

8. Discussing Medical Information of a Patient in Public

A health centre was fined heavily for violating the HIPAA privacy rules when a practitioner discussed patient information within earshot of the public in a waiting room. This was a clear breach because people who were not supposed to have access to the personal health information obtained it by overhearing the conversation.

Did You Know?

The most common compliance issues that the HHS investigates each year include:

  • Impermissible use of personal health information
  • Lack of proper safeguards to prevent loss of electronic data
  • Illegal disclosures of individually identifiable health information
  • Lack of safeguards against disclosures

9. Sending Patient Details to Employers Before the Patient Accesses Them

The health provider in this case sent all of a patient's information from an evaluation to the patient's employer before the patient himself had been given access to it. Under HIPAA, the patient's authorization was required before the information could be sent to the employer. The resulting complaint was resolved under a resolution agreement with the HHS-Office of Civil Rights (OCR).

10. Failure to Provide Access to Records

A covered entity under HIPAA refused to give its employees access to the medical records it held on them, even after repeated requests. The employees wanted their medical records because they were seeking the services of health providers other than the ones the company was using. This refusal to grant the employees access to their records resulted in the company receiving the first ever Civil Money Penalty (CMP) under the HIPAA regulations.

11. Sending Personal Health Information to the Wrong Address

Due diligence must be exercised to ensure that the correct address is used when sending personal health information. In this case the covered entity sent PHI to an address that was not the one in the record and had to have it returned. Though the information was returned intact and was not seen by unauthorized parties, the action still represented a serious violation under HIPAA, because the procedures for handling personal health information were not in place.

Definition of HIPAA Terms

Business Associate: any party that does not work under the Covered Entity but provides support services that put it into contact with patient information, either directly or indirectly.

Criminal Penalties: the fines and jail terms given to parties who misuse personal health information.

Covered Entities: individuals or corporations that provide services in health care. These services include treatment, payment or operations related to the health care industry.

Security Rule: the section of the HIPAA regulations that is meant for the protection of health information that is stored and transmitted electronically.

HIPAA Violations: non-conformities with the HIPAA regulations that will result in criminal or monetary penalties.

Protected Health Information: any individually identifiable health information that is collected by healthcare providers or personnel.

Due Diligence: the taking of all possible and foreseeable steps to prevent a HIPAA violation from occurring.

Business Associate Agreement: a document that defines the roles and responsibilities of the Covered Entities and their Business Associates and acts as an assurance that each party will act in a manner that provides the requisite safeguards against breach of patient rights with regard to information.

Individually Identifiable Health Information: information such as address, name, or social security number that can be used to identify a patient.


    • Ronald Vickery, 10 months ago

      My pharmacist gave out my prescriptions to an ER doctor who did not treat me. Is it a HIPAA violation?

    • Anonymous, 20 months ago

      I go to a small doctor's office for substance abuse treatment and am prescribed Suboxone. My doctor is often not in town and has his office manager/receptionist do my appointments and write my scripts. She has no licensing at all to do so and also claims she has power to completely cut me off meds if she chooses. Is this legal?

    • Anonymous, 21 months ago

      Is it a HIPAA violation when an employee gives out patients' personal information to a former employee?

    • Anonymous, 21 months ago

      My manager let me know today that my workmen's comp asst. would like to speak with both of us in the morning? Not trusting my employer due to the constant harassment, 4 weeks now! Date adjusted on fax, 3 different fonts on one "email" and twisted lines of conversation etc.

    • Anonymous, 3 years ago

      I was waiting in my bed in preop learning the pros and the cons of anesthesia from the anesthesiologist, when I overheard my doctor speaking to a nurse about me, and that the doctors, whoever performed the procedure in the past, did it wrong because it was not done under general anesthesia. He said if you can't use general anesthesia and he can't shave my head then he's not performing the procedure. This was the same area I waited in before they checked me into surgery. I was speaking to my anesthesiologist when we both overheard this. I told her I think my HIPAA rights have just been violated.

    • David Gitachu (AUTHOR), 4 years ago from Nairobi, Kenya

      Thanks toknowinfo--I appreciate the encouraging comment.

    • toknowinfo, 4 years ago

      Important information to help everyone be aware of the HIPAA Privacy rules. Thank you for putting this together. Well done and interesting. Voted up, useful, awesome, and interesting.

    • David Gitachu (AUTHOR), 4 years ago from Nairobi, Kenya

      Glad to know that the information was useful. Thanks for the comment.

    • Terry Harman (THarman7), 4 years ago from Lacey Washington

      Interesting information! A lot of this I had no idea about. Thank you for sharing.
