7 Most Common HIPAA Violations That Can Cost Your Practice

Published: February 17th, 2016

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) set national standards for the confidentiality, security, and transmission of protected health information (PHI). Violations can result in civil penalties ranging from $100 per violation up to an annual maximum of $1.5 million for violations of the same provision, and providers can also face sanctions or loss of license. To reduce the risk of penalties, medical practices should keep their policies and procedures current and give employees ongoing compliance training. Below are some of the most common HIPAA privacy violations and the measures that can be taken to protect patient health information.

1. Database breaches

In 2015, data breaches cost the healthcare industry nearly $6 billion, with an average economic impact of $2,134,800 per organization. Medical identity theft has more than tripled over the past five years, and breaches have exposed the health data of close to a third of the US population. It can happen to an organization or practice of any size, which is why the appropriate safeguards matter: network firewalls, encryption of PHI at rest and in transit, unique user IDs with password-restricted, role-based access, and audit logging of who opened which record.

2. Lost or stolen devices

Another very common HIPAA violation is the loss of PHI through lost or stolen laptops, desktops, smartphones, and other devices that hold patient information. Mobile devices are the easiest to lose or steal because of their size, so the necessary safeguards should be in place before a device leaves the building: a password or PIN with automatic screen lock, full-device encryption, and the ability to wipe the device remotely. Encryption is the safeguard that matters most here: under the HIPAA Breach Notification Rule, PHI that was encrypted to the standard described in HHS guidance is not considered "unsecured", so the loss of a properly encrypted device does not by itself trigger breach notification.

3. Employees accessing patient files without authorization

Employees accessing patient information they have no job-related need to see is another very common HIPAA violation. Whether it is done out of curiosity, spite, or as a favor for a relative or friend, it is unlawful and can cost a practice substantially. Individuals who use or sell PHI for personal gain can face fines and even prison time. Because this kind of snooping leaves no obvious trace, practices should log record access and review those logs for views that have no care relationship behind them.
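The review described above is what the HIPAA Security Rule's audit-controls standard (45 CFR 164.312(b)) exists to support. The following is an added example, not code from the original article: it parses a small, constructed EHR access log, compares each view against a constructed care-team table, and reports views by users with no care relationship, keeping break-glass views visible for review instead of accepting them silently. The log format, the care-team table, and the user and patient IDs are all assumptions; a real EHR exports its audit trail in its own format.

```python
"""Review an EHR access log for snooping: record views by users who are not on
the patient's care team and did not document a break-glass reason.

Added example, not part of the original article. The log format, the care-team
table and the user/patient IDs are all constructed for illustration."""
from collections import Counter
from dataclasses import dataclass

# Constructed sample audit log (synthetic data). Columns:
# timestamp,user_id,role,patient_id,action,break_glass_reason
SAMPLE_LOG = """\
2016-02-10T08:02:11,u100,nurse,p5001,view,
2016-02-10T08:05:43,u100,nurse,p5002,view,
2016-02-10T12:14:09,u214,billing,p5001,view,
2016-02-10T12:16:55,u214,billing,p5003,view,
2016-02-10T13:40:02,u300,physician,p5003,view,
2016-02-10T17:22:30,u100,nurse,p5003,view,
2016-02-10T17:23:01,u100,nurse,p5004,view,
2016-02-10T21:05:12,u350,physician,p5004,view,ED patient unresponsive
"""

# Constructed care-team table: patient -> users with a treatment, payment or
# operations reason to open that chart (assumption: the practice maintains this).
CARE_TEAM = {
    "p5001": {"u100", "u300"},
    "p5002": {"u100"},
    "p5003": {"u300", "u214"},   # u214 is the assigned billing clerk
    "p5004": {"u300"},
}


@dataclass(frozen=True)
class Access:
    ts: str
    user: str
    role: str
    patient: str
    action: str
    reason: str  # empty unless the user invoked break-glass


def parse_log(text):
    """Parse the comma-separated audit log; the reason field may be empty."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action, reason = line.split(",", 5)
        records.append(Access(ts, user, role, patient, action, reason.strip()))
    return records


def flag_unauthorized(records, care_team):
    """Return (access, finding) pairs for every view outside the care team.

    Break-glass access is allowed by policy but must still be reviewed, so it
    is returned with its own finding rather than silently accepted."""
    findings = []
    for r in records:
        if r.user in care_team.get(r.patient, set()):
            continue
        if r.reason:
            findings.append((r, "break-glass: verify the documented reason"))
        else:
            findings.append((r, "no care-team relationship"))
    return findings


def count_by_user(findings):
    """Tally findings per user so repeat offenders rise to the top of the review."""
    return dict(Counter(r.user for r, _ in findings))


if __name__ == "__main__":
    findings = flag_unauthorized(parse_log(SAMPLE_LOG), CARE_TEAM)
    for r, why in findings:
        print(f"{r.ts} {r.user} ({r.role}) viewed {r.patient}: {why}")
    print("per user:", count_by_user(findings))
```

On the sample data the nurse u100 is flagged twice for charts outside her assignment and the billing clerk u214 once; the physician u350's break-glass view is listed separately so a reviewer can confirm the emergency was real. In practice the care-team table comes from scheduling, admission and billing assignment data, and the same pass can be extended with checks the page does not show, such as employees opening their own or a relative's chart.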

4. Lack of training

One of the most common causes of a HIPAA violation is employees who are not familiar with the regulations. Often only managers, administrators and nurses receive training, even though HIPAA requires training for all employees, volunteers, interns and anyone else with access to patient information. Compliance training is one of the most proactive and easiest ways to avoid a violation.

5. Improper disposal of protected health information

Paper records containing PHI should always be shredded or otherwise destroyed, not simply thrown away. It is also important to remember that photocopiers and multifunction printers store images of what they copy on an internal hard drive; if a copier is returned at the end of a lease, sold, or discarded without that drive being wiped, the PHI on it leaves with the machine and that, too, is a HIPAA violation. Establishing and posting policies and procedures for keeping PHI locked and secured while in use and for disposing of it properly will remind employees and prevent a potential violation.

6. Employees disclosing patient information

Employees gossiping about patients to friends or coworkers is another very common HIPAA violation that can cost a practice a significant fine. Employees must be mindful of their surroundings, keep conversations about patients to private places, and never share patient information with friends and family.

7. Authorization requirements

A patient's written authorization is required for any use or disclosure of their PHI that is not for treatment, payment or healthcare operations and is not otherwise permitted by the Privacy Rule. If an employee is not sure whether a disclosure is permitted, it is always best to obtain authorization before releasing any information.

The privacy and security of patient health information should be a priority for all healthcare providers and professionals. Most violations can easily be prevented by building HIPAA requirements into practice policies and procedures and ensuring that everyone with access to patient information receives proper training.