Top 10 HIPAA violations, and how to avoid them

By Liz Meszaros, MDLinx
Published October 9, 2018

Key Takeaways

As a practicing physician, the responsibility of ensuring Health Insurance Portability and Accountability Act (HIPAA) compliance—for yourself and all staff members—rests squarely on your shoulders. HIPAA violations can incur substantial fines for an offending practice, as well as sanctions and loss of license to practice medicine for individuals. Yet, violations are common and often inadvertent.

Established in 1996, HIPAA is legislation that provides for data privacy and security provisions for safeguarding medical information. Under the HIPAA Privacy Rule, health-care providers are required to protect and keep confidential all personal health information for patients, and are strictly regulated in the use or disclosure of such information without proper authorization from the patient. This information is referred to as PHI—or protected health information—and includes all individually identifiable health information, including demographic data, medical histories, test results, insurance information, and other information used to identify a patient or provide health-care services or health-care coverage.

To make compliance easier for you and your staff, here’s a list of 10 common HIPAA violations, and tips for avoiding them:

  1. Unsecured medical records: All documents with patient health information should be kept in a secure location at all times. This includes both physical and digital files. Keep the former locked in a filing cabinet, office, or desk and the latter encrypted and password-protected. Instruct staff to avoid leaving charts in exam rooms, for example.
  2. Lost or stolen devices: Store any devices—including laptops, desktops, tablets, smartphones, and other devices holding any electronic patient information—in a secure location, and make sure that all devices are password protected and encrypted. Mobile devices are the most vulnerable to loss or theft because of their size, and you can be fined when patient data is accessed through a lost or stolen device.
  3. Hacking: Hacking is always a real threat, and all physicians need to protect their medical practices proactively. Keep all antivirus software updated and active, use firewalls, and change passwords frequently. In addition, use complex, hard-to-guess passwords.
  4. Unencrypted data: If any device containing patient health information is lost or stolen, encryption offers added protection. While not always required by HIPAA, encryption is nonetheless highly recommended for all files. Also check your state's regulations for laws requiring electronic protected health information (ePHI) and personally identifiable information (PII) to be encrypted.
  5. Lack of training: HIPAA requires that all employees who come in contact with PHI be trained on HIPAA requirements and safeguards, as well as on the individual practice's policies and procedures relating to the data.
  6. Employee sharing of PHI: Employees discussing patients with friends or coworkers is a HIPAA violation and can incur a heavy fine. If PHI is to be discussed, it should be done privately and only with appropriate staff. Make sure all staff members know this, and caution them to always be aware of their surroundings and to avoid sharing patient information with friends and family.
  7. Illegal file access: Employees attempting to access PHI they are not authorized to view is a common HIPAA violation and can incur substantial fines for a practice. Speak with all members of the staff and train them in the proper procedures and the consequences of violating them. Remind them that it is illegal to access patient files as a favor to friends or relatives, or out of curiosity or spite. Those who use or sell PHI are subject to fines and possible prison time.
  8. Improper record disposal: Proper disposal of all PHI is one of the most vital HIPAA requirements to enforce. Improper disposal of patient records could put patient health information in the hands of the wrong person, which constitutes a HIPAA violation. All staff members should understand that any medium containing PHI must be properly destroyed: paper records shredded, and electronic files wiped from hard drives or the media itself destroyed.
  9. Unauthorized information release: Improper release of PHI to unauthorized family members or other individuals is a HIPAA violation. So is the release of patient health information about public figures or celebrities to the media. Only dependents and those with Power of Attorney are allowed access to the information of a family member.
  10. Home computer access: Occasionally, physicians use their home computers or laptops to access patient records to catch up on or follow up on notes after hours. Leaving the information visible—say, on a screen that is accidentally left open—can result in unauthorized viewing of the PHI by family members. Be careful with data, use password protection, and keep screens out of sight.

HIPAA violations can carry fines as high as $50,000 per occurrence, and a maximum annual penalty of $1.5 million per violation. Some violations also carry criminal charges that could result in jail time.

Fines and charges are categorized into “Reasonable Cause,” which ranges from $100 to $50,000 per incident with no jail time involved, and “Willful Neglect,” which ranges from $10,000 to $50,000 per incident and carries the possibility of criminal charges.

It is imperative for clinicians and all staff to proactively work to ensure HIPAA compliance at all times. Effective and regular staff training is vital to avoid HIPAA violations. Train your staff to be careful with PHI, and share it only with those authorized to know. And remember to be vigilant yourself.
