What is considered a HIPAA Violation?

A paradigm-changing piece of legislation, the Health Insurance Portability and Accountability Act (HIPAA) of 1996 was formulated to make it easier to manage healthcare, eliminate wastage, prevent healthcare fraud, and see to it that staff members could carry their existing healthcare coverage with them when they were between jobs.

Over the years there have been considerable updates to HIPAA that improve privacy and security protections for patients and health plan members and help ensure that healthcare data and patient privacy are safeguarded. Those changes are known as the HIPAA Privacy Rule, HIPAA Security Rule, HIPAA Omnibus Rule, and the HIPAA Breach Notification Rule.

A HIPAA violation is a failure to comply with any part of the HIPAA standards and provisions detailed in 45 CFR Parts 160, 162, and 164.

The combined text of all HIPAA regulations released by the Department of Health and Human Services Office for Civil Rights runs to 115 pages and includes a large number of provisions. There are hundreds of ways to violate HIPAA Rules, although the most commonly experienced HIPAA violations are:

  • Impermissible sharing of protected health information (PHI)
  • Accessing PHI without adequate authorization
  • Failure to dispose of PHI properly
  • Not conducting a risk analysis
  • Failure to address the identified risks to the confidentiality, integrity, and availability of PHI
  • Failure to implement security measures to ensure the confidentiality, integrity, and availability of PHI
  • Not managing and monitoring PHI access logs
  • Failure to enter into a HIPAA-compliant business associate agreement with relevant vendors before allowing access to PHI
  • Failure to give patients copies of their PHI on request
  • Failure to implement access management controls to oversee who can view PHI
  • Failure to disable access rights to PHI when no longer needed
  • Allowing access to more PHI than is necessary for a particular task to be completed
  • Failure to provide HIPAA and security awareness training for staff
  • Patient records being stolen
  • Handing over PHI to individuals not authorized to receive the data
  • Sharing of PHI on the Internet or via social media without permission
  • Mishandling and incorrect emailing of PHI
  • Sending PHI via SMS
  • Not encrypting PHI, or not using an equivalent measure to stop unauthorized access/disclosure
  • Failure to notify the affected individuals (and the Office for Civil Rights) of a security incident involving PHI within 60 days of the identification of a breach
  • Not documenting compliance efforts

Several actions can be considered HIPAA violations, including:

  1. Unauthorized Disclosure: Sharing PHI with individuals or entities without proper authorization or consent is a HIPAA violation. This includes discussions of patient information in public places, sharing PHI with unauthorized personnel, or disclosing PHI to individuals not involved in the patient’s care.
  2. Data Breaches: Any unauthorized acquisition, access, use, or disclosure of PHI that compromises its security or confidentiality is considered a HIPAA violation. This includes instances where PHI is stolen, lost, or accessed by unauthorized individuals due to inadequate security measures or negligence.
  3. Failure to Protect PHI: Covered entities are required to implement reasonable safeguards to protect PHI from unauthorized access, use, or disclosure. Failing to implement proper security measures, such as encryption, access controls, or employee training, can be considered a HIPAA violation.
  4. Failure to Provide Breach Notifications: In the event of a breach of unsecured PHI, covered entities are obligated to promptly notify affected individuals, the Department of Health and Human Services (HHS), and, in some cases, the media. Failure to provide timely breach notifications is considered a violation of HIPAA regulations.
  5. Inadequate Privacy Policies: Covered entities must have comprehensive privacy policies and procedures in place to protect PHI and ensure compliance with HIPAA requirements. Failing to establish and adhere to privacy policies can result in HIPAA violations.
  6. Improper Use of PHI: PHI should only be accessed, used, or disclosed for legitimate purposes, such as treatment, payment, or healthcare operations. Inappropriately accessing or using PHI for personal gain, curiosity, or any unauthorized reasons is a violation of HIPAA.
  7. Lack of Patient Consent: Covered entities must obtain proper patient consent or authorization before using or disclosing PHI for purposes not directly related to treatment, payment, or healthcare operations. Using PHI without obtaining valid consent is a HIPAA violation.

How are HIPAA Violations Found?

Many HIPAA violations are found by HIPAA-covered entities through internal reviews and audits. Supervisors may identify employees who have violated HIPAA Rules, and employees often self-report HIPAA violations and potential breaches by colleagues.

The HHS’ Office for Civil Rights (OCR) is the chief enforcer of HIPAA Rules and looks into all complaints of HIPAA violations reported by healthcare workers, patients, and health plan members. OCR also reviews all covered entities that report breaches of more than 500 records and investigates certain smaller breaches. In addition, OCR conducts periodic audits of HIPAA covered entities and business associates.

State attorneys general have also been given the power to investigate breaches. Investigations are often triggered by complaints about potential HIPAA breaches and by reports of breaches of patient records.

What Fines for Violations of HIPAA Rules are Possible?

The fines for breaches of HIPAA Rules can be very high. State attorneys general can apply fines of up to a maximum of $25,000 per breach category, per calendar year. OCR can apply fines of up to $1.5 million per violation category, per year. Multi-million-dollar fines can be – and have been – applied.

While healthcare providers, health plans, and business associates of covered entities can be sanctioned with fines, individuals who breach HIPAA Rules can also be fined, and criminal penalties may apply. A prison term for breaching HIPAA is a possibility, with some breaches resulting in a prison term of up to 10 years.

In conclusion, a HIPAA violation refers to any unauthorized use, disclosure, or breach of protected health information (PHI) that contravenes the provisions set forth in the Health Insurance Portability and Accountability Act (HIPAA). It encompasses actions such as unauthorized disclosure, data breaches, failure to protect PHI, lack of breach notifications, inadequate privacy policies, improper use of PHI, and lack of patient consent. The consequences of HIPAA violations can range from financial penalties to criminal charges, underscoring the significance of complying with HIPAA regulations.

Protecting patient privacy and the security of PHI is paramount in maintaining trust and confidentiality within the healthcare system. Healthcare entities, covered entities, and business associates must implement robust safeguards and privacy policies to ensure the responsible handling of PHI. Compliance with HIPAA not only upholds patients’ rights but also fosters a culture of privacy, security, and accountability in the healthcare industry.

It is essential for healthcare professionals, organizations, and individuals to be aware of the potential HIPAA violations and the necessary measures to prevent them. By adhering to the standards and requirements outlined in HIPAA, healthcare entities can ensure the protection of PHI and uphold the privacy and security rights of patients.

Overall, the enforcement of HIPAA regulations plays a critical role in safeguarding PHI, promoting patient trust, and ensuring the responsible handling of sensitive health information. By respecting patient privacy and adhering to HIPAA guidelines, healthcare entities can contribute to a healthcare landscape that prioritizes the confidentiality, integrity, and security of individuals’ PHI.

About Elizabeth Hernandez
Elizabeth Hernandez is a reporter for ComplianceHome and a journalist with a focus on IT compliance and security. She combines her knowledge of information technology and a keen interest in cybersecurity to report on issues related to IT regulations and digital security. Elizabeth's work often touches on topics like GDPR, HIPAA, and SOC 2, exploring how these regulations affect businesses and individuals. Elizabeth emphasizes the significance of compliance regulations in digital security and privacy. https://twitter.com/ElizabethHzone