
10 Common HIPAA Violations

We’ve all heard the horror stories about million-dollar fines for HIPAA violations, from the company that left 71 boxes of patient records sitting on a driveway in Pennsylvania to the hospital staff who snooped on Britney Spears’ medical records. Both of these HIPAA violations ended up costing the organizations involved at least $800,000 each.

It’s enough to make physicians increasingly afraid of communicating with their patients. It is true that the OCR (Office for Civil Rights) is increasing its enforcement efforts; the good news, however, is that very few private practices are doing anything wrong.

We’ve compiled a list of 10 common HIPAA violations that the OCR has investigated. You can see for yourself that if you are careful to keep your patients’ Protected Health Information (PHI) private, there is no need to panic.

1. Protected Health Information Access

Rule: Except in certain circumstances, individuals have the right to review and obtain a copy of their protected health information in a covered entity’s designated record set. (Generally speaking, a designated record set refers to the entire set of information related to a specific individual’s medical history.)

Example: The OCR investigated a case where the mother of a minor child was denied access to her son’s medical record. The practice was following a state regulation that allowed for delivering only a summary of the records.

The OCR determined that the practice must get prior authorization in order to provide a summary instead of the full record. The OCR worked with the private practice to identify corrective action and required the practice to revise its internal policy, and the mother was given a full copy of her son’s records.

The provider chose to follow State rather than Federal regulations when the HIPAA Privacy Rule states otherwise. When State laws contradict the Privacy Rule, then the Privacy Rule requirements will take precedence.

2. Authorization Requirements

Rule: A covered entity must obtain the individual’s written authorization for any use or disclosure of protected health information that is not for treatment, payment or health care operations or otherwise permitted or required by the Privacy Rule.

Example: A health science center released protected health information to a patient’s employer without the correct written authorization.

OCR required that the center revise its patient authorization procedures. The center was also required to mitigate the harm done to the complainant.

At first glance, getting authorization before releasing information appears to be a straightforward rule. However, numerous nuances can occur. If you aren’t sure, err on the side of safety and get prior authorization.

3. Business Associate Agreements

Rule: A business associate is a person or organization, other than a member of a covered entity’s workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information.

Example: A customer of a pharmacy chain complained that a legal firm associated with the pharmacy incorrectly released PHI. Although the OCR found that the PHI was not incorrectly released, they did find that there was not a proper business associate agreement in place. The violation was resolved when the pharmacy chain executed a legitimate agreement with the law firm.

As a covered entity it is your responsibility to ensure that any business associate is properly identified and that an official agreement is in place. The business associate agreement must “impose specified written safeguards” with respect to how the business associate may, or may not, use or disclose protected health information.


4. Conditioning Compliance with the Privacy Rule

Rule: Patients’ rights under the Privacy Rule are not contingent on the patient’s other agreements with a covered entity.

Example: A physician’s practice asked patients to sign a “Consent and Mutual Agreement to Maintain Privacy” agreement in exchange for the physician adhering to the Privacy Rule. The agreement prohibited patients from disclosing information about the physician such as his skills, expertise and treatment methods.

The OCR required the physician to stop using this agreement. Additionally, the practice had to revise its Notice of Privacy Practices.

The reason: every covered entity is obligated to honor a patient’s right to privacy as defined in the Privacy Rule, irrespective of any other contracts between the practitioner and the patient.

5. Communications Issues

Rule: Health plans and covered health care providers must permit individuals to request an alternative means or location for receiving communications of protected health information by means other than those that the covered entity typically employs.

Example: An employee left information on a patient’s home phone voice mail. The patient had specifically asked that all communications be left on her mobile or work phone numbers.

To satisfy OCR, the hospital retrained an entire department on the Privacy Rule’s provisions pertaining to confidential communications. The hospital was also required to revise and republish its patient privacy policy to be certain that all patients were made explicitly aware of the policy.

In cases like this it is important to be aware that patients may not want to share worrisome health information with their families or workplaces. If a patient requests that messages be left at an alternative number, a physician’s office must try to comply.

6. Disclosures to Avert a Serious Threat to Health or Safety

Rule: Covered entities may disclose protected health information that they believe is necessary to prevent or lessen a serious and imminent threat to a person or the public, when such disclosure is made to someone they believe can prevent or lessen the threat (including the target of the threat). Covered entities may also disclose to law enforcement.

Example: A patient was injured in an unusual sporting accident. The hospital released the patient’s PHI, including x-rays, condition and treatment, to local media outlets. The hospital believed they were justified in releasing the information to avoid a threat to the community’s health or safety. When OCR examined the circumstances they determined that the facts did not support the hospital’s disclosure of information.

To remedy this particular issue, OCR required that the hospital develop and implement procedures for handling issues that may pertain to public health and safety. They were also required to educate the staff on the new procedures.

We’ve all seen the media coverage when a prominent figure, a professional athlete for example, is injured. Did you ever wonder how the media was able to release the private health information of the injured person? This hospital’s mistake serves as a reminder to all covered entities to take special care before releasing information, even if you believe it is in the best interests of the community.

7. Impermissible Uses and Disclosures

Rule: A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of PHI.

Example: A hospital patient who was also a hospital employee stated that her PHI was improperly disclosed when her procedure on the operating room schedule was emailed to her supervisor.

OCR determined that while it is permissible to disclose operating room schedules containing PHI via email, it was not permissible to disclose the PHI to a person who was not part of the patient/employee’s treatment team. The employee who disclosed the information was disciplined and retrained. In addition, the hospital did a thorough overhaul of its procedures so that only people with a “need to know” would be copied on operating room schedules.

It is important to understand that your employees have privacy rights too. When treating an employee, take extra care to disclose PHI only to staff who are directly involved in the employee’s care.

8. Using the Minimum Necessary

Rule: A covered entity must make reasonable efforts to use, disclose, and request only the minimum amount of protected health information needed to accomplish the intended purpose of the use, disclosure, or request.

Example: OCR uncovered that a dental practice was flagging the files of patients with a red sticker labeled AIDS. The sticker was on the outside cover of the file and was visible to anyone in the office, including other patients.

The dental practice immediately removed the offending stickers. OCR further required that the practice revise its policies and operating procedures to eliminate the issue. To ensure privacy the practice added necessary information to the inside cover of the patient’s file. When dealing with diseases that can carry a stigma, it’s important to be even more careful with PHI.

9. Notice

Rule: Each covered entity, with certain exceptions, must provide a notice of its privacy practices. The Privacy Rule requires that the notice contain certain elements.

Example: A mental health center did not provide the necessary notification to a father whose minor daughter was being treated at the center. When OCR notified the center of the complaint, the center acknowledged that they had not provided the necessary notice prior to the daughter being treated.

To resolve the issue the mental health center revised its intake procedures so that written acknowledgement of receipt of the notice is obtained prior to a patient’s intake assessment.

This case was not just a matter of lacking the necessary notice information; it was also necessary to adjust procedures so that privacy notices are delivered and acknowledged prior to treatment. This would be a good time to take a look at your current privacy policy to make certain that it is still current. Make certain that you have it posted in all locations as required and that you have all the required elements covered.

10. Safeguards

Rule: A covered entity must maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of protected health information in violation of the Privacy Rule and to limit its incidental use and disclosure pursuant to otherwise permitted or required use or disclosure.

Example: An HMO mailed an explanation of benefits to a family member of the claimant who was not authorized to receive the information. When OCR examined this complaint it uncovered a flaw in the HMO’s computer systems. The flaw put the records of approximately 2000 families at risk of being improperly disclosed.

OCR required that the flaws in the HMO systems be resolved, that the HMO monitor and track all transactions for a period of six months and that all corrupted patient data be corrected.

In looking at recent HIPAA violations, this type of mistake seems to be one of the most common. Although it mainly pertains to larger organizations, it is important to establish safeguards for smaller practices too. Policies for handling paper PHI are especially important. Operational guidelines on how to handle correspondence, faxing and document disposal are paramount.

While big HIPAA violations are big news, due mostly to big fines, more than likely you have all the checks and balances in place to ensure your practice is operating within the guidelines. We shared these 10 issues with you to help you understand what the OCR is looking for.

So remember, there is no need to panic. Instead, take this information and use it to inform yourself of ways to make your practice more compliant.

Don’t forget to check out our instant appointment reminder demo!