What Is a HIPAA Violation: 26 Examples and How to Avoid Them

Find out what a HIPAA violation is, how they are reported, and how to prevent them from occurring. 

What Is a HIPAA Violation? 

As a healthcare provider, it is essential to do everything you can to avoid HIPAA violations. Civil penalties are tiered by culpability and can exceed $50,000 per violation, with an annual cap per type of violation; a violation may also cost you your professional license; and knowingly obtaining or disclosing PHI is a federal crime that carries up to one year in prison, rising to up to ten years when the PHI is obtained or disclosed for commercial advantage or malicious harm.

But you might be wondering, "What is a HIPAA violation?" A HIPAA violation is any use, disclosure, or handling of protected health information (PHI) that fails to comply with the Health Insurance Portability and Accountability Act (HIPAA) and its Privacy, Security, and Breach Notification Rules. PHI is any individually identifiable health information held or transmitted by a covered entity or its business associates, in any form: paper, spoken, or electronic.

All providers must ensure that they comply with HIPAA regulations. Fortunately, there are ways to avoid making one of these costly errors. We'll review 26 of the most common HIPAA violation examples and what you can do to prevent them.

HIPAA Violation Examples

1. Employees Divulging Patient Information

Patient information needs to be kept private. Employees talking about patients to coworkers who aren't involved in the patient's care, or to friends, is a HIPAA violation that can land you in a world of hurt. Employees can't share patient information with friends, family members, or outside vendors or organizations unless the recipient has a treatment, payment, or operations need for it and, in the case of vendors, a signed business associate agreement (BAA). Employees should only discuss patient information in private places and only with personnel who need it for the patient's care. There's no reason to share such information with anyone else.

2. Medical Records Falling into the Wrong Hands

Mishandling patient records is one of the most common HIPAA violations. It happens most often when a clinic uses paper records or charts: a clinician accidentally leaves a chart in an exam room and the next patient reads it. Patient records should always be kept in a locked space, and charts should never be left unattended where others can stumble upon them.

3. Stolen Items

If a device containing PHI, such as a laptop or smartphone, is lost or stolen, that is a breach of unsecured PHI and can result in a hefty fine. A password alone is not enough: anyone who removes the drive can read an unencrypted disk. Every device that stores PHI should have full-disk encryption, a login password, and a short auto-lock timeout. Under the Breach Notification Rule, PHI that is encrypted in line with HHS guidance is considered "secured," so losing an encrypted device generally does not trigger breach notification, while losing an unencrypted one does. Be sure to lock any device with PHI as soon as you're done using it; encryption doesn't help if the laptop is left open and logged in while you go do something else.

4. Lack of Proper Training

One of the best ways to avoid a HIPAA violation is to train your employees on your policies. You need to establish policies that ensure patients' information is protected and kept confidential at all times. Employees who are properly trained on how to avoid HIPAA violations are much less likely to make such mistakes.

However, mistakes will be made. When a breach occurs, you need a plan for handling it appropriately. Training should be held regularly so that all employees, old and new, know your policy: train every new employee on your policy at hiring and hold quarterly refresher sessions to keep it fresh in everyone's mind. Keep a record of who attended each session; HIPAA requires you to document that the training took place.

5. Texting Private Information

While texting patient information may seem fast and effective, ordinary SMS is not encrypted, is stored by the carrier and on every handset involved, and can't be recalled once sent, so it exposes the information to anyone who gets hold of the message. Don't put a patient's name or other PHI in a plain text message. If you do, each message can count as a separate violation, and you're legally required to report breaches of unsecured PHI. Secure messaging apps encrypt the content so it can be sent safely, but both parties have to be using the same app, and they rarely are.

A good electronic medical record (EMR) software will provide ways for clinicians to exchange such information efficiently and in accordance with HIPAA. Check with your EMR provider to see what can be done to make your communications compliant. If you're looking for a new EMR, we'll give you a free demo here. You can also learn more about the features of our EMR here.

6. Passing Patient Information Through Skype or Zoom

Texting isn't the only common kind of communication that can be a HIPAA violation. Consumer messaging and video tools such as personal Skype or Zoom accounts are another way clinic employees frequently communicate about patients, and the same problems apply: there is no business associate agreement (BAA) with the vendor, no control over where the conversation is stored, and no audit trail. If you use a video or chat platform for PHI, use a business or healthcare plan whose vendor signs a BAA and configure it accordingly (encryption, access controls, and logging). This is part of why it's so important to have a good EHR. If you're looking for new EHR software, you can learn what to look for here.

7. Discussing Information Over the Phone

Another potential HIPAA violation that's easily overlooked is discussing information over the phone. When you're discussing a patient's information on the phone, you need to be in a private place where others can't hear you. Talking about a patient in a public area where others can overhear you is a HIPAA violation, and so is leaving detailed clinical information on a voicemail or with whoever answers the phone without first confirming who you're speaking to.

8. Posting on Social Media

You absolutely cannot post photos of your patients on social media. It's a definite HIPAA violation even if no names or other details are posted: a full-face photo is itself one of HIPAA's identifiers, and people can easily recognize the patient and the doctor, which reveals unwanted information about the patient's health. This should definitely be covered in policy training. No matter how harmless the intent, this can result in huge fines and is very easy to prove.

9. Employees Accessing Patient Files and Charts Without Authorization

This is a very common HIPAA violation, and frankly the reason doesn't matter. Employees may only access patient information when they need it for their job and have been authorized to do so. Looking up a record out of curiosity, or to help a friend or relative, is illegal. Every EHR keeps an audit log of who opened which record, so this kind of snooping is also easy to detect after the fact.

10. Using PHI for Personal Gain

It should go without saying that using or selling PHI for personal gain is illegal. In addition to a large fine, it can also result in prison time. Again, make sure this is covered in your training for new employees and in quarterly refreshers.

11. Disclosing PHI Without Written Authorization

Before PHI can be disclosed for purposes other than treatment, payment, or healthcare operations (or one of the specific disclosures HIPAA separately permits or requires, such as those required by law), you must obtain a valid written authorization from the patient. If you or one of your employees aren't sure whether a disclosure is covered, it's always best to err on the side of caution and get written authorization first.

12. Home Computers

It's not uncommon for doctors and nurses to use their own computers to access patient information after hours for notes. In itself, this isn't a HIPAA violation, but it can very easily turn into one if the screen is left on and a family member sees the patient's information. As we mentioned before, laptops, computers, and smartphones should always be locked, encrypted, and password protected when you aren't using them, and it's safer to work through the EMR than to download copies of records onto a personal machine. Again, make sure this is covered in your policy trainings.

13. Inquiries in Social Settings

It's very common for people to approach clinicians in a social setting asking about someone they know who is a patient. When you think about it, it makes perfect sense: patients, their friends, and their family members have no reason to know HIPAA law. But that doesn't make revealing PHI in these settings HIPAA compliant. The best way to avoid this is to have a planned response for these situations that neither confirms nor denies that the person is a patient and gives away no personal information.

14. Late Breach Reporting

No matter how well-trained or experienced a healthcare provider is, they can still have HIPAA violations from time to time. What's crucial is to make sure the issue is responded to, documented, and resolved as quickly as possible.

Under the HIPAA Breach Notification Rule, affected individuals must be notified without unreasonable delay and no later than 60 calendar days after the breach is discovered. A breach affecting 500 or more individuals must be reported to HHS within that same 60-day window and, when the affected individuals are residents of one state or jurisdiction, to prominent media outlets there; smaller breaches are logged and reported to HHS within 60 days after the end of the calendar year in which they were discovered. Keep a written record of the internal investigation, including what was disclosed, to whom, and the risk assessment used to decide whether notification was required.

15. Releasing Records After Authorization Date

Patients can set an expiration date or event on an authorization, and every valid authorization must state one. Releasing confidential patient records after that date has passed is a HIPAA violation. It's important to pay attention to the details.

16. Missing Patient Signature

Patients often miss a signature when filling out authorization forms. If the form isn't signed and dated, it's invalid, and releasing information under an invalid authorization is a HIPAA violation. The solution is simple and obvious: check every authorization form for a signature and date before acting on it.

17. Providing Security With Too Much Information

Security personnel in health clinics need to know the name and room number of patients so they can direct friends and family members to the right room. Disclosing that much is compliant. However, they don't need treatment details or diagnoses, and giving them that information violates the minimum necessary standard.

18. Nurses "Need to Know"

Nurses need access to private information for the patients they are responsible for in their unit. But giving a nurse PHI about patients in another nurse's unit is a HIPAA violation. There's no need for them to have access to information for patients they aren't responsible for, and the access controls in your EHR should reflect that.

19. Regulations for "Minimum Necessary"

HIPAA's minimum necessary standard requires you to limit each use, disclosure, or request of PHI to the minimum needed for its purpose. A health insurance company processing a claim typically needs the dates of service, the procedure and diagnosis codes billed, and similar billing details, but not the patient's entire history. This is easy to overlook because you already have to give the insurer some information about the patient and it may seem harmless to send more. But don't: send only what the request requires.

20. Sending Private Information Via Email

Another common HIPAA violation is sending PHI in ordinary, unencrypted email. The reasons are the same as for the other communication channels we discussed: the message passes through and sits on mail servers you don't control, and a compromised mailbox or a mistyped address exposes everything in it. For those of us who aren't hackers, it might seem harmless, but attackers regularly break into email accounts. If PHI has to go by email, use a service that encrypts it (or a patient portal instead), verify the recipient address before sending, and include only the minimum necessary in the message.

21. Media Interviews of Patients

From time to time, a member of the media may want to interview a patient for a story. This happens less frequently, but you can't let the media interview or film patients in your facility without the patient's valid written authorization, and for substance use disorder patients the federal confidentiality rules in 42 CFR Part 2 impose even stricter limits on revealing that someone is in treatment. Doing it without authorization is a HIPAA violation because it discloses PHI. Even if a patient is okay with it, we'd still recommend staying away from the idea completely.

22. Releasing Information Without Consent

This may seem obvious; nevertheless, it happens. Releasing information about a minor without the consent of the parent or guardian who acts as the minor's personal representative (subject to state-law exceptions, for example care the minor can consent to on their own) is a HIPAA violation. Not only that, it can cause problems with the parents or guardians and even result in a lawsuit.

23. Releasing The Wrong Patient's Information

This is where you have to be extra careful. Anybody can make a mistake, but that doesn't make it legal. If you or one of your coworkers releases information to the wrong patient, it's a HIPAA violation. This tends to happen when you have patients with the same or similar names. Train your staff to verify at least two identifiers, such as full name and date of birth, and to double check what information they're releasing.

24. Right to Revoke Clause

Every HIPAA authorization form your patients sign needs to contain the elements the Privacy Rule requires, including a statement of the patient's right to revoke the authorization in writing. An authorization missing that statement is not valid, and any information you release to a third-party organization under an invalid authorization violates HIPAA.

25. Releasing Information to an Undesignated Party

You're only allowed to give patient information to the exact person or organization named on the authorization form. Releasing it to anyone else, even a relative or colleague of the named recipient, violates HIPAA regulations.

26. Disposal of Records

When you dispose of a patient's information, it has to be rendered unreadable and impossible to reconstruct. Shredding, pulping, or burning is a great way to dispose of paper records. Electronic media need the same care: wipe or physically destroy drives and phones before they leave your control (HHS points to NIST SP 800-88 for media sanitization), and make sure any shredding or disposal vendor has signed a BAA.

How Are HIPAA Violations Detected?

HIPAA violations are commonly detected through audits, complaints, breach reports, and internal monitoring. The Office for Civil Rights (OCR) runs a compliance audit program and investigates complaints from patients and employees as well as the breach reports covered entities are required to file. Internally, the access audit logs your EHR already keeps are the main source: review them for staff opening records of patients they aren't treating, for roles reading more than their job requires, and for unusual volumes or hours of access, and have a process to report and investigate what those reviews turn up.
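To make that kind of internal review concrete, here is an added example of a need-to-know check run over EHR access audit logs. It is not code from this page or from Alleva EMR; the JSON-lines log format, the staff and patient rosters, and the per-role field allowlists are all constructed assumptions, since every EMR logs access differently. It flags the patterns from examples 9, 17, 18 and 19 above: a clinician opening a chart for a patient outside their unit and care team, and a role reading fields beyond what its job requires. A documented "break-glass" access is allowed but still surfaced for review.

```python
"""Need-to-know review of EHR access audit logs (constructed example).

The log format, rosters, and role allowlists below are assumptions for
illustration, not a real EMR's audit schema.
"""
import json

# Minimum necessary by role: which record fields each role ever needs.
# Security staff only need name and room; billing needs visit and billing
# data; clinicians on the care team may read the chart.
ROLE_FIELDS = {
    "security": {"name", "room"},
    "billing": {"name", "visit_count", "billing_codes"},
    "nurse": {"name", "room", "diagnosis", "medications", "notes"},
    "physician": {"name", "room", "diagnosis", "medications", "notes", "labs"},
}
CLINICAL_ROLES = {"nurse", "physician"}

# Constructed patient roster: unit and assigned care team per patient.
PATIENTS = {
    "P-1001": {"unit": "3-East", "care_team": {"nurse.ada", "dr.lovelace"}},
    "P-1002": {"unit": "3-West", "care_team": {"nurse.bob", "dr.turing"}},
}

# Constructed staff roster.
STAFF = {
    "nurse.ada": {"role": "nurse", "unit": "3-East"},
    "nurse.bob": {"role": "nurse", "unit": "3-West"},
    "dr.lovelace": {"role": "physician", "unit": "3-East"},
    "guard.carl": {"role": "security", "unit": "lobby"},
    "clerk.dee": {"role": "billing", "unit": "billing"},
}

# Constructed audit log: one JSON object per line, as an EHR might export it.
AUDIT_LOG = """
{"ts": "2024-05-01T08:02:11Z", "user": "nurse.ada", "patient": "P-1001", "fields": ["diagnosis", "medications"]}
{"ts": "2024-05-01T08:05:40Z", "user": "nurse.bob", "patient": "P-1001", "fields": ["diagnosis"]}
{"ts": "2024-05-01T09:15:02Z", "user": "guard.carl", "patient": "P-1002", "fields": ["name", "room"]}
{"ts": "2024-05-01T09:16:30Z", "user": "guard.carl", "patient": "P-1002", "fields": ["name", "room", "diagnosis"]}
{"ts": "2024-05-01T10:00:00Z", "user": "clerk.dee", "patient": "P-1002", "fields": ["visit_count"]}
{"ts": "2024-05-01T11:42:19Z", "user": "intern.eve", "patient": "P-1001", "fields": ["notes"]}
{"ts": "2024-05-01T12:00:00Z", "user": "dr.lovelace", "patient": "P-1002", "fields": ["labs"], "break_glass": "ED consult"}
"""


def check_access(event, staff=STAFF, patients=PATIENTS):
    """Return a list of finding strings for one audit event; [] means clean."""
    findings = []
    user = staff.get(event["user"])
    patient = patients.get(event["patient"])
    if user is None:
        return [f"unknown user {event['user']} accessed {event['patient']}"]
    if patient is None:
        return [f"{event['user']} accessed unknown patient {event['patient']}"]
    role = user["role"]

    # Rule 1 (minimum necessary): fields outside what this role ever needs.
    extra = set(event["fields"]) - ROLE_FIELDS[role]
    if extra:
        findings.append(
            f"{event['user']} ({role}) read fields outside role allowlist: {sorted(extra)}"
        )

    # Rule 2 (need to know): clinicians must be on the care team or in the
    # patient's unit. A documented break-glass reason is permitted but is
    # still reported so a privacy officer reviews it.
    if role in CLINICAL_ROLES:
        on_team = event["user"] in patient["care_team"]
        same_unit = user["unit"] == patient["unit"]
        if not (on_team or same_unit):
            if event.get("break_glass"):
                findings.append(
                    f"{event['user']} break-glass access to {event['patient']}: "
                    f"{event['break_glass']!r} (review)"
                )
            else:
                findings.append(
                    f"{event['user']} ({role}, {user['unit']}) accessed {event['patient']} "
                    f"in {patient['unit']} with no care relationship"
                )
    return findings


def audit(log_text, staff=STAFF, patients=PATIENTS):
    """Parse a JSON-lines log and return (event, findings) for events needing review."""
    flagged = []
    for line in log_text.strip().splitlines():
        event = json.loads(line)
        findings = check_access(event, staff, patients)
        if findings:
            flagged.append((event, findings))
    return flagged


if __name__ == "__main__":
    for event, findings in audit(AUDIT_LOG):
        for finding in findings:
            print(f"{event['ts']}  {finding}")
```

Run against the constructed log, the script flags four of the seven events: the nurse reading a chart from another unit, the guard reading a diagnosis, an unknown account, and the physician's break-glass consult. The clean events (care-team nurse, guard reading only name and room, billing clerk reading a visit count) are exactly the disclosures examples 17, 18 and 19 describe as compliant. In a real deployment the rosters would come from the scheduling and HR systems rather than constants, and the review cadence would match your policy.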

How to Avoid HIPAA Violations?

To conclude, HIPAA violations carry hefty fines and consequences. To avoid them, hold regular training on your policies and procedures, double check who you divulge information to and what they are entitled to receive, and encrypt and lock every device that touches PHI. As you can see, there are many ways to violate HIPAA. Make sure you and your coworkers don't discuss patient information in a way that others could hear or obtain it.

Lastly, and maybe most importantly, get EMR software that makes secure communication easier. If your current EMR does that, make sure your staff is trained to use it in accordance with HIPAA. If it doesn't, we strongly recommend switching to one that does.

How Can Alleva EMR Help

At Alleva EMR, we empower your clients to take charge of their medical records with our advanced EMR and CRM software. Our software gives behavioral health specialists a secure platform where they can organize all their medical documentation and optimize task management. It is designed for the needs of providers who treat substance abuse and includes an addiction treatment planner that your clients can access after they leave your care. This allows you to share a client's substance abuse treatment plan securely without worrying about HIPAA violations.

What's The Difference Between EMR and EHR

Electronic medical records (EMR) are digital medical charts from a single provider. In contrast, an electronic health record (EHR) contains a client's entire medical history from multiple providers. Both are valuable tools. However, while digital medical records can provide easier access to essential information, they may expose you to more risk regarding HIPAA violations. When you choose Alleva EMR, we will make it easier to secure these records. 

Protect Your Practice From HIPAA Violation Fines Today

Don't let a HIPAA violation damage your reputation or your practice. Contact us today to learn how our record management solutions can help protect your business.