What Are The Most Common HIPAA Violations?


HIPAA (the Health Insurance Portability and Accountability Act of 1996) is a statute designed to protect the privacy of patient medical records. It is federal law, meaning that it applies in Colorado the same way that it does everywhere else in the country. HIPAA is complex, which makes it easy to violate. Following is a description of some common HIPAA violations.

What Is a HIPAA Violation?

A concise HIPAA violation definition is nearly impossible to formulate. One of the reasons for this is that HIPAA became effective back in 1996, during the first few years of the so-called “information age”. Information is collected and stored very differently now than it was in 1996. This results in inevitable changes in the ways that enforcement authorities interpret HIPAA rules.

Organizations that HIPAA designates as “covered entities” must comply with HIPAA. These organizations include: 

  • Health plans,
  • Doctors,
  • Clinics,
  • Hospitals,
  • Nursing homes,
  • Pharmacies, and
  • Healthcare clearinghouses.

HIPAA compliance is not limited to covered entities. Vendors that handle protected health information are responsible as well. Even more problematic is the fact that covered entities are to some degree responsible for vendor compliance with HIPAA regulations. 

Vendors must also comply with the HIPAA security rule, which requires them to assess their information security systems and fix any shortcomings. Nevertheless, almost half of all covered entities have suffered a HIPAA violation due to a breach by a third-party vendor. The Denver HIPAA compliance lawyers at Sequoia Legal can help you minimize your legal risks in this regard. 


How Are HIPAA Violations Discovered?

HIPAA security violations threaten the integrity of the entire HIPAA regulatory system. There are four principal ways that enforcement authorities discover a breach of HIPAA regulations:

  • The Colorado Attorney General starts an investigation;
  • The Office for Civil Rights of the federal Department of Health and Human Services starts an investigation;
  • Either of the foregoing parties starts an investigation in response to a tip from a third party; or
  • The violator self-reports their own violation in compliance with HIPAA violation reporting requirements.

It is important to conduct regular audits and risk assessments. HIPAA violations are typically ongoing, and the longer your organization remains in violation, the more serious the penalties the enforcement authorities will impose.

HIPAA Violation Examples

Because of the complexity of HIPAA regulations, HIPAA violation cases are far too common. Following are five of the most common HIPAA violation scenarios. 

Unsecured/Unencrypted Patient Records 

There are three legal reasons to access patient HIPAA records:

  • Medical treatment, 
  • Billing, and
  • Healthcare operations.

In past decades, the primary way of keeping patient records secure was simply to place them under physical lock and key. Now, however, almost all patient records exist in digital form, protected by a password. Password protection alone isn't enough, however. You must also encrypt patient records. You could face HIPAA penalties if a hacker illegally accesses patient information because you neglected to implement proper security.

Lack of Employee Training 

HIPAA requires a covered entity to train its employees on how to handle HIPAA records. Even third-party vendors must instruct their employees on such issues. The HIPAA training requirement applies to anyone who handles confidential HIPAA records, including interns and volunteers.

To keep security breaches from occurring, you need to update your training every few months at the latest. Common HIPAA security rule violations include:

  • Improper handling of “phishing” emails;
  • Gossiping about confidential patient information; and
  • Leaving confidential records unsecured or inadequately secured.

These are only a few of many violations that inadequate training can cause.

Improper Disposal of PHI 

Shredding and burning paper records might be an effective way of disposing of PHI (Protected Health Information). Digital records are a different story, however. Simply hitting “delete” might not be enough to dispose of these records. You might even need to destroy the electronic devices that store confidential patient records.

Establish clear organizational standards for disposing of patient records. If these records fall into the wrong hands because you improperly disposed of them, your organization could face heavy fines and even court action.


Lack of Organizational Risk Assessments

An organization subject to HIPAA regulations must perform periodic risk assessments to identify any vulnerabilities affecting the confidentiality of patient records and to remediate those vulnerabilities as soon as possible.

The longer you go without performing a proper risk analysis, the greater your risk becomes, not only of a major security breach but also of burdensome or even catastrophic HIPAA penalties. Performing a risk assessment can be just as important to your organization’s future as performing tax and accounting audits of your organization's finances.

Loss of Devices 

Something as simple as losing a mobile phone (or someone stealing it) can cause a serious security breach. Consider how Edward Snowden's possession of a few small laptops led to catastrophic consequences for US national security. Your organization needs to create and enforce effective regulations concerning:

  • Where you may take a device;
  • How you must store a device; and
  • How you may use a device.

These regulations must be clear, and you must enforce them strictly.

HIPAA Violation Penalties

What are the penalties for HIPAA violations? That depends on what type of penalty is being assessed. There are two types of HIPAA violation penalties—civil and criminal. Enforcement authorities can impose civil HIPAA violation fines of as much as $50,000 per violation. When the number of violations is high, the aggregate fine can total much more than $50,000.

When the HIPAA violation is criminal, enforcement authorities classify it into one of three levels of severity:

  • Knowingly disclosing health information: A fine of up to $50,000 and jail time of up to one year.
  • Obtaining or disclosing information under false pretenses: A fine of up to $100,000 and imprisonment of one to five years.
  • Possession of confidential health care information with the intent to sell, transfer, or use the information for personal gain or to cause harm to another: A fine of up to $250,000 and imprisonment for up to 10 years.

Enforcement authorities can impose both civil and criminal penalties at the same time.


Why You May Need an Attorney

HIPAA violation consequences can be devastating. If you find yourself the victim of a HIPAA violation, you should know that you cannot sue the violating entity on your own. HIPAA law does not permit a private individual to file a HIPAA lawsuit. With the help of a HIPAA attorney, however, you can achieve justice.

To report a violation, you must file a claim against a covered entity within 180 days of the violation. The contents of your report must include certain information, and you need to organize your report in a certain way to maximize its effectiveness. Your attorney can help you with this.

  • As a patient, it is possible that you might have a right to sue under Colorado state law for healthcare privacy breaches that affect you. This is a legal gray area at present.
  • If you are a doctor charged with a HIPAA violation, you definitely need an attorney to defend you, to preserve your career and possibly even your freedom. The ultimate cost of a HIPAA violation, even one based on a false accusation, can far exceed the cost of an attorney.
  • No matter who you are, you are likely to need an attorney to understand what HIPAA regulations require and whether a violation actually occurred.

A HIPAA attorney can also help your company implement a comprehensive HIPAA compliance program.
Unintentionally violating a HIPAA regulation might be easier than you imagine. The consequences of doing so can be serious, especially in the case of multiple violations. At Sequoia Legal, we can help you avoid HIPAA violations before they happen, and we can help you deal with them if they happen. Call us at (303) 476-2851 or contact us online to schedule a free consultation.

Hunter Boone

Hunter has been a part of the Sequoia Legal team since 2017. Hunter specializes in general corporate matters, healthcare compliance, international trade laws, and anti-kickback regulations.
