Kyle Morris

Senior Compliance Success Manager


What is a HIPAA Violation? Everything You Need to Know

Summary: Here’s everything you need to know about HIPAA violations: what counts as one, how to avoid them, and what to do when you suspect one has occurred. 

Right, so you’re all clued-up about what HIPAA compliance means and who needs to be HIPAA compliant, and it looks as if your organization is subject to the Privacy Rule. What does that mean? You’re one of the many organizations obligated by law to be HIPAA compliant. Sure, HIPAA stipulates its purpose (to protect PHI) and what it expects from organizations – but when does a gray area become a full-on violation? And more importantly, what happens if an organization violates a regulation or falls prey to a data breach? 


HIPAA compliance catch-up

Before getting into the different types of violations, let’s take a minute for a quick compliance catch-up, so you’re back in the know with HIPAA compliance lingo. 

Let’s be real; when there’s mention of fines and criminal charges, you don’t want anything to be lost in translation. Here are the three key things you need to know about HIPAA when it comes to violations:

HIPAA is a federal law

HIPAA is a federal law administered by the Department of Health and Human Services (HHS). Its goal is not only to protect protected health information (PHI) but also to give patients rights over their own health information. Four rules make up HIPAA compliance: the Privacy Rule, the Security Rule, the Breach Notification Rule and the Enforcement Rule. The Privacy Rule is the core; the other three spell out how its requirements are safeguarded, reported on and enforced. 

The Privacy Rule

The Privacy Rule sets the national standard for protecting PHI in any form, and the Security Rule adds the administrative, physical and technical safeguards required for electronic PHI (e-PHI). Any use, disclosure or handling of PHI that contradicts the requirements of these rules is a HIPAA violation, and if unsecured PHI is compromised as a result, it is also a breach. The Privacy Rule also defines who is required by law to be HIPAA compliant: Covered Entities (CEs) and their Business Associates (BAs).

The HIPAA police

The Office for Civil Rights (OCR) is the HHS office that enforces the HIPAA rules. OCR investigates complaints and breach reports, conducts compliance reviews, negotiates settlements or imposes civil money penalties, and publishes guidance on new issues affecting healthcare.

Types of HIPAA violations

We hate to be the bearer of bad news, but when it comes to HIPAA violations, it’s almost always better to assume the worst at first than to keep it too casual. Each HIPAA violation or data breach is taken extremely seriously. Even though there’s a classification system for HIPAA violations – it’s best to take action as soon as possible. 

Still, HIPAA violations (or the possibility of them) cause countless sleepless nights. Let’s clear up the facts, so there’s no need to chase hypotheticals. 

Firstly, the Breach Notification Rule divides breaches into two overarching categories by the number of individuals affected, with the line drawn at 500. A breach affecting fewer than 500 individuals must be logged and reported to HHS within 60 days of the end of the calendar year in which it was discovered. A breach affecting 500 or more individuals must be reported to HHS without unreasonable delay and no later than 60 days after discovery, and if more than 500 residents of a single state or jurisdiction are affected, prominent media outlets in that area must be notified as well.

Separately, civil penalties for violations are structured into four tiers (sometimes called levels) based on the organization’s culpability. These tiers apply to any violation, not only to breaches. 

Tier one: The CE did not know about the violation and, exercising reasonable diligence, could not have known about it. 
Tier two: The violation was due to reasonable cause and not to willful neglect, even though the CE could in principle have prevented it. 
Tier three: The violation was due to willful neglect of HIPAA standards, but the organization corrected it within 30 days of discovery. 
Tier four: The violation was due to willful neglect of HIPAA standards, and the organization did not correct it within 30 days of discovery. 

OCR assigns the tier after its investigation, weighing what the organization knew, when it knew it, and how quickly it acted. You cannot wait for that determination: if your organization suspects a potential violation or breach, it must begin its own investigation immediately. Here’s how to spot the most common HIPAA violations. 

Most common HIPAA violations

For something with such severe consequences, HIPAA violations are uncomfortably common. There is a widespread misconception that they are reserved for large organizations that fall prey to cyber-attacks. In practice, violations are rarely isolated incidents and usually point to a deeper underlying problem in an organization’s security culture. To better prepare for HIPAA compliance, here’s a look at a few violations that turn up again and again. 

Unauthorized devices

In a modern work environment, employees juggle multiple devices, but does the IT department keep track of every device that connects to the network or touches patient data? One common HIPAA violation is the use of unauthorized devices to store or access e-PHI. The Security Rule requires every device that creates, receives, stores or transmits e-PHI to be covered by the safeguards it specifies, such as access controls, encryption where appropriate, and audit logging. An unmanaged personal laptop or phone has none of these controls, so copying e-PHI onto it is a violation in itself, and because such devices are easily lost or stolen, it also multiplies the risk of an impermissible disclosure under the Privacy Rule. 

Incorrect record disposal

HIPAA regulations stipulate how PHI records must be disposed of once they are no longer needed. Organizations need a documented, repeatable disposal process that leaves no room for error, because a records bin or a decommissioned server that still holds readable PHI is an accidental violation waiting to happen. As this can be quite a task for larger organizations, covered entities frequently engage third parties (business associates) to dispose of the PHI and certify that it was done. 

Correct record disposal to ensure compliance means: 

  • Any physical or paper records must be rendered completely unreadable and impossible to reconstruct. Methods include burning, shredding, pulping or pulverizing the paper. 
  • Prescription bottles and other labels that carry PHI must be destroyed or the labels rendered unreadable. This is usually handled by a third party (BA) under a business associate agreement. 
  • Any electronic PHI must be removed from the system so that it cannot be recovered. This goes beyond pressing ‘delete,’ which only unlinks the file. Media must be cleared or purged with sanitization software (overwriting) or degaussing, following HHS’s reference to NIST SP 800-88 guidelines, or physically destroyed by shredding or pulverizing the device.

Sharing sensitive information

In this case, it’s easier said than done. If PHI is disclosed for any reason outside those permitted by the Privacy Rule, it’s a direct HIPAA violation. This isn’t limited to external parties; it includes sharing PHI with colleagues who have no treatment, payment or healthcare-operations need for it, since the Privacy Rule’s minimum-necessary standard applies inside the organization too. Although this offense seems like an obvious one to steer clear of, it’s still one of the most common violations. Employees who do it face termination of employment and possible criminal charges. 

Failure to perform frequent risk assessments

It’s a common misconception that violations only occur when PHI has actually been breached. Several violations fall under ‘willful neglect’ without any data ever leaving the organization. One of them is failing to perform, and to document, a security risk analysis. The Security Rule requires an accurate and thorough assessment of the risks to e-PHI across the organization; it does not fix a calendar interval, but OCR expects the analysis to be repeated regularly and whenever the environment changes significantly, and an organization that cannot produce one is treated as having neglected the rule. A current, documented risk analysis is the evidence of due diligence that OCR looks for first after a breach. 

PHI disclosures to third parties after the expiration of authorization

Even when a patient has signed an authorization, organizations must track and manage those authorizations meticulously so that no PHI is shared after the authorization has expired or been revoked. To be valid, an authorization form must identify the persons or organizations authorized to receive the PHI, describe the specific PHI to be disclosed, state the purpose of the disclosure, and name the person or entity authorized to make it. It must also carry an expiration date or an expiration event (for example, the end of a research study) and the patient’s signature and date. An authorization with no expiration date or event is not HIPAA compliant, and any disclosure made under a defective or expired authorization is an impermissible disclosure. 
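The check described above, as an added example that is not part of the original article: every release of PHI under a signed authorization is gated by a function that first confirms the authorization has the required elements and then confirms the specific request (recipient, PHI category, date) falls inside its scope. The required elements follow the authorization content requirements referenced above; the data model, field names and the sample authorization record are assumptions made for this illustration and are not real patient data.

```python
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, Optional, Tuple, List, Union


@dataclass(frozen=True)
class Authorization:
    """A patient's written authorization to disclose PHI (hypothetical model)."""
    patient_id: str
    disclosing_party: str                 # who is authorized to make the disclosure
    recipients: FrozenSet[str]            # persons/organizations allowed to receive the PHI
    phi_categories: FrozenSet[str]        # description of the PHI, e.g. {"lab_results"}
    purpose: str                          # purpose of the disclosure
    signed_on: Optional[date] = None      # patient's signature date
    expires_on: Optional[date] = None     # expiration date, or ...
    expiration_event: Optional[str] = None  # ... an expiration event, e.g. "end of study"
    event_occurred: bool = False          # whether that event has already happened
    revoked: bool = False                 # patient may revoke in writing at any time


def validate_authorization(auth: Authorization) -> List[str]:
    """Return the list of missing required elements; an empty list means the form is complete."""
    problems = []
    if not auth.disclosing_party.strip():
        problems.append("no disclosing party named")
    if not auth.recipients:
        problems.append("no recipient named")
    if not auth.phi_categories:
        problems.append("no description of the PHI to be disclosed")
    if not auth.purpose.strip():
        problems.append("no purpose stated")
    if auth.signed_on is None:
        problems.append("not signed and dated")
    if auth.expires_on is None and auth.expiration_event is None:
        problems.append("no expiration date or event")
    return problems


def disclosure_allowed(auth: Authorization, recipient: str, category: str,
                       on: Union[date, str, None] = None) -> Tuple[bool, str]:
    """Decide whether `category` of PHI may be released to `recipient` under `auth` on date `on`.

    Returns (allowed, reason) so the reason can be written to the disclosure log either way.
    """
    if on is None:
        on = date.today()
    elif isinstance(on, str):
        on = date.fromisoformat(on)
    defects = validate_authorization(auth)
    if defects:                      # a defective form authorizes nothing
        return False, "invalid authorization: " + "; ".join(defects)
    if auth.revoked:
        return False, "authorization revoked by patient"
    if auth.expires_on is not None and on > auth.expires_on:
        return False, "authorization expired on " + auth.expires_on.isoformat()
    if auth.expiration_event is not None and auth.event_occurred:
        return False, "expiration event occurred: " + auth.expiration_event
    if recipient not in auth.recipients:
        return False, recipient + " is not an authorized recipient"
    if category not in auth.phi_categories:
        return False, category + " is not covered by the authorization"
    return True, "disclosure within scope of authorization"


# Constructed sample record for the demonstration (assumed values, not real data).
SAMPLE_AUTH = Authorization(
    patient_id="P-0001",
    disclosing_party="Example Clinic",
    recipients=frozenset({"Acme Research Institute"}),
    phi_categories=frozenset({"lab_results"}),
    purpose="participation in a diabetes study",
    signed_on=date(2023, 6, 30),
    expires_on=date(2024, 6, 30),
)

# Same form with the expiration date left blank: not a valid authorization.
NO_EXPIRY_AUTH = Authorization(
    patient_id="P-0002",
    disclosing_party="Example Clinic",
    recipients=frozenset({"Acme Research Institute"}),
    phi_categories=frozenset({"lab_results"}),
    purpose="participation in a diabetes study",
    signed_on=date(2023, 6, 30),
)

if __name__ == "__main__":
    for label, req in [
        ("in scope", (SAMPLE_AUTH, "Acme Research Institute", "lab_results", "2024-01-15")),
        ("expired", (SAMPLE_AUTH, "Acme Research Institute", "lab_results", "2024-07-01")),
        ("wrong recipient", (SAMPLE_AUTH, "Unlisted Billing LLC", "lab_results", "2024-01-15")),
        ("wrong category", (SAMPLE_AUTH, "Acme Research Institute", "imaging", "2024-01-15")),
        ("no expiry", (NO_EXPIRY_AUTH, "Acme Research Institute", "lab_results", "2024-01-15")),
    ]:
        print(label, disclosure_allowed(*req))
```

The function returns the reason alongside the decision so that denied requests are logged as well as approved ones; a disclosure log that only records what was released cannot show an investigator that expired or out-of-scope requests were actually refused.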

Lost or stolen records

HIPAA’s Security Rule dictates the safeguards that must be in place to minimize the risk of unauthorized individuals accessing PHI through lost or stolen records or devices. If records go missing or devices are stolen and those safeguards were not implemented, the loss constitutes a breach as well as a violation. One caveat matters in practice: if the data on a lost device was encrypted in line with HHS guidance (so that the PHI is ‘secured’ rather than ‘unsecured’), the loss is not a reportable breach, which is why full-disk encryption on every laptop and phone that touches e-PHI is the single most valuable control here. 

The Breach Notification Rule

So, there’s been a HIPAA violation or a data breach – now what? HIPAA’s Breach Notification Rule (BNR) lays down a mandatory process for any breach of unsecured PHI. The BNR applies to both covered entities and business associates. A covered entity must notify each affected individual without unreasonable delay and no later than 60 days after discovering the breach, must notify HHS (immediately for 500 or more individuals, otherwise annually), and, where more than 500 residents of a state or jurisdiction are affected, must notify prominent media outlets in that area. A business associate that discovers a breach must notify the covered entity, also within 60 days, so that the covered entity can meet its own deadlines. 

Staff members must notify their supervisor or the HIPAA privacy officer (HPO) as soon as they suspect a HIPAA violation. The HPO then investigates whether PHI was compromised and whether the incident is a reportable breach, documenting the risk assessment either way. Keep in mind that an OCR investigation does not necessarily mean there is a confirmed breach: in 2022, there were 13,820 cases where OCR investigations found no violation had occurred. However, if a breach is confirmed and the organization fails to notify the affected individuals and OCR within the required time, that failure is itself a violation carrying significant financial penalties. 

Speaking of penalties, what are the legal and financial consequences of a HIPAA violation? 


HIPAA violation financial and criminal penalties

It may seem unfair to fine an accidental violation as heavily as purposeful neglect or malicious intent. Fortunately, OCR agrees: penalties are case-specific and take into account the nature of the violation, the harm caused, the organization’s compliance history and the intent behind it. Fines are still hefty and ever-present, though. As of April 2022, OCR had settled or imposed a civil money penalty in 110 cases, totaling $131,563,132.00.

Accidental violations by otherwise compliant organizations are penalized far less severely than proven intentional ones. At the extreme, a violation committed with intent to sell or use PHI or e-PHI for personal gain can result in a fine of up to $250,000, up to 10 years’ imprisonment, or both. 

Under normal circumstances, however, civil penalties are determined by the four tiers described earlier. 

Financial penalties 

Tier | Violation | Minimum penalty (per violation)
Tier one | Could not have known about the violation, or prevented it even with due diligence. | $127
Tier two | Not due to ‘willful neglect’, although the organization could have prevented it. | $1,280
Tier three | Willful neglect, but the organization corrected the violation within 30 days. | $12,794
Tier four | Willful neglect, and the organization did not correct the violation within 30 days. | $63,973

Criminal charges

Criminal penalties are reserved for the most serious conduct and are prosecuted by the Department of Justice rather than OCR. They combine hefty fines with the possibility of imprisonment. Individuals at CEs or BAs who knowingly obtain or disclose PHI in violation of HIPAA are held criminally liable. Criminal penalties fall into three tiers: 

Incorrect disclosure of PHI

HIPAA does not accept ignorance as an excuse for violating its standards; the responsibility for educating an organization and its employees falls on the organization. The lowest criminal tier covers knowingly obtaining or disclosing PHI in violation of the rules, even where there was no further intent to profit from or misuse it, and the penalties are still grueling. 

Maximum penalty: Up to $50,000, up to one year in prison, or both.

Disclosing PHI under false pretenses

This covers obtaining or disclosing PHI under false pretenses, for example by posing as an authorized individual or misrepresenting the purpose of a request. 

Maximum penalty: Up to $100,000, up to five years of prison time, or both.

Malicious intent

This is the most severe tier and applies when PHI is obtained or disclosed with intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm. 

Maximum penalty: Up to $250,000, ten years of prison time, or both. 

The HIPAA “Wall of Shame”

Unfortunately, organizations can’t stay under the radar after a large breach. On top of the notification process required by the Breach Notification Rule, OCR runs a public breach portal listing every reported breach of unsecured PHI that affected 500 or more individuals, including those still under investigation. Section 13402(e)(4) of the HITECH Act requires that the Secretary “must post a list of breaches of unsecured protected health information affecting 500 or more individuals.” Hence the existence of the “wall of shame,” which shows each major breach along with the entity’s name, the number of individuals affected, the type of breach and the location of the breached information. 

Don’t sweat the small (or the very big) stuff

When it comes to compliance, people make mistakes – it happens. The difference with HIPAA is that mistakes can be critical. Stop sweating the small (and the really big) stuff with easy, accurate and automated HIPAA compliance that reduces the risk of human error and ensures you protect PHI and your organization.
