What Constitutes a HIPAA Violation? 5 Mistakes To Prevent In Your Physician Practice

Does your physician practice have privacy and security policies and procedures in place? Do you review them periodically? Is HIPAA training scheduled so that existing staff stay current and new employees are trained as needed? Does your practice foster a culture of privacy? Can you identify the gaps in your data security, and can you close them? You need to know the answers to these questions in order to protect your practice from serious problems.

HIPAA compliance is a continuous process, and it is a top priority for physicians and healthcare organizations. Protecting patient privacy is a central obligation of the healthcare sector. Even the most experienced physicians, however, can make HIPAA mistakes. According to a study covering the past 17 years, over a quarter of a million HIPAA complaints have been received in that time. It is therefore crucial to stay current on all HIPAA rules and regulations as the healthcare industry and its technology evolve.


Today, entities that provide essential care services to patients are frequently targeted by cybercriminals, hackers, and other malicious actors seeking access to private medical data. The Health Insurance Portability and Accountability Act of 1996 was enacted to help individuals maintain their healthcare coverage and to cut down on healthcare fraud. HIPAA has been updated many times since its original enactment to improve privacy protection for health plan members and patients. At present, the most common issue in the industry is the HIPAA violation.

What Constitutes a HIPAA Violation?

A failure to comply with any aspect of the HIPAA provisions and standards is a HIPAA violation. Violations happen when PHI is accessed, used, or disclosed in a manner that creates a personal risk to the individuals concerned. This can occur in many distinct ways; some of them are given below:

  • Unauthorized access to highly confidential patient information.
  • Failure to properly dispose of patients’ sensitive data.
  • Exchanging PHI via text message.
  • Failing to provide patients with requested copies of their PHI.
  • Missing or lost patient records.
  • Mismailing PHI.
  • Sharing PHI through social media.

What Happens If You’re Caught In Any Violations Of HIPAA?

What will the response be following a HIPAA violation? Your HIPAA business associate compliance checklist should lay out a definite plan. What happens after a violation depends largely on the type of violation that has taken place. The types are as follows:

Criminal HIPAA Violations

A criminal violation occurs when a person knowingly and with malicious intent commits a violation, such as disclosing PHI on social media. For obvious reasons, this type of violation carries harsh penalties.

  • If a person commits the violation under false pretenses, the penalty is up to 5 years in jail and a $100,000 fine.
  • If a person knowingly obtains or discloses PHI, the penalty is up to 1 year in jail and a $50,000 fine.
  • If a person commits the violation for personal profit or gain (for example, selling PHI), the penalty is up to 10 years in jail and a $250,000 fine.

Civil HIPAA Violations

A civil violation occurs when a person commits a violation accidentally or without malicious intent. This type of violation typically results from ignorance of the law or carelessness, and it usually leads to a fine. The size of the penalty depends on the severity of the particular act.

  • If a person did not act with willful neglect and had reasonable cause for the violation, the fine is a minimum of $1,000.
  • If individuals were not aware they were committing a violation, the fine is a minimum of $100 per violation.
  • If a person acted with willful neglect and did not fix the issue, the fine is a minimum of $50,000 per violation.
  • If a person acted with willful neglect but fixed the issue, the fine is a minimum of $10,000 per violation.

Under the HIPAA rules, all accidental violations must be made known to the covered entity within 60 days of discovery. One way to cope with this situation is to recognize the common mistakes, pitfalls, and missteps that are most often associated with HIPAA violations. From documented privacy practices to data storage, here are the six most common HIPAA mistakes that physician practices make, along with some of the best ways to avoid them.

Unauthorized Disclosure Of Information

The most common mistake a physician makes is to disclose PHI without authorization. You could be at risk of a breach when discussing a patient with your staff at the front desk, talking with a friend about a mutual acquaintance, or filing patient information in another patient’s chart. Sending PHI to the wrong recipient is a violation even when it is accidental.

PHI must be discussed only with authorized people and only in private settings. Never discuss such data in an open setting, and instruct your staff accordingly. Make sure you are delivering data to an authorized recipient: verify first, then transmit the information.

Random Human Error

Physician practices have a lot on their plates. In many cases, the clearest HIPAA violation is the mishandling of records, which is the most common human error. To comply with HIPAA, you must ensure that all patient data is secured. Leaving a file in clear view of other people in a waiting area, for example, will result in a fine if it is caught or reported. Nowadays, these violations may also occur through other communication channels such as social media and text messages.

While physicians may see these channels as the best way to communicate with patients, exposing patient information in this way is a common HIPAA mistake. Texting can be HIPAA compliant between authorized individuals, but only if both parties have encryption on their devices that meets HIPAA requirements. You must have clear procedures, and you should conduct thorough training on what kinds of data may be sent via social media so that such communication does not lead to a violation.

Sharing Passwords & Usernames

Under the HIPAA Security Rule standards, a required technical safeguard is to assign every staff member a unique user identifier for accessing PHI. Unique logins to your EMR provide an audit trail and the ability to identify and track each user’s activity.

Your employees must not share these credentials with anyone. If they do, they are directly violating HIPAA. Moreover, your physician practice is exposed to further violations (such as a lack of access controls and unauthorized access to information), and your efforts to maintain HIPAA compliance are undermined.
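The audit trail that unique logins provide is only useful if someone actually reviews it. The following is an added example, not code from the original article or from any EMR vendor: a small Python check that reads a constructed audit log (one line per PHI access, with the field order timestamp, user id, workstation, patient record id assumed for illustration) and flags any user id that was active on two different workstations within a few minutes of each other, which is a common sign that a login is being shared.

```python
"""Flag possible credential sharing in an EMR audit trail.

Added example; not the article's or any EMR product's code. The log
format below is constructed for illustration: one access per line,
fields are timestamp, user id, workstation, patient record id.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (not real data). jsmith's login is used
# at the front desk and in an exam room 25 seconds apart.
SAMPLE_AUDIT_LOG = """\
2024-03-04T09:00:12,jsmith,FRONTDESK-01,PT-1001
2024-03-04T09:01:40,jsmith,FRONTDESK-01,PT-1002
2024-03-04T09:02:05,jsmith,EXAM-ROOM-3,PT-1003
2024-03-04T09:30:00,alee,EXAM-ROOM-1,PT-1004
2024-03-04T10:15:00,alee,EXAM-ROOM-2,PT-1005
2024-03-04T10:16:30,mkhan,BILLING-02,PT-1006
"""


def parse_audit_log(text):
    """Parse log text into sorted (timestamp, user, workstation, record) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        ts, user, workstation, record = line.split(",")
        events.append((datetime.fromisoformat(ts), user, workstation, record))
    return sorted(events)


def find_shared_logins(events, window_minutes=5):
    """Return {user: [(workstation_a, workstation_b, time_a, time_b), ...]}
    for every user id seen on two different workstations within
    window_minutes of each other. Consecutive accesses are compared,
    so a legitimate move between rooms hours apart is not flagged."""
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for ts, user, workstation, _record in events:
        by_user[user].append((ts, workstation))

    findings = defaultdict(list)
    for user, accesses in by_user.items():
        accesses.sort()
        for (prev_ts, prev_ws), (ts, ws) in zip(accesses, accesses[1:]):
            if ws != prev_ws and ts - prev_ts <= window:
                findings[user].append((prev_ws, ws, prev_ts, ts))
    return dict(findings)


def report(findings):
    """Render findings as lines for the privacy officer's review queue."""
    lines = []
    for user, hits in sorted(findings.items()):
        for ws_a, ws_b, t_a, t_b in hits:
            gap = int((t_b - t_a).total_seconds())
            lines.append(f"REVIEW {user}: {ws_a} at {t_a.time()} then "
                         f"{ws_b} at {t_b.time()} ({gap}s apart)")
    return lines


if __name__ == "__main__":
    for line in report(find_shared_logins(parse_audit_log(SAMPLE_AUDIT_LOG))):
        print(line)
```

With the sample data, only jsmith is flagged; alee's two exam-room logins are 45 minutes apart and are treated as a normal move between rooms. The window is a tunable assumption: a practice where clinicians roam between rooms may need a shorter one, and a finding is a prompt for review, not proof of wrongdoing.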

Inadequate Risk Analysis Procedures & Policies

The important step in protecting your business is to take the time to examine where a breach could happen and to document your policy for that event. For example, you should have a digital media policy that spells out which safeguards and access controls you will implement and how devices are to be encrypted.

The policy should detail what steps to take in the event of a breach, how PHI is to be used, and who has access to it. Do not simply write these policies; follow them and revisit them periodically. As your practice grows, encourage your staff to point out potential violations, and discuss with them the importance of established policies and the different ways PHI is handled.


Improper Disposal Or Storage Of Records

There is a right way and a wrong way to dispose of PHI documents, and the difference matters greatly to your patients. A few years ago, a practice faced a $125,000 fine after documents containing the PHI of about 1500 patients were discarded in an unlocked container in a publicly accessible dumpster. Whether your patients’ records are kept digitally or on paper, proper storage and disposal of PHI is essential.

Take special care to keep data out of the sight of unauthorized parties. Simply throwing a crumpled-up document in the trash, or deleting a file from your computer, is not sufficient. Administrative staff must be trained to store and dispose of patient records properly so that your records do not end up in the wrong hands.

Physicians can engage professional support to develop and implement a comprehensive HIPAA compliance plan. Neglecting training, or relying on prepackaged material, can lead to errors that result in liability for the practice. An outsourced HIPAA compliance management partner like PBC works to keep your penalties as close to zero as possible and guides you through the ever-increasing complexities of HIPAA.

Don’t risk making the expensive mistakes described above. Schedule your HIPAA risk assessment today and see the difference it makes.
