HIPAA Problems | May 13, 2026 | 9 min read

The Most Common HIPAA Violations and How They Happen

These aren't edge cases. These are the violations that HHS finds over and over again, at practices of every size.

HIPAA violations don't usually happen because someone decided to break the rules. They happen because nobody put the right safeguards in place, or the safeguards that exist aren't being followed.

The HHS Office for Civil Rights publishes enforcement actions publicly. If you look at the patterns, the same violations show up again and again. Here are the eight most common ones and how to make sure they don't happen at your practice.

1. No Security Risk Assessment

This is the number one HIPAA finding. It's not even close.

The HIPAA Security Rule requires covered entities to conduct a thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI. If you haven't done one, you're in violation right now.

Real example: In 2023, a small medical practice in the Midwest was fined $75,000 specifically because they could not produce a security risk assessment. They had antivirus, backups, and a firewall. None of that mattered without the SRA.

How to prevent it: Conduct an SRA annually. Use the HHS Security Risk Assessment Tool as a starting point, or hire a compliance-focused IT provider to run one for you. Document the results and your remediation plan.

2. Lack of Access Controls

Every employee at the practice can see every patient's records. The billing person can view clinical notes. The front desk can access the EHR admin panel. Former employees still have active logins.

HIPAA requires the "minimum necessary" standard: people should only access the PHI they need to do their job. If everyone has full access to everything, that's a violation.

How to prevent it: Implement role-based access controls in your EHR and file systems. Review access quarterly. Terminate access immediately when employees leave.
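One way to turn that quarterly review into a repeatable check, as an added example that is not Anexio's code or any EHR vendor's: compare the EHR user export against the HR roster and a minimum-necessary role matrix. The roles, permissions, usernames and roster below are constructed sample data.

```python
"""Quarterly EHR access review (added example, not Anexio's or any EHR vendor's code).
Flags the two findings the article describes: active logins for former employees
and permissions beyond the minimum a role needs. All data below is constructed."""
from dataclasses import dataclass

# Hypothetical minimum-necessary matrix: the EHR permissions each role needs.
ROLE_PERMISSIONS = {
    "front_desk": {"schedule", "demographics"},
    "billing": {"demographics", "claims"},
    "clinician": {"demographics", "clinical_notes", "orders"},
    "ehr_admin": {"schedule", "demographics", "claims", "clinical_notes", "orders", "admin_panel"},
}

@dataclass
class EhrUser:
    username: str
    role: str
    permissions: set
    active: bool

def review_access(ehr_users, hr_roster):
    """Return (username, finding) tuples; hr_roster maps username -> 'active'/'terminated'."""
    findings = []
    for u in ehr_users:
        if not u.active:
            continue  # disabled accounts are already deprovisioned
        if hr_roster.get(u.username) != "active":
            findings.append((u.username, "active login for terminated or unknown employee"))
            continue  # the account should not exist at all; the role check is moot
        excess = u.permissions - ROLE_PERMISSIONS.get(u.role, set())
        if excess:
            findings.append((u.username, f"permissions beyond role {u.role}: {sorted(excess)}"))
    return findings

# Constructed sample data mirroring the article's scenarios.
SAMPLE_USERS = [
    EhrUser("jdoe", "front_desk", {"schedule", "demographics", "admin_panel"}, True),
    EhrUser("bsmith", "billing", {"demographics", "claims", "clinical_notes"}, True),
    EhrUser("dr_lee", "clinician", {"demographics", "clinical_notes", "orders"}, True),
    EhrUser("former_rn", "clinician", {"demographics", "clinical_notes"}, True),
    EhrUser("old_temp", "front_desk", {"schedule"}, False),
]
SAMPLE_ROSTER = {"jdoe": "active", "bsmith": "active", "dr_lee": "active", "former_rn": "terminated"}

if __name__ == "__main__":
    for user, finding in review_access(SAMPLE_USERS, SAMPLE_ROSTER):
        print(f"{user}: {finding}")
```

Keep the returned findings with the review date and who remediated each one; that record is the documentation an auditor asks for.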

3. Unencrypted PHI

Patient records sent via regular email. Laptops with PHI that aren't encrypted. USB drives with patient data that walk out the door. Unencrypted data is the easiest vulnerability to exploit and the easiest to fix.

While HIPAA calls encryption "addressable" rather than "required," if you choose not to encrypt and you experience a breach, you need a documented reason why encryption wasn't appropriate. Good luck explaining that to HHS.

How to prevent it: Enable full-disk encryption on all devices. Use encrypted email for any communication containing PHI. Prohibit PHI on removable media unless encrypted.

4. No Business Associate Agreements

Your IT provider, your cloud storage vendor, your billing company, your shredding service - anyone who handles PHI on your behalf is a business associate. HIPAA requires a signed BAA with each one before they access any PHI.

Many practices don't even know who their business associates are, let alone have agreements with all of them.

How to prevent it: Create a list of every vendor that touches PHI. Verify BAAs are in place for each. Include BAA requirements in your vendor onboarding process.

5. Failure to Train Employees

HIPAA requires security awareness training for all workforce members. Not just clinicians - everyone. The receptionist, the billing staff, the office manager, the IT person.

Untrained staff make mistakes: they click phishing emails, they share passwords, they leave computers unlocked, they discuss patient information in public areas.

How to prevent it: Conduct HIPAA security training at hire and annually. Document who completed it and when. Keep it practical - real scenarios, not just reading slides.

6. No Incident Response Plan

When (not if) a security incident happens, what does your practice do? If the answer is "figure it out at the time," that's a problem. HIPAA requires policies and procedures for responding to security incidents, including a process for breach notification.

The breach notification rule gives you specific timelines: individuals must be notified within 60 days of discovery. If the breach affects 500 or more people, you must also notify HHS and the media.

How to prevent it: Write an incident response plan. Include detection, containment, assessment, notification, and documentation steps. Test it at least annually.

7. Improper Disposal of PHI

Old computers donated without wiping the drives. Paper records thrown in the regular trash. Decommissioned servers sitting in a closet with patient data still on them.

HIPAA requires proper disposal of PHI in all forms. Electronic media must be wiped or destroyed. Paper must be shredded or incinerated.

How to prevent it: Establish a media destruction policy. Use certified data destruction services for electronic devices. Shred all paper containing PHI. Document disposal.

8. Inadequate Audit Controls

HIPAA requires hardware, software, and procedural mechanisms to record and examine activity in information systems that contain PHI. In simple terms: you need audit logs, and you need to actually review them.

Most EHR systems have built-in audit logging. But if nobody reviews those logs, inappropriate access goes undetected. The log exists but it's useless.

How to prevent it: Enable audit logging on all systems that contain PHI. Review logs regularly (monthly at minimum). Flag and investigate anomalies.
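What "review logs and flag anomalies" can look like in practice, as an added example that is not Anexio's code or any EHR vendor's: parse an audit export and surface two patterns a reviewer should look at, after-hours chart access and one user opening an unusually large number of distinct charts in a day. The log format, usernames and thresholds below are constructed; real EHR exports differ.

```python
"""EHR audit log review (added example, not Anexio's code or any EHR vendor's).
Flags after-hours record access and high-volume chart opening for follow-up.
The log format is hypothetical: ISO timestamp followed by key=value pairs."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines.
SAMPLE_LOG = """\
2026-04-06T09:12:01 user=bsmith action=VIEW patient=P1001
2026-04-06T09:15:44 user=bsmith action=VIEW patient=P1002
2026-04-06T23:41:10 user=jdoe action=VIEW patient=P1042
2026-04-06T10:02:13 user=dr_lee action=VIEW patient=P1001
2026-04-06T10:05:00 user=dr_lee action=VIEW patient=P1003
2026-04-06T10:08:21 user=dr_lee action=VIEW patient=P1004
2026-04-06T10:11:02 user=dr_lee action=VIEW patient=P1005
2026-04-06T10:13:37 user=dr_lee action=VIEW patient=P1006
"""
BUSINESS_HOURS = range(7, 19)  # 07:00-18:59; a policy value, set per practice
DAILY_CHART_THRESHOLD = 4      # distinct charts/day before review; deliberately low for the sample

def parse_line(line):
    """Turn one audit line into a dict with a parsed 'time' field."""
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["time"] = datetime.fromisoformat(ts)
    return event

def review_audit_log(text, business_hours=BUSINESS_HOURS, threshold=DAILY_CHART_THRESHOLD):
    """Return (username, description) tuples for the reviewer to investigate."""
    findings = []
    charts_per_user_day = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["time"].hour not in business_hours:
            findings.append((ev["user"], f"after-hours access to {ev['patient']} at {ev['time'].isoformat()}"))
        charts_per_user_day[(ev["user"], ev["time"].date())].add(ev["patient"])
    for (user, day), charts in charts_per_user_day.items():
        if len(charts) >= threshold:
            findings.append((user, f"{len(charts)} distinct charts opened on {day}"))
    return findings

if __name__ == "__main__":
    for user, desc in review_audit_log(SAMPLE_LOG):
        print(f"{user}: {desc}")
```

A flagged line is a prompt to investigate, not proof of misuse; the monthly review record should note what was checked and how each flag was resolved.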

The Pattern

If you look at all eight violations, there's a clear pattern. None of them are exotic technical attacks. They're all basic hygiene: assess your risks, control access, encrypt data, train your people, document your processes, and have a plan for when things go wrong.

The practices that avoid HIPAA violations aren't doing anything complicated. They're doing the basics consistently and documenting the proof.

Concerned About HIPAA Gaps?

We'll check your practice against every common violation and tell you exactly where you stand.
