Though HIPAA has held covered entities to federal security and privacy standards since 2003, health care providers are still adjusting their practices to ensure compliance. While abiding by HIPAA regulations will likely always be an ongoing process, as technology and protocols constantly change, the Office of Civil Rights and the Centers for Medicare & Medicaid Services expect covered entities to follow best practices and remain compliant. To keep up with ever-evolving policies, it is imperative that medical practices have policies, processes and supportive tools in place.

According to the U.S. Department of Health and Human Services, between April 14, 2003, and Sept. 30, 2015, the Office of Civil Rights received 121,576 complaints. In each year of this period, the number of investigated complaints found to be violations exceeded the number found not to be infractions. In fact, the number of violations per year generally increased.

Risks of HIPAA violations

There are a number of ways covered entities can violate HIPAA regulations. Failure to obtain authorization and the improper storage of PHI and ePHI can present issues, but remaining knowledgeable and organized is perhaps the biggest challenge. Covered entities must always be prepared for compliance reviews, as the OCR looks into organizations both in response to complaints and through regular audits.

Ultimately, investigations seek to correct covered entities' policies and procedures to better safeguard patient privacy. Health care providers may be subject to civil monetary penalties and even jail time, and experts expect fines to increase. Currently, fines range from $100 per violation when a covered entity unknowingly breaks the law, to $50,000 per violation for willful neglect. The Secretary of the Department of Health and Human Services has charged covered entities as much as $4.8 million in a single investigation.

Making compliance easy

HIPAA Help Center provides end-to-end HIPAA compliance support in a way that streamlines, rather than complicates, your business.

10 Common HIPAA Violations

Improperly storing health information

Covered entities often use technological devices such as laptops to house electronic protected health information. According to the U.S. Department of Health and Human Services, the HIPAA Security Rule requires...

Releasing information to an undesignated party

Covered entities must obtain authorization prior to releasing a patient's protected health information. This is true for any reason besides those listed under the HIPAA Privacy Rule as events that...

Releasing unauthorized health information

Authorized health information refers to protected health information that a patient has given approval for a covered entity to release to a designated party. Patients grant this authorization through a...

Failing to include the right to revoke clause

Health care providers cannot disclose protected health information without patient authorization. Patients grant authorization through a signed form that contains the names of those who will disclose and receive the...

Releasing the wrong patient's health information

Only the patient, the patient's personal representative and authorized parties may receive protected health information. Authorized parties include either those designated on a patient-signed authorization or covered entities using the...

Noncompliance with patient signature requirements

Covered entities must obtain authorization from a patient or the patient's personal representative to disclose protected health information under the HIPAA Privacy Rule. Authorizations of this nature must contain specifics...

Failing to release information to patients

The HIPAA Privacy Rule grants patients or their personal representatives the right to receive, inspect and review their health information, including medical and billing records, on demand. Covered entities must...

Improperly disposing of patient records

Under the HIPAA Privacy Rule, covered entities must create policies to safeguard all protected health information from the view of unauthorized individuals. The Security Rule requires covered entities to have...

Violating the authorization expiration date

Covered entities under the HIPAA Privacy Rule, which include all care providers, must obtain written authorization before releasing protected health information under certain circumstances. For example, authorization is required before...

Granting unauthorized access to medical records

Covered entities must obtain patient authorization to release protected health information. If a covered entity discloses PHI without authorization, it may be in violation of the HIPAA Privacy Rule....


Make time for what matters most
Your Patients