What Counts as a HIPAA Violation?
Imagine discovering that your mother-in-law, who works at a medical facility, accessed your child's confidential medical records without permission, photographed them, and shared them with your ex-partner during a heated custody battle. This isn't a hypothetical scenario—it's a real privacy breach that happens more often than you might think, and it represents a serious violation of federal law.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) stands as the cornerstone of patient privacy protection in the United States. But what exactly counts as a HIPAA violation? This article breaks down the definition of HIPAA violations, provides real-world examples with actual consequences, and outlines specific steps you can take if you believe your privacy rights have been violated.
Understanding the Basics of HIPAA
Before diving into what constitutes a violation, it's important to understand what HIPAA protects and who must comply with its regulations.
Protected Health Information (PHI)
HIPAA safeguards what's known as Protected Health Information (PHI)—any individually identifiable health information that is created, received, maintained, or transmitted by covered entities and their business associates. This includes:
- Names, addresses, and birth dates
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Full-face photographs
- Any other unique identifying characteristic
- Diagnoses, treatment information, and medication history
- Billing and payment information
PHI can exist in any form—electronic, paper, or verbal—and HIPAA rules apply to all of them.


Who Must Comply with HIPAA?
Not everyone who handles health information is bound by HIPAA regulations. The law specifically applies to:
Covered Entities:
- Health Plans (Medicare, Medicaid, private insurers)
- Healthcare Providers (doctors, clinics, hospitals, pharmacies) who transmit health information electronically in connection with a standard transaction, such as a claim or an eligibility check
- Healthcare Clearinghouses (entities that process nonstandard health information)
Business Associates: Individuals or organizations that perform functions involving PHI on behalf of a covered entity, such as:
- Billing companies
- IT service providers
- Cloud storage services
- Electronic Health Record (EHR) vendors
- Attorneys handling healthcare matters


One of the core principles of HIPAA is the Minimum Necessary Standard, which requires covered entities to make reasonable efforts to limit the use or disclosure of PHI to the minimum necessary to accomplish the intended purpose. In practice this means role-based access: a billing clerk should not be able to open clinical notes that billing does not need. The standard does not apply to disclosures to, or requests by, a healthcare provider for treatment, so clinicians caring for a patient are not artificially cut off from the chart.
What Exactly Is a HIPAA Violation?
A HIPAA violation is any failure to comply with any aspect of HIPAA regulations, including the Privacy Rule, Security Rule, and Breach Notification Rule. Violations can range from seemingly minor infractions like sending an email to the wrong patient to major breaches like selling patient information for profit.
The scale of this issue is significant. According to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), which enforces HIPAA, more than 374,000 HIPAA complaints have been received since April 2003. Of these, OCR has settled or imposed civil money penalties in 152 cases, totaling more than $144.8 million.
Common categories of HIPAA violations include:
- Unauthorized access, use, or disclosure of PHI
- Failure to perform an organization-wide risk analysis
- Lack of safeguards to protect health information
- Improperly disposing of PHI
- Denying or delaying patient access to their own records
- Insufficient employee training on privacy procedures
Top 10 Common HIPAA Violations and Real-World Examples
Understanding what counts as a HIPAA violation becomes clearer when examining specific examples. Here are the ten most common violations, along with real cases that resulted in substantial penalties:


1. Snooping on Healthcare Records
One of the most frequent violations occurs when healthcare employees access patient records without a legitimate work reason—often out of curiosity or personal interest.
Real-world example: UCLA Health System paid an $865,000 settlement in 2011 after employees repeatedly accessed celebrity patients' medical records without authorization. In similar cases, employees have been fired for checking the records of family members, neighbors, or co-workers out of curiosity; because EHR systems log every chart access, this kind of snooping is usually discovered during a routine audit or after the patient asks who has viewed their record.
2. Failure to Perform an Organization-Wide Risk Analysis
HIPAA requires covered entities to conduct thorough assessments of potential risks to electronic PHI.
Real-world example: Premera Blue Cross paid a $6,850,000 settlement for systemic noncompliance, including failures in risk analysis that left the PHI of over 10.4 million people vulnerable to a cyberattack.
3. Failure to Manage Security Risks
Even when organizations identify risks, they sometimes fail to address them properly.
Real-world example: The Alaska Department of Health and Social Services paid $1.7 million for failing to manage risks after a portable hard drive containing ePHI was stolen.
4. Denying Patients Access to Their Health Records
HIPAA grants patients the right to access their medical records within 30 days of a request; one 30-day extension is allowed if the patient is told in writing why it is needed.
Real-world example: Cignet Health of Prince George's County was fined $4.3 million for denying 41 patients access to their medical records and then failing to cooperate with the OCR's investigation.
5. Failure to Use Encryption (or an Equivalent Measure)
HIPAA doesn't explicitly mandate encryption; it is an "addressable" implementation specification under the Security Rule. That does not make it optional: an organization must assess whether encryption is reasonable and appropriate, implement it if so, and otherwise document why not and put an equivalent alternative safeguard in place. The practical stakes are high, because a lost or stolen device holding PHI that was encrypted in line with HHS guidance is not a reportable breach, while the same device holding unencrypted PHI is.
Real-world example: Children's Medical Center of Dallas was assessed a $3.2 million civil money penalty in 2017 after unencrypted ePHI of more than 3,800 individuals was lost on mobile devices.
6. Exceeding the 60-Day Breach Notification Deadline
Covered entities must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovering a breach. A breach counts as "discovered" on the first day it is known, or reasonably should have been known, to the organization, so the clock does not wait for the internal investigation to finish. Breaches affecting 500 or more individuals must also be reported to HHS within the same 60 days; smaller breaches are logged and reported to HHS annually.
Real-world example: Oklahoma State University – Center for Health Sciences paid $875,000 for multiple HIPAA violations, including delayed breach notifications.
7. Impermissible Disclosures of PHI
This occurs when patient information is shared without proper authorization.
Real-world example: A physician at New York's Mount Sinai Hospital was fired after posting a photo of a patient on Facebook without consent. In another case, a nurse was terminated for discussing a patient's condition on social media.
8. Improper Disposal of PHI
Organizations must properly destroy PHI when it's no longer needed.
Real-world example: New England Dermatology and Laser Center was fined $300,640 for improperly disposing of specimen containers with PHI labels in a public dumpster.
9. Insufficient ePHI Access Controls
This involves failing to limit who can access electronic health records.
Real-world example: Anthem Inc. paid a record $16 million penalty following a massive data breach affecting 79 million people, partly due to failures in access controls.
10. Failure to Enter into a HIPAA-Compliant Business Associate Agreement
Covered entities must have written agreements with their business associates before sharing PHI.
Real-world example: MedEvolve, Inc. paid $350,000 for lacking a business associate agreement with a subcontractor who had access to PHI.
The Consequences of Breaking HIPAA Rules
The penalties for HIPAA violations can be severe, both for organizations and individuals.


For Organizations (Covered Entities & Business Associates)
The OCR can impose civil monetary penalties based on four tiers of culpability:
- Tier 1 (Unaware): $141 to $70,698 per violation when the entity didn't know and couldn't reasonably have known about the violation
- Tier 2 (Reasonable Cause): $1,414 to $70,698 per violation
- Tier 3 (Willful Neglect - Corrected): $14,140 to $70,698 per violation
- Tier 4 (Willful Neglect - Not Corrected): At least $70,698 per violation
These figures are adjusted for inflation each year, so the exact dollar amounts move. Penalties are capped at $2,134,831 per calendar year for identical violations, but an organization that commits several different types of violations can face more than that in total.
For Individuals (Workforce Members)
Individual employees who violate HIPAA may face:
- Termination of employment
- Professional sanctions from licensing boards
- Criminal charges prosecuted by the Department of Justice
Criminal penalties for individuals can include:
- Up to $50,000 fine and 1 year in prison for knowingly violating HIPAA
- Up to $100,000 fine and 5 years in prison for violations under false pretenses
- Up to $250,000 fine and 10 years in prison for violations with intent to sell, transfer, or use PHI for personal gain or malicious harm
What to Do If You Suspect Your Privacy Has Been Violated
If you believe your health information privacy has been breached, take these steps:
- Contact the provider's compliance department. Call the healthcare organization and ask to speak with its Compliance Department or Privacy Officer. Clearly explain your concerns and request an investigation.
- Request an audit of your records. Systems like Epic (used by many healthcare providers) log every access to a patient chart. Formally request a detailed access report showing who opened your record, when, and for what stated reason. Note that HIPAA itself guarantees you an "accounting of disclosures" (disclosures made outside the organization, excluding those for treatment, payment, and operations), not the internal access log; most providers will nonetheless produce the log on request, and it is the evidence an OCR investigation will rely on.
- Ask for enhanced security on your records. Request that a "Break the Glass" restriction be placed on your chart. This control requires users outside your care team to enter a justification before opening your record and typically generates an alert that the Privacy Officer reviews.
- File an official HIPAA complaint. You can submit a complaint directly to the HHS Office for Civil Rights through its online portal. Complaints must be filed within 180 days of when you knew, or should have known, about the violation; OCR can extend this deadline for good cause.
- Consult a lawyer. HIPAA does not allow individuals to sue directly for violations, but you may have recourse under state privacy or negligence laws. An attorney specializing in privacy law can help determine whether you can pursue damages for emotional distress or other harms if the provider was negligent in securing your information.
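The audit trail described in the steps above, and the snooping pattern in violation #1, are easiest to understand by running a small access review. The following is an added example written for this article, not code from any EHR vendor or from the original page. It takes a constructed CSV access log, a constructed care-team roster and a constructed set of restricted ("break-the-glass") charts, produces the per-patient access report a Privacy Officer would hand back to a patient who asks, and flags the accesses that need follow-up. Every column name, user ID, patient ID and rule name is an assumption made for illustration.

```python
import csv
import io
from collections import namedtuple

# Constructed sample access log (hypothetical schema; column names are assumptions).
# One row per chart view: who looked, at whose chart, and any break-the-glass justification.
SAMPLE_ACCESS_LOG = """\
timestamp,user_id,user_last_name,user_dept,patient_id,patient_last_name,action,btg_reason
2024-03-01T08:02:11,u1001,Nguyen,Pediatrics,p5001,Nguyen,VIEW_CHART,
2024-03-01T08:15:40,u1002,Okafor,Pediatrics,p5001,Nguyen,VIEW_CHART,
2024-03-01T12:30:05,u1003,Reyes,Billing,p5001,Nguyen,VIEW_NOTES,
2024-03-02T22:47:19,u1004,Brown,Radiology,p5002,Brown,VIEW_CHART,
2024-03-02T09:05:00,u1002,Okafor,Pediatrics,p5002,Brown,VIEW_CHART,
2024-03-03T10:12:33,u1005,Patel,Oncology,p5003,Chen,VIEW_CHART,"covering on-call for Dr. Okafor"
2024-03-03T11:40:00,u1006,Kim,Cardiology,p5003,Chen,VIEW_CHART,
"""

# Constructed roster: users with a documented treatment/payment relationship to each patient
# (in a real system this would come from encounter, scheduling or billing assignments).
CARE_TEAM = {
    "p5001": {"u1001", "u1002"},
    "p5002": {"u1002"},
    "p5003": {"u1002"},
}

# Constructed: charts carrying a break-the-glass restriction.
RESTRICTED_CHARTS = {"p5003"}

Finding = namedtuple("Finding", "timestamp user_id patient_id rule")


def _rows(log_text):
    """Parse the CSV log into dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(log_text)))


def access_report(log_text, patient_id):
    """The 'who accessed my record, and when' report a patient can ask for."""
    return [
        {"timestamp": r["timestamp"], "user_id": r["user_id"],
         "department": r["user_dept"], "action": r["action"]}
        for r in _rows(log_text) if r["patient_id"] == patient_id
    ]


def audit_access_log(log_text, care_team, restricted_charts):
    """Flag chart accesses that lack a documented relationship to the patient.

    Returns leads for a Privacy Officer to review, not verdicts: a billing clerk
    may have a legitimate payment reason that the roster does not capture.
    """
    findings = []
    for r in _rows(log_text):
        uid, pid = r["user_id"], r["patient_id"]
        if uid in care_team.get(pid, set()):
            continue  # documented relationship: permitted use, nothing to flag
        reason = r["btg_reason"].strip()
        if pid in restricted_charts:
            # Break-the-glass chart: a justification must be recorded, and even a
            # recorded one gets a human review.
            rule = "BTG_REVIEW" if reason else "BTG_NO_JUSTIFICATION"
            findings.append(Finding(r["timestamp"], uid, pid, rule))
            continue
        findings.append(Finding(r["timestamp"], uid, pid, "NO_TREATMENT_RELATIONSHIP"))
        # Classic snooping pattern from the article: looking up a relative.
        if r["user_last_name"].lower() == r["patient_last_name"].lower():
            findings.append(Finding(r["timestamp"], uid, pid, "SHARED_SURNAME"))
    return findings


if __name__ == "__main__":
    for row in access_report(SAMPLE_ACCESS_LOG, "p5001"):
        print("p5001 accessed:", row)
    for f in audit_access_log(SAMPLE_ACCESS_LOG, CARE_TEAM, RESTRICTED_CHARTS):
        print("FLAG", f)
```

On the constructed log this flags the billing user with no assignment to the chart, the radiologist who opened a chart belonging to someone with the same surname, and both accesses to the restricted chart (one with a recorded justification to verify, one without). The surname heuristic is deliberately crude and produces false positives; real programs pair it with address and emergency-contact matches and, above all, with the roster of who is actually treating the patient.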


Understanding Your Rights Protects Your Privacy
HIPAA violations range from careless mistakes to malicious breaches of trust, and the consequences can be severe for those who fail to safeguard patient information. By understanding what constitutes a violation and knowing the steps to report one, you can take control of your health information and hold organizations accountable for protecting your privacy.
Remember that healthcare providers have a legal and ethical obligation to maintain the confidentiality of your medical information. When they fail to meet this standard, you have the right—and the means—to seek redress.
Frequently Asked Questions (FAQ)
What is considered a HIPAA violation?
A HIPAA violation is any failure by a covered entity or its business associates to comply with the Health Insurance Portability and Accountability Act's rules for protecting patient privacy and data security. This can range from an employee snooping on medical records without authorization and improper disposal of documents to large-scale data breaches caused by inadequate security. Essentially, if your protected health information (PHI) is used or disclosed in a way not permitted by the HIPAA Privacy Rule, it's a violation.
Who is required to follow HIPAA rules?
HIPAA rules must be followed by "covered entities" and their "business associates." Covered entities are health plans, healthcare clearinghouses, and most healthcare providers (like doctors, hospitals, and pharmacies). Business associates are individuals or companies that perform services for covered entities involving patient data, such as billing companies, IT providers, and cloud storage services.
How can I find out if someone illegally accessed my medical records?
You can find out if someone illegally accessed your medical records by formally requesting an audit trail or access report from the healthcare provider's Privacy Officer or Compliance Department. This report logs every instance of access to your electronic health record, showing who viewed your information and when. If you suspect unauthorized access, this audit is crucial evidence.
Can I sue a hospital or individual for a HIPAA violation?
No, you cannot directly sue an individual or organization for a HIPAA violation, as the law does not grant a "private right of action." However, you can file an official complaint with the U.S. Department of Health and Human Services (HHS), which can lead to investigations and significant fines. You may also be able to sue under state laws for related issues like negligence or invasion of privacy.
What should I do if my healthcare privacy is violated?
If you believe your healthcare privacy has been violated, first contact the provider's Privacy Officer, request an access report for your records, and then file an official complaint with the HHS Office for Civil Rights (OCR) within 180 days of when you knew, or should have known, about the violation. Clearly document the violation, including dates, names, and any evidence you have.
What are the penalties for violating HIPAA?
Penalties for HIPAA violations include substantial civil fines for organizations, ranging from about $141 to over $70,000 per violation, and criminal charges for individuals, which can lead to prison time and fines up to $250,000. The severity depends on the level of negligence. Organizations face tiered fines, while individuals who knowingly misuse health information can face termination, professional sanctions, and federal prosecution.