All the Following Activities Are Acceptable Under HIPAA—Except: Common Violations Explained

It’s easy to assume everyday workflows are compliant until a privacy incident proves otherwise. This guide clarifies which routine actions are not acceptable under HIPAA and how to correct them before they become violations. You’ll see how Protected Health Information (PHI) is commonly mishandled and how to put practical safeguards in place to stay compliant.

PHI includes any individually identifiable health information—paper, verbal, or electronic (ePHI). When you understand where PHI lives, who touches it, and why, you can align processes with Access Control Policies, Risk Analysis Procedures, Encryption Standards, HIPAA Compliance Training, Secure Disposal Methods, and timely Data Breach Notification.

Unauthorized Access to PHI

Unauthorized access happens when someone views, uses, or retrieves PHI without a legitimate job-related need. Curiosity, convenience, or shared passwords don’t qualify as a lawful basis, even if no data leaves the system.

What this looks like

• Opening a patient’s chart “just to check” without involvement in care.
• Using a shared workstation login to browse ePHI.
• Keeping access after job changes or offboarding, then viewing records.

How to prevent it

• Define and enforce Access Control Policies built on least privilege and role-based access.
• Issue unique user IDs, require multi-factor authentication, and prohibit shared credentials.
• Log, monitor, and routinely audit access; investigate anomalous access promptly.
• Deliver HIPAA Compliance Training at onboarding and periodically, with clear sanctions for violations.
• Remove or modify access immediately when roles change; verify physical safeguards for paper files.

Sharing PHI Without Consent

HIPAA permits disclosures for treatment, payment, and healthcare operations (TPO) without individual authorization. Outside of TPO or other permitted exceptions, sharing PHI without a valid authorization violates the Privacy Rule—especially when the disclosure exceeds the minimum necessary standard.

Risky scenarios

• Emailing PHI to a personal account to “finish work at home.”
• Discussing a patient in public spaces where others can overhear.
• Sending detailed diagnoses in voicemails or texts without safeguards.
• Disclosing to vendors lacking a Business Associate Agreement (BAA).

Safe practices

• Use authorizations when required and limit disclosures to the minimum necessary.
• Verify identities before sharing; use secure portals or encrypted channels for ePHI.
• Confirm BAAs with third parties; de-identify data when feasible.
• Reinforce expectations through role-based HIPAA Compliance Training and periodic refreshers.

Improper Disposal of PHI

Improper disposal exposes PHI long after it’s needed. Paper in recycling bins, unsecured storage boxes, or residual data on hard drives can all lead to breaches. You need Secure Disposal Methods that render PHI unreadable and irrecoverable.

Do not

• Discard paper records intact or leave them in unlocked bins.
• Donate, resell, or return devices without validated data sanitization.
• Overlook copier/printer drives, USBs, or backup media during decommissioning.

Do instead

• Shred, pulp, or incinerate paper; use locked consoles with documented chain-of-custody.
• Sanitize electronic media per recognized Secure Disposal Methods (for example, validated wiping or physical destruction) and keep destruction certificates.
• Follow retention schedules and verify vendors contractually and operationally.

Insufficient ePHI Access Controls

Even if staff intend to follow the rules, weak technical safeguards invite misuse and breaches. Insufficient controls usually mean policies exist on paper but aren’t enforced in systems and workflows.

Common gaps

• Shared or generic accounts and no multi-factor authentication.
• Overly broad roles that grant access to entire databases.
• Misconfigured cloud storage, long session timeouts, or inactive account sprawl.
• Limited audit logging or no review of access reports.

Controls that work

• Harden Access Control Policies with unique IDs, MFA, automatic logoff, and session timeouts.
• Apply least privilege and role-based access; segment networks and sensitive datasets.
• Continuously log and review access; alert on anomalous behavior.
• Use mobile device management for remote wipe and device encryption; tighten offboarding.

Lack of Risk Analysis

HIPAA requires an accurate and thorough assessment of risks to ePHI. Skipping or minimizing Risk Analysis Procedures leaves blind spots—especially during technology changes, mergers, or rapid growth.

What a strong risk analysis includes

• Inventory of systems, data flows, and where PHI/ePHI resides.
• Threat and vulnerability assessment with likelihood and impact ratings.
• Evaluation of existing controls, residual risk, and prioritized remediation plans.
• Documentation of decisions, owners, timelines, and validation of control effectiveness.
• Third-party and vendor risk reviews integrated with BAAs.

Operational cadence

• Perform a comprehensive assessment at least annually and upon significant changes (new EHR, telehealth rollouts, cloud migrations).
• Track remediation to closure and test controls; feed results into training and policy updates.

Failure to Use Encryption

Encryption is “addressable” under the Security Rule, but in practice it’s expected whenever it is reasonable and appropriate. Without it, routine operations—emailing records, storing backups, or using laptops—can expose ePHI if devices are lost or messages are intercepted.

Where to encrypt

• In transit: enforce modern Encryption Standards for email, APIs, and portals.
• At rest: full-disk encryption on laptops and mobile devices; server, database, and backup encryption.
• Removable media: prohibit or tightly control and encrypt USBs and external drives.

Implementation tips

• Standardize on strong Encryption Standards, manage keys securely, and rotate them periodically.
• Disable outdated protocols; document any compensating controls if encryption is not feasible.
• Test and monitor encryption coverage; include requirements in vendor contracts.

Failure to Report Data Breaches

The Breach Notification Rule requires notifying affected individuals and regulators without unreasonable delay and no later than 60 calendar days after discovering a breach. For incidents affecting 500+ individuals in a jurisdiction, you must also notify prominent media. Smaller breaches must be reported to regulators annually within the prescribed window.

What to do immediately

• Contain the incident, preserve evidence, and initiate your incident response plan.
• Conduct a risk assessment to determine the probability of compromise and whether notification is required.
• Coordinate with business associates, legal, and leadership; prepare Data Breach Notification content (what happened, what information was involved, steps individuals can take, your corrective actions, and contact information).

Avoid these pitfalls

• Waiting for a full root-cause analysis before notifying when the clock has started.
• Assuming encryption always eliminates notification—confirm whether data was actually unreadable.
• Failing to document your assessment or to meet notification timelines.

Conclusion

Most violations stem from routine shortcuts: peeking at records, oversharing, weak access controls, skipped risk analysis, missing encryption, poor disposal, or slow reporting. If you embed strong Access Control Policies, follow disciplined Risk Analysis Procedures, apply robust Encryption Standards, deliver ongoing HIPAA Compliance Training, use Secure Disposal Methods, and execute timely Data Breach Notification, you turn everyday workflows into reliable compliance.

FAQs

What activities violate HIPAA regulations?

Common violations include accessing PHI without a job-related need, sharing PHI beyond permitted purposes or without valid authorization, disposing of records insecurely, operating with weak ePHI access controls, skipping risk analysis, failing to encrypt where reasonable and appropriate, and missing or delaying required breach notifications.

How is unauthorized access to PHI prevented?

Prevent it by enforcing Access Control Policies with least privilege, unique IDs, and multi-factor authentication; logging and auditing access; rapidly adjusting access during role changes; reinforcing expectations through HIPAA Compliance Training and sanctions; and protecting physical records with locked storage and clean-desk practices.

What are the consequences of failing to report data breaches?

Consequences can include regulatory penalties, mandated corrective action plans, heightened oversight, contractual and reputational damage, litigation exposure, and loss of patient trust. Missing timelines or providing incomplete Data Breach Notification often increases enforcement risk and remediation costs.

How should PHI be securely disposed of?

Use Secure Disposal Methods that render PHI unreadable and irrecoverable: cross-cut shredding, pulping, or incineration for paper, and validated media sanitization or physical destruction for electronic devices and storage. Maintain destruction logs, verify vendor practices, and follow retention schedules to ensure consistent, compliant disposal.