Checklist of Employer HIPAA Violation Examples, Red Flags, and Best Practices

Kevin Henry

HIPAA

April 07, 2024

Use this practical checklist to spot and prevent employer HIPAA violations. It focuses on Protected Health Information (PHI) handled by employer-sponsored health plans and business associates. Remember: employment records themselves are not PHI, but PHI received for plan administration is covered and must be safeguarded.

Across all sections, anchor your program in clear Access Control Policies, Workforce Training Requirements, solid Business Associate Agreements, and documented Data Disposal Procedures. Apply the HIPAA Privacy, Security, and Breach Notification Rules consistently.

Unauthorized Access to PHI

Unauthorized access occurs when workforce members or vendors view, use, or disclose PHI without a legitimate plan administration or treatment/payment/operations purpose. This includes Electronic Protected Health Information (ePHI) in systems, email, or files.

Examples

  • “Snooping” in an employee’s health plan claims out of curiosity.
  • Using a coworker’s login to read medical records or eligibility data.
  • Pulling PHI to make employment decisions (hiring, promotion, discipline).
  • Sharing PHI with a manager who lacks a plan-related need to know.
  • Vendor support staff accessing ePHI systems without proper authorization.

Red Flags

  • Access to PHI outside job role or repeated viewing of the same record.
  • Shared or generic accounts; missing unique user IDs and audit trails.
  • Logins from unusual locations or times; failed login spikes.
  • Requests for PHI “for HR files” or “just in case.”
  • Lack of sanction activity despite audit anomalies.

Best Practices Checklist

  • Enforce role-based access and the minimum-necessary standard; document Access Control Policies.
  • Require unique IDs, strong authentication (preferably MFA), and automatic logoff.
  • Review access quarterly; remove dormant accounts promptly.
  • Log, monitor, and investigate access to PHI; maintain audit logs.
  • Train workforce on permitted uses/disclosures and sanction violations.
  • Execute and manage Business Associate Agreements for all vendors with PHI access.
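The red flags above (access outside the job role, repeated viewing of one record, logins at unusual times, failed-login spikes) are only useful if someone actually runs them against the audit log. The script below is an added example, not code from the article or from any vendor: it applies those four tests to a constructed sample of pipe-delimited access-log lines. The log format, the role-to-action map, the business-hours window, and the thresholds are all assumptions for illustration; a real review would read the plan system's own export and tune the thresholds to its volume.

```python
"""Audit-log review for PHI access (added example; log format and roles are assumed)."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Role -> actions that role legitimately performs in plan administration (assumed)
ROLE_PERMISSIONS = {
    "benefits_admin": {"LOGIN", "VIEW_CLAIM", "VIEW_ELIGIBILITY"},
    "vendor_support": {"LOGIN", "VIEW_ELIGIBILITY"},
    "hr_generalist": {"LOGIN"},  # HR has no plan-related need to read claims
}

# Constructed sample log: timestamp|user|role|action|record|result
SAMPLE_LOG = [
    "2024-04-01T08:00:00|asmith|benefits_admin|LOGIN|-|OK",
    "2024-04-01T08:05:00|asmith|benefits_admin|VIEW_ELIGIBILITY|ELG-77|OK",
    "2024-04-01T09:00:00|jdoe|benefits_admin|LOGIN|-|OK",
    "2024-04-01T09:05:00|jdoe|benefits_admin|VIEW_CLAIM|CLM-1001|OK",
    "2024-04-01T09:30:00|jdoe|benefits_admin|VIEW_CLAIM|CLM-1001|OK",
    "2024-04-01T10:15:00|jdoe|benefits_admin|VIEW_CLAIM|CLM-1001|OK",
    "2024-04-01T10:20:00|jdoe|benefits_admin|VIEW_CLAIM|CLM-1002|OK",
    "2024-04-02T02:14:00|mroe|hr_generalist|LOGIN|-|OK",
    "2024-04-02T02:15:00|mroe|hr_generalist|VIEW_CLAIM|CLM-1001|OK",
    "2024-04-02T11:00:00|vsupport|vendor_support|LOGIN|-|FAIL",
    "2024-04-02T11:00:30|vsupport|vendor_support|LOGIN|-|FAIL",
    "2024-04-02T11:01:00|vsupport|vendor_support|LOGIN|-|FAIL",
    "2024-04-02T11:01:30|vsupport|vendor_support|LOGIN|-|FAIL",
    "2024-04-02T11:02:00|vsupport|vendor_support|LOGIN|-|FAIL",
    "2024-04-02T11:03:00|vsupport|vendor_support|LOGIN|-|OK",
    "2024-04-02T11:05:00|vsupport|vendor_support|VIEW_ELIGIBILITY|ELG-77|OK",
]


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    role: str
    action: str
    record_id: str
    result: str


def parse_log(lines):
    """Parse pipe-delimited log lines into AccessEvent records."""
    events = []
    for line in lines:
        ts, user, role, action, record_id, result = line.strip().split("|")
        events.append(AccessEvent(datetime.fromisoformat(ts), user, role, action, record_id, result))
    return events


def out_of_role_access(events):
    """Successful actions the user's role has no plan-administration need for."""
    return [e for e in events
            if e.result == "OK" and e.action not in ROLE_PERMISSIONS.get(e.role, set())]


def repeated_record_views(events, threshold=3):
    """(user, record) pairs viewed at least `threshold` times: review for snooping."""
    counts = Counter((e.user, e.record_id) for e in events
                     if e.result == "OK" and e.action.startswith("VIEW_"))
    return sorted(pair for pair, n in counts.items() if n >= threshold)


def off_hours_logins(events, start_hour=7, end_hour=19):
    """Successful logins outside the assumed business window."""
    return [e for e in events
            if e.action == "LOGIN" and e.result == "OK"
            and not start_hour <= e.ts.hour < end_hour]


def failed_login_spikes(events, threshold=5):
    """Users with at least `threshold` failed logins in the reviewed window."""
    counts = Counter(e.user for e in events if e.action == "LOGIN" and e.result == "FAIL")
    return sorted(user for user, n in counts.items() if n >= threshold)


def review(lines):
    """Run every check and return findings keyed by red flag."""
    events = parse_log(lines)
    return {
        "out_of_role": [(e.user, e.action, e.record_id) for e in out_of_role_access(events)],
        "repeated_views": repeated_record_views(events),
        "off_hours_logins": [(e.user, e.ts.isoformat()) for e in off_hours_logins(events)],
        "failed_login_spikes": failed_login_spikes(events),
    }


if __name__ == "__main__":
    for flag, hits in review(SAMPLE_LOG).items():
        print(f"{flag}: {hits}")
```

Each finding is a lead for a documented investigation, not a conclusion: the repeated view of CLM-1001 by a benefits administrator may be legitimate claim follow-up, whereas the same record read at 2 a.m. by an HR generalist with no plan role is the kind of anomaly that should end in sanction activity rather than silence.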

Loss or Theft of Devices Containing PHI

Unsecured devices with PHI—laptops, smartphones, tablets, USB drives, or paper folders—pose theft and loss risks that often trigger breach analysis under the Breach Notification Rule.

Examples

  • Stolen laptop with unencrypted spreadsheets of plan members.
  • Lost phone containing email attachments with claims data.
  • Misplaced USB drive holding eligibility exports.
  • Papers with PHI left in a rideshare or hotel room.

Red Flags

  • Devices lack full-disk encryption and screen-lock timeouts.
  • Bring-Your-Own-Device (BYOD) without mobile device management (MDM).
  • No asset inventory or checkout process for loaner devices.
  • Local storage of PHI outside approved systems; no remote wipe.

Best Practices Checklist

  • Encrypt all endpoints and removable media; enable auto-lock and remote wipe.
  • Require MDM for BYOD; isolate work data in a managed container.
  • Prohibit local PHI storage; use secure, access-controlled systems.
  • Maintain device inventory, chain-of-custody, and rapid loss reporting.
  • Upon loss/theft, initiate risk assessment and, if a breach occurred, follow the Breach Notification Rule.

Improper Disposal of PHI

Disposal must render PHI unreadable and unreconstructable. Weak or ad hoc practices create avoidable breaches and regulatory exposure.

Examples

  • Throwing claim forms or EOBs into regular trash or recycling.
  • Returning leased copiers or scanners without wiping stored images.
  • Discarding hard drives without secure sanitization or destruction.

Red Flags

  • No documented Data Disposal Procedures or retention schedule.
  • Open recycling bins near printers used for PHI print jobs.
  • No certificate of destruction from a shredding or IT disposal vendor.
  • Business associates handle disposal without a proper agreement.

Best Practices Checklist

  • Shred paper using cross-cut shredders or locked consoles with certified pickup.
  • Sanitize or destroy media per recognized methods (for example, clearing/purging/destroying).
  • Control custody from storage to destruction; document dates and quantities.
  • Include disposal terms in Business Associate Agreements.
  • Train staff on retention, hold orders, and disposal do’s/don’ts.

Discussing PHI in Public Areas

Oral disclosures can violate HIPAA when others can overhear. This risk has grown with hybrid work, open offices, and mobile calls.

Examples

  • Speaking about an employee’s diagnosis in elevators, lobbies, or cafeterias.
  • Using speakerphone in open areas to resolve a claims issue.
  • Displaying PHI on screens visible to visitors or during video calls.

Red Flags

  • No private spaces for plan administration conversations.
  • Frequent speakerphone use or video calls in shared environments.
  • Unattended screens showing PHI; no privacy screens.

Best Practices Checklist

  • Reinforce minimum-necessary oral disclosures and need-to-know.
  • Designate private areas and require headsets for PHI discussions.
  • Use privacy screens and automatic screen locks.
  • Remind staff to verify surroundings before speaking about PHI.
  • Embed expectations into Workforce Training Requirements and sanctions.

Sending PHI to Incorrect Recipients

Misdirected messages—email, fax, file transfers, physical mail—remain a leading source of HIPAA incidents. Even limited data points can create risk.

Examples

  • Emailing PHI to the wrong address due to auto-complete.
  • Faxing plan records to a non-secure number or wrong facility.
  • Attaching the wrong spreadsheet to a vendor upload.
  • Mailing EOBs to outdated home addresses.

Red Flags

  • Frequent “oops” emails, bounce-backs, or wrong-number faxes.
  • No secure messaging or portal for PHI transmissions.
  • Bulk mailings without quality checks or address validation.

Best Practices Checklist

  • Use secure portals or encrypted email for PHI; disable email auto-complete for sensitive groups.
  • Apply DLP and attachment scanning; add a brief send-delay rule for last-second corrections.
  • Confirm recipient identity and address/number before sending.
  • Use cover sheets with minimum PHI for fax; verify fax numbers via directory, not memory.
  • If misdirected, retrieve/contain, complete risk assessment, and follow the Breach Notification Rule if required.
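The DLP, recipient-verification, and send-delay items above combine naturally into a single outbound check. The code below is an added example, not the article's or any product's implementation: it scans a constructed message (subject, body, and attachment text) for plan identifier formats, checks each recipient against an approved-domain list and a known-contacts list to catch auto-complete near misses, and returns SEND, DELAY (held for a recall window), or HOLD (needs review). The domains, contacts, identifier regexes, and 60-second delay are assumptions chosen for illustration.

```python
"""Outbound PHI transmission guard (added example; domains, contacts and patterns are assumed)."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Assumed: the plan's own domain and the domains of vendors operating under a BAA
APPROVED_DOMAINS = {"plan.example", "tpa-vendor.example"}
# Assumed known contacts, used to catch auto-complete near misses
KNOWN_CONTACTS = {"claims@tpa-vendor.example", "h.lee@plan.example"}
SEND_DELAY = timedelta(seconds=60)  # window in which the sender can still recall the message

# Identifier formats assumed for this plan's data
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "claim_id": re.compile(r"\bCLM-\d{4,}\b"),
    "member_id": re.compile(r"\bMBR-\d{6,}\b"),
}


@dataclass
class Message:
    sender: str
    recipients: list
    subject: str
    body: str
    attachments: dict = field(default_factory=dict)  # filename -> extracted text


@dataclass
class Decision:
    action: str            # "SEND", "DELAY" (send after SEND_DELAY), or "HOLD" (needs review)
    reasons: list
    release_at: Optional[datetime] = None


def find_phi(text):
    """Names of the PHI identifier patterns present in `text`."""
    return sorted(name for name, pat in PHI_PATTERNS.items() if pat.search(text))


def recipient_findings(recipients):
    """Recipients outside approved domains, or that look like a mistyped known contact."""
    reasons = []
    for addr in recipients:
        local, _, domain = addr.lower().partition("@")
        if domain not in APPROVED_DOMAINS:
            reasons.append(f"{addr}: domain not approved for PHI")
        for known in sorted(KNOWN_CONTACTS):
            known_local, _, known_domain = known.partition("@")
            if local == known_local and domain != known_domain:
                reasons.append(f"{addr}: resembles {known} (possible auto-complete error)")
    return reasons


def evaluate_outbound(msg, now):
    """Decide whether a message may leave, must wait, or must be held for review."""
    phi = find_phi(msg.subject + "\n" + msg.body)
    for name, text in msg.attachments.items():
        phi += [f"{name}:{p}" for p in find_phi(text)]
    if not phi:
        return Decision("SEND", [])
    reasons = [f"PHI detected: {', '.join(phi)}"] + recipient_findings(msg.recipients)
    if len(reasons) > 1:
        return Decision("HOLD", reasons)
    # PHI to an approved recipient: still give the sender a recall window
    return Decision("DELAY", reasons, release_at=now + SEND_DELAY)


NOW = datetime(2024, 4, 7, 10, 0, 0)
# Constructed sample messages
SAMPLE_OK = Message("h.lee@plan.example", ["claims@tpa-vendor.example"],
                    "Meeting", "Can we talk at 3pm?")
SAMPLE_WRONG = Message("h.lee@plan.example", ["claims@tpa-vendor-mail.example"],
                       "Claim question", "Please re-check CLM-10021 for member MBR-000123.")
SAMPLE_DELAY = Message("h.lee@plan.example", ["claims@tpa-vendor.example"],
                       "Eligibility export", "Attached as requested.",
                       {"eligibility.csv": "member_id,status\nMBR-000123,active\n"})

if __name__ == "__main__":
    for m in (SAMPLE_OK, SAMPLE_WRONG, SAMPLE_DELAY):
        print(evaluate_outbound(m, NOW))
```

A HOLD should route to a human who confirms the address from a directory rather than memory; a DELAY is the "brief send-delay rule" from the checklist, and messages with no PHI pass untouched so the control does not become something staff work around.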

Failure to Provide Patients Access to Their Records

Individuals have a right to access their PHI. For employer plans, this often means timely access to plan records and designated record sets.

Examples

  • Delaying access beyond the allowed timeframe without a valid extension.
  • Charging unreasonable, non–cost-based fees for copies.
  • Refusing to send records in the reasonable format requested.
  • Ignoring valid third-party directives from the individual.

Red Flags

  • No tracked queue for Right of Access requests or due dates.
  • Confusion between employment records and PHI in plan files.
  • Repeated complaints to HR or the plan about missing records.

Best Practices Checklist

  • Publish a clear process, contact point, and timeline (with allowable extension) for access requests.
  • Provide records in the format requested when feasible; support secure electronic delivery for ePHI.
  • Charge only reasonable, cost-based fees as permitted.
  • Track requests end to end; escalate nearing deadlines.
  • Train staff to distinguish employment records from plan PHI.

Insufficient ePHI Access Controls

The HIPAA Security Rule requires administrative, physical, and technical safeguards for ePHI. Weak controls increase breach likelihood and impact.

Examples

  • Shared admin accounts; no multi-factor authentication.
  • Unpatched systems, open remote access, or weak passwords.
  • No session timeouts, encryption, or audit logging in critical apps.
  • Overprivileged users and stale vendor accounts.

Red Flags

  • Failed security tests or recurrent phishing compromises.
  • Audit logs not reviewed; alerts ignored.
  • Inconsistent onboarding/offboarding and entitlement reviews.

Best Practices Checklist

  • Document and enforce Access Control Policies: least privilege, unique IDs, MFA, and automatic logoff.
  • Encrypt ePHI in transit and at rest; segment networks and restrict remote access.
  • Maintain comprehensive logging; correlate events and investigate promptly.
  • Perform periodic risk analysis, vulnerability management, and patching.
  • Vet business associates; verify safeguards and incident response expectations in agreements.
  • Meet recurring Workforce Training Requirements and run phishing simulations.
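The entitlement review called for here, and the "review access quarterly; remove dormant accounts promptly" item in the Unauthorized Access section, come down to reconciling a system's account export against the HR roster and a least-privilege baseline. The script below is an added example, not the article's or any product's code: it reviews a constructed account list for shared accounts, missing MFA, dormancy, terminated owners who still have access, entitlements beyond the role baseline, and vendor accounts with no expiry tied to the BAA term. The role baselines, account fields, roster, and 90-day dormancy threshold are assumptions for illustration.

```python
"""Quarterly access review for plan-administration systems (added example; fields and baselines are assumed)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed entitlement baseline per role (least privilege)
ROLE_BASELINE = {
    "benefits_admin": {"claims.read", "eligibility.read"},
    "hr_generalist": set(),          # no plan-administration need
    "vendor_support": {"eligibility.read"},
}

# Constructed HR roster: employee id -> (status, role)
ROSTER = {
    "E100": ("active", "benefits_admin"),
    "E101": ("active", "hr_generalist"),
    "E102": ("terminated", "benefits_admin"),
}


@dataclass
class Account:
    user_id: str
    owner: str                  # HR employee id, vendor id, or "" for shared accounts
    kind: str                   # "employee", "vendor", or "shared"
    last_login: date
    entitlements: set
    mfa: bool
    expires: Optional[date] = None  # vendor accounts should expire with the BAA term


# Constructed account export from the claims/eligibility system
SAMPLE_ACCOUNTS = [
    Account("jdoe", "E100", "employee", date(2024, 4, 5), {"claims.read", "eligibility.read"}, True),
    Account("mroe", "E101", "employee", date(2024, 4, 1), {"claims.read"}, True),
    Account("tfox", "E102", "employee", date(2023, 12, 1), {"claims.read"}, False),
    Account("benefits_shared", "", "shared", date(2024, 4, 6), {"claims.read"}, False),
    Account("vend-acme", "V7", "vendor", date(2024, 4, 3), {"eligibility.read"}, True),
]
AS_OF = date(2024, 4, 7)


def review_accounts(accounts, roster, today, dormant_days=90):
    """Return (user_id, finding) pairs; an empty list means the review is clean."""
    findings = []
    for a in accounts:
        if a.kind == "shared":
            findings.append((a.user_id, "shared account: no unique user ID or audit trail"))
        if not a.mfa:
            findings.append((a.user_id, "MFA not enabled"))
        if (today - a.last_login).days > dormant_days:
            findings.append((a.user_id, f"dormant: no login for more than {dormant_days} days"))
        if a.kind == "employee":
            status, role = roster.get(a.owner, ("unknown", None))
            if status != "active":
                findings.append((a.user_id, f"owner {a.owner} is {status} in HR roster: disable"))
            else:
                excess = a.entitlements - ROLE_BASELINE.get(role, set())
                if excess:
                    findings.append((a.user_id, f"beyond {role} baseline: {sorted(excess)}"))
        elif a.kind == "vendor":
            if a.expires is None:
                findings.append((a.user_id, "vendor account has no expiry tied to the BAA term"))
            elif a.expires < today:
                findings.append((a.user_id, f"vendor account expired {a.expires.isoformat()}"))
    return findings


def run_review():
    """Review the constructed export as of the constructed review date."""
    return review_accounts(SAMPLE_ACCOUNTS, ROSTER, AS_OF)


def findings_for(user_id, findings):
    """Reasons recorded against one account."""
    return [reason for user, reason in findings if user == user_id]


if __name__ == "__main__":
    for user, reason in run_review():
        print(f"{user}: {reason}")
```

The output is the evidence an auditor asks for: who reviewed, when, what was found, and (once the findings are closed) what was disabled or reduced. Running it on a schedule, rather than when someone remembers, is what turns "inconsistent onboarding/offboarding" from a red flag into a controlled process.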

Key Takeaways

  • Most violations stem from preventable control gaps and training misses.
  • Strong governance—policies, BAAs, audits, and rapid incident response—reduces risk.
  • Embed privacy by design: minimum necessary access, secure workflows, and disciplined disposal.

FAQs

What are common examples of employer HIPAA violations?

Frequent issues include snooping in plan records, sharing logins, emailing PHI to the wrong recipient, leaving PHI on unencrypted devices, discarding documents without shredding, discussing PHI where others can overhear, and delaying individual access to records. Each can trigger risk assessment and, in some cases, breach notification duties.

How should employers handle lost devices containing PHI?

Act immediately: attempt remote lock/wipe, change credentials, and contain any accounts accessible from the device. Inventory what PHI could be involved, perform a documented risk assessment, and determine if the Breach Notification Rule applies. Strengthen controls afterward—encryption, MDM, minimal local storage, and user training.

When must breach notifications be sent under HIPAA?

After discovering a breach of unsecured PHI, notify affected individuals without unreasonable delay and no later than 60 calendar days. For incidents affecting 500 or more individuals in a state or jurisdiction, notify the media and the federal authority within the same 60-day outer limit; for fewer than 500, submit the federal notice annually within specified timelines. Always document your assessment and decisions.

What training is required to prevent HIPAA violations by employees?

Provide role-based onboarding and periodic refreshers covering permitted uses/disclosures, minimum necessary, secure handling of ePHI, incident reporting, disposal, and right-of-access workflows. Include phishing awareness, secure messaging practices, and scenario-based exercises. Track completion, test comprehension, and enforce sanctions for noncompliance.