Common HIPAA Violations Counselors Should Know About (and How to Avoid Them)
You work at the intersection of trust and confidentiality. This guide highlights the common HIPAA violations counselors encounter and, more importantly, how to avoid them with practical controls, clear procedures, and everyday habits that protect Protected Health Information (PHI).
Unauthorized Access to Patient Records
What it is
Viewing, using, or sharing PHI without a legitimate, job-related need. “Snooping” on a friend’s file, peeking at a high-profile client, or using another person’s login are classic examples.
How it happens
Shared passwords, unattended workstations, curiosity, or unclear Access Control Policies let staff access records beyond the “minimum necessary.”
How to avoid it
- Enforce unique user IDs, strong passwords, and multi-factor authentication.
- Apply role-based access with least-privilege permissions and periodic access reviews.
- Activate audit logs and routinely review access reports; document sanctions for misuse.
- Train all team members on appropriate use of PHI and consequences of violations.
Failure to Perform Risk Analysis
What it is
Skipping or minimizing enterprise-wide Risk Assessments required by the Security Rule. Without them, you can’t prioritize safeguards or justify decisions.
How it happens
Small practices assume they are “too small” to be targeted, or they only scan for malware rather than assessing administrative, physical, and technical risks.
How to avoid it
- Conduct a baseline risk analysis that inventories where PHI lives (EHR, email, mobile, backups, paper).
- Evaluate threats, vulnerabilities, likelihood, and impact; rank risks and set remediation timelines.
- Create a written risk management plan; track progress and residual risk.
- Keep the analysis current: the Security Rule sets no fixed interval, but reassessing at least annually, and whenever technology, vendors, or workflows change, is the accepted practice.
Inadequate Security Measures
What it is
Missing or weak safeguards that leave PHI exposed—unpatched systems, outdated telehealth apps, or no endpoint protection.
How it happens
“Set and forget” IT, consumer-grade tools, and no checklist for updates or incident response.
How to avoid it
- Standardize secure configurations, automatic updates, and anti-malware on all endpoints.
- Use vetted platforms for messaging and telehealth: confirm they encrypt data in transit (TLS) and at rest with current, standards-based mechanisms, and that the vendor will sign a BAA.
- Back up data securely with encryption, test restorations, and maintain a disaster recovery plan.
- Document procedures for patching, incident triage, and escalation.
Improper Disposal of PHI
What it is
Throwing away, recycling, or donating items that still contain PHI. This includes paper files, printed labels, fax cover sheets, USB drives, and old phones or laptops.
How it happens
Lack of PHI Disposal Protocols, reliance on “delete” buttons, or unvetted shredding/e-waste vendors.
How to avoid it
- Paper: cross-cut shred, pulverize, or incinerate; secure bins until destruction.
- Electronic: perform a secure wipe, cryptographic erase, or physical destruction before disposal or reuse, following the purge and destroy methods in NIST SP 800-88 (the media sanitization guideline HHS points to); a cryptographic erase only counts if every copy of the key is destroyed.
- Use reputable destruction vendors with signed documentation; maintain certificates of destruction.
- Train staff on spotting PHI in “hidden” places like calendars, voicemails, and attachments.
Unauthorized Disclosure of PHI
What it is
Releasing PHI without proper authorization or a permitted disclosure basis—for example, emailing progress notes to the wrong recipient or oversharing in a voicemail.
How it happens
Auto-complete mistakes, misdialed numbers, unsecured email, hallway conversations, or group therapy rosters that reveal identities.
How to avoid it
- Verify recipient identity before sharing; use secure portals or encrypted channels.
- Apply the “minimum necessary” standard to all disclosures.
- Obtain written authorization when required and store it with the record.
- Use discreet scheduling and check-in processes to protect client privacy.
Lack of Business Associate Agreements
What it is
Working with vendors who touch PHI without executed Business Associate Agreements (BAAs). Examples include EHRs, billing services, cloud storage, transcription, telehealth, and shredding vendors.
How it happens
Assuming a vendor’s marketing materials equal compliance or forgetting subcontractors who also handle PHI.
How to avoid it
- Identify all business associates and subcontractors with PHI access; execute BAAs before sharing data.
- Ensure BAAs define permitted uses, required safeguards, breach reporting, subcontractor flow-down, and termination/return-or-destruction terms.
- Periodically review vendor practices and document due diligence.
Lost or Stolen Devices
What it is
Phones, tablets, laptops, or portable drives with ePHI that go missing—often from cars, public places, or unlocked offices.
How it happens
Local storage of PHI, disabled screen locks, no remote wipe, or using personal devices without controls.
How to avoid it
- Encrypt devices at rest; enable remote locate and wipe via a mobile device management solution.
- Use strong screen locks and automatic timeouts; avoid storing PHI locally when possible.
- Access PHI through secure, encrypted apps; maintain an asset inventory and check devices in/out.
- Never leave devices unattended in vehicles; secure offices and cabinets.
Insufficient Access Controls
What it is
Weak or missing mechanisms that limit who can view, create, or change PHI—leading to privilege creep and errors.
How it happens
Generic logins, no offboarding process, or “everyone is an admin” shortcuts that bypass Access Control Policies.
How to avoid it
- Implement role-based access control, least privilege, and unique user credentials.
- Require multi-factor authentication and automatic logoff for idle sessions.
- Review and revoke access promptly when roles change or staff depart.
- Monitor audit logs and set alerts for anomalous access patterns.
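The audit-log review in this list and in the Unauthorized Access section above is easier to run than to describe. The following Go program is an added example, not code from the original page or from any EHR vendor: it parses a constructed audit log and applies three review rules a practice might adopt to surface snooping, after-hours access, and bulk record pulls. The log format, the caseload mapping, the 07:00-19:00 window, and the three-record-per-day threshold are assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// AccessEvent is one row of a hypothetical EHR audit log. The field layout is
// an assumption for this example; real systems export their own formats.
type AccessEvent struct {
	When    time.Time
	User    string
	Patient string
	Action  string
}

// Finding is one flagged access that a privacy officer should review.
type Finding struct {
	Rule   string // "off-caseload", "after-hours" or "high-volume"
	User   string
	Detail string
}

// SampleLog is constructed data: RFC 3339 timestamp, user, patient ID, action.
// 2024-03-04 is a Monday; 2024-03-09 is a Saturday.
const SampleLog = `
2024-03-04T09:10:00Z,counselor.ali,P-1001,view
2024-03-04T22:15:00Z,counselor.ali,P-1003,view
2024-03-05T10:06:00Z,billing.kim,P-2005,view
2024-03-05T10:10:00Z,intern.lee,P-3001,view
2024-03-05T10:12:00Z,intern.lee,P-3002,view
2024-03-05T10:15:00Z,intern.lee,P-3003,view
2024-03-05T10:20:00Z,intern.lee,P-3004,view
2024-03-09T11:00:00Z,counselor.ali,P-1002,view
this line is malformed and is skipped by the parser
`

// SampleCaseload maps each user to the clients assigned to them (constructed).
var SampleCaseload = map[string][]string{
	"counselor.ali": {"P-1001", "P-1002", "P-1003"},
	"billing.kim":   {"P-1001", "P-1002", "P-1003"},
	"intern.lee":    {"P-3001", "P-3002", "P-3003", "P-3004"},
}

// ParseAuditLog parses the constructed log format; malformed lines are skipped.
func ParseAuditLog(raw string) []AccessEvent {
	var events []AccessEvent
	for _, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		f := strings.Split(strings.TrimSpace(line), ",")
		if len(f) != 4 {
			continue
		}
		t, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			continue
		}
		events = append(events, AccessEvent{When: t, User: f[1], Patient: f[2], Action: f[3]})
	}
	return events
}

// ReviewAccess applies three review rules and returns every hit:
//   off-caseload: the user opened a record for a client not assigned to them;
//   after-hours:  the access fell outside 07:00-19:00 clinic time or on a weekend;
//   high-volume:  the user opened more than maxPerDay distinct records in one day.
func ReviewAccess(events []AccessEvent, caseload map[string][]string, clinicTZ *time.Location, maxPerDay int) []Finding {
	var findings []Finding
	perDay := map[string]map[string]bool{} // "user|YYYY-MM-DD" -> distinct patients
	for _, e := range events {
		assigned := false
		for _, p := range caseload[e.User] {
			if p == e.Patient {
				assigned = true
				break
			}
		}
		local := e.When.In(clinicTZ)
		stamp := local.Format(time.RFC3339)
		if !assigned {
			findings = append(findings, Finding{"off-caseload", e.User,
				fmt.Sprintf("%s opened %s (not on caseload) at %s", e.User, e.Patient, stamp)})
		}
		wd := local.Weekday()
		if h := local.Hour(); h < 7 || h >= 19 || wd == time.Saturday || wd == time.Sunday {
			findings = append(findings, Finding{"after-hours", e.User,
				fmt.Sprintf("%s opened %s at %s", e.User, e.Patient, stamp)})
		}
		day := e.User + "|" + local.Format("2006-01-02")
		if perDay[day] == nil {
			perDay[day] = map[string]bool{}
		}
		perDay[day][e.Patient] = true
	}
	// Sorted iteration keeps the report deterministic.
	days := make([]string, 0, len(perDay))
	for d := range perDay {
		days = append(days, d)
	}
	sort.Strings(days)
	for _, d := range days {
		if n := len(perDay[d]); n > maxPerDay {
			parts := strings.SplitN(d, "|", 2)
			findings = append(findings, Finding{"high-volume", parts[0],
				fmt.Sprintf("%s opened %d distinct records on %s", parts[0], n, parts[1])})
		}
	}
	return findings
}

// ReviewSample runs the rules over the constructed log. Clinic time is taken
// as UTC so the example needs no time-zone database.
func ReviewSample() []Finding {
	return ReviewAccess(ParseAuditLog(SampleLog), SampleCaseload, time.UTC, 3)
}

func main() {
	for _, f := range ReviewSample() {
		fmt.Printf("%-13s %s\n", f.Rule, f.Detail)
	}
}
```

On the constructed log the review produces four findings: two after-hours accesses, one off-caseload access by a billing user, and one high-volume day for the intern. The point is the shape of the review, not the thresholds: a practice should tune the hours, the per-day limit, and the caseload source to its own workflow, and treat each finding as a prompt for a documented follow-up rather than a verdict.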
Failure to Use Encryption
What it is
Transmitting or storing PHI without encryption, leaving ePHI exposed if intercepted or devices are lost.
How it happens
Unencrypted email or texting, file shares without encryption, or backups stored in plain text.
How to avoid it
- Encrypt in transit (TLS) and at rest (full-disk or database encryption) following the HHS guidance on rendering PHI unusable, unreadable, or indecipherable, which points to NIST publications such as SP 800-111 for storage and SP 800-52 for TLS; PHI encrypted that way is exempt from breach notification as long as the key was not also compromised.
- Protect keys with strong controls and keep them on a separate system from the encrypted data; a lost laptop whose key sits beside the ciphertext does not qualify for that exemption.
- Adopt secure messaging portals instead of standard email/SMS for PHI.
- Confirm vendors and backups are encrypted and covered by BAAs.
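The two points above, keeping keys apart from ciphertext and the cryptographic erase mentioned under Improper Disposal of PHI, fit together: if each record is sealed under its own key held in a separate key store, destroying that key renders every copy of the ciphertext (including backups) unreadable. The Go program below is an added example, not code from the original page or from any vendor; the in-memory KeyStore stands in for a real key manager, and the record IDs and note text are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// KeyStore stands in for a key manager kept apart from the record database.
// It is a hypothetical in-memory store for this example.
type KeyStore struct {
	keys map[string][]byte
}

func NewKeyStore() *KeyStore { return &KeyStore{keys: map[string][]byte{}} }

// Issue generates a fresh 256-bit AES key for one record and retains it.
func (ks *KeyStore) Issue(recordID string) ([]byte, error) {
	k := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		return nil, err
	}
	ks.keys[recordID] = k
	return k, nil
}

// Lookup returns the key for a record, if it still exists.
func (ks *KeyStore) Lookup(recordID string) ([]byte, bool) {
	k, ok := ks.keys[recordID]
	return k, ok
}

// Destroy overwrites the key bytes and drops the entry. This is the
// cryptographic-erase step: the ciphertext may remain on disk or in backups,
// but without the key it is unreadable. It only works if no other copy of the
// key survives (key-store backups, memory dumps, exported copies).
func (ks *KeyStore) Destroy(recordID string) {
	if k, ok := ks.keys[recordID]; ok {
		for i := range k {
			k[i] = 0
		}
		delete(ks.keys, recordID)
	}
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a record with AES-256-GCM. The record ID is passed as
// additional authenticated data so a ciphertext cannot be moved onto another
// record undetected. Output layout is nonce || ciphertext || tag.
func Seal(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// Open reverses Seal and fails on a wrong key, a wrong record ID, or tampering.
func Open(key []byte, recordID string, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("sealed record too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], []byte(recordID))
}

func main() {
	ks := NewKeyStore()
	key, _ := ks.Issue("rec-42")
	sealed, _ := Seal(key, "rec-42", []byte("session note (constructed sample)"))
	pt, err := Open(key, "rec-42", sealed)
	fmt.Printf("before erase: %q err=%v\n", pt, err)
	ks.Destroy("rec-42") // zeroes the key bytes in place, so this caller's copy is gone too
	_, err = Open(key, "rec-42", sealed)
	fmt.Printf("after erase: err=%v\n", err)
}
```

Two design notes. Random 96-bit GCM nonces are safe here because each key protects a small number of messages; a key reused across millions of records would need a counter-based nonce scheme instead. And Destroy zeroes the slice in place, which is why the caller in main loses access as well; any copy of the key that was serialised elsewhere would not be affected, which is exactly why a cryptographic erase must be backed by an inventory of where keys live.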
Exceeding Breach Notification Deadlines
What it is
Missing timeframes for notifying affected individuals, regulators, and—when applicable—the media after a reportable breach.
How it happens
Unclear incident response roles, delayed investigation, or poor documentation of Breach Notification Requirements.
How to avoid it
- Maintain a written incident response plan with decision trees, owners, and timelines.
- Begin the four-factor risk assessment immediately upon discovery (the nature and extent of the PHI involved, who received or accessed it, whether it was actually acquired or viewed, and how far the risk has been mitigated) and document the findings: an impermissible use or disclosure is presumed to be a breach unless that assessment shows a low probability of compromise.
- Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery; report breaches affecting 500 or more individuals to HHS within the same 60 days and to prominent media serving the affected state or jurisdiction, and log smaller breaches for the annual report to HHS, due within 60 days after the end of the calendar year in which they were discovered.
- Keep a breach log, rehearse tabletop exercises, and pre-draft notification templates.
Consistent training, disciplined documentation, and practical safeguards turn these common HIPAA violations counselors face into avoidable non-events. Start with a fresh risk analysis, tighten Access Control Policies, verify Business Associate Agreements, and embed encryption and PHI Disposal Protocols into daily practice.
FAQs
What constitutes unauthorized access under HIPAA?
Any viewing, use, or disclosure of PHI without a legitimate job-based need, proper authorization, or another permitted purpose. Examples include snooping on acquaintances, using someone else’s credentials, or accessing records “just in case” without a treatment, payment, or operations reason.
How often should risk analysis be conducted?
The Security Rule requires the risk analysis to be kept current rather than naming an interval; performing a comprehensive analysis at least annually, and whenever you introduce new systems, vendors, or workflows, is the accepted practice. Treat it as an ongoing process: update your risk register, track remediation, and reassess after significant changes or incidents.
What are the requirements for disposing of PHI?
PHI must be rendered unreadable and indecipherable. That means cross-cut shredding or pulverizing paper, and securely wiping, cryptographically erasing, or physically destroying electronic media. Use documented PHI Disposal Protocols and obtain certificates of destruction from vendors.
When must breach notifications be issued?
Issue notifications without unreasonable delay and no later than 60 calendar days after discovering a reportable breach. Notify affected individuals in every case; for breaches affecting 500 or more individuals, report to HHS within the same 60 days and, if 500 or more residents of a state or jurisdiction are affected, provide media notice as well. Breaches affecting fewer than 500 individuals go in an annual report to HHS due within 60 days after the end of the calendar year in which they were discovered.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.