Employer HIPAA Compliance Guide: Examples of Violations and Required Remediation
Your organization’s group health plan—and any vendors that support it—handle Protected Health Information (PHI). When you access, use, or disclose PHI on behalf of the plan, you must maintain HIPAA Security Rule Compliance and follow the Privacy and Breach Notification Rule. The guidance below focuses on common employer pitfalls and the required remediation steps.
Unauthorized Access to PHI
What it looks like
- Employees “snoop” in medical claims of coworkers or family without a job-related need.
- Shared logins or weak passwords let users view plan data beyond their role.
- Improper offboarding leaves former staff with lingering access to PHI systems.
Required remediation
- Enforce Access Control Measures: unique user IDs, role-based access, least-privilege, and multi-factor authentication.
- Enable robust audit logs and conduct periodic access reviews; document findings and corrective actions.
- Tighten offboarding: same-day account deprovisioning, badge/asset recovery, and removal from distribution lists.
- Retrain staff on permitted uses/disclosures and sanctions for violations.
Proof and prevention
- Maintain an access roster, privilege change records, and quarterly attestations by managers.
- Integrate unauthorized-access scenarios into Incident Response Procedures and run drill tests.
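The periodic access review described above, as an added example that is not part of the original guide: a Python script that reads plan-administration audit-log lines and an HR roster (both constructed inline) and flags the three patterns listed under "What it looks like": an offboarded account still producing PHI access events, record lookups by someone with no case assignment (possible snooping), and one account used from several network locations (a shared-login indicator). The log layout, role names, case-assignment source and the three-address threshold are assumptions, not a real system's schema.

```python
"""Access-review script for plan-administration audit logs (added example).

Reads constructed audit-log lines plus a constructed HR roster and returns
findings a reviewer would carry into the quarterly manager attestation.
Field layout, roles and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import date

# Constructed HR roster: user -> role, status, termination date (None if active).
ROSTER = {
    "asmith": {"role": "benefits_analyst", "status": "active", "term": None},
    "bjones": {"role": "hr_generalist", "status": "active", "term": None},
    "cwu": {"role": "benefits_analyst", "status": "terminated", "term": date(2024, 3, 1)},
    "dlee": {"role": "plan_auditor", "status": "active", "term": None},
}
# Roles assumed to have a job-related need to open any member record.
BROAD_ROLES = {"plan_auditor"}

# Constructed case assignments: member IDs each user is currently working.
CASES = {"asmith": {"M1001", "M1002"}, "bjones": set(), "dlee": set()}

# Constructed audit-log lines: date,user,action,member_id,src_ip
AUDIT_LOG = """\
2024-03-04,asmith,VIEW_CLAIM,M1001,10.0.1.15
2024-03-04,asmith,VIEW_CLAIM,M1002,10.0.1.15
2024-03-04,asmith,VIEW_CLAIM,M2099,10.0.1.15
2024-03-05,cwu,VIEW_CLAIM,M1003,10.0.2.40
2024-03-05,bjones,VIEW_CLAIM,M1001,10.0.1.20
2024-03-05,bjones,VIEW_CLAIM,M1001,198.51.100.7
2024-03-05,bjones,VIEW_CLAIM,M1004,203.0.113.9
2024-03-06,dlee,VIEW_CLAIM,M1004,10.0.3.5
"""

SHARED_LOGIN_IP_THRESHOLD = 3  # assumed: 3+ distinct source IPs in one window


def parse_log(text):
    """Parse CSV audit lines into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        d, user, action, member, ip = line.split(",")
        events.append({"date": date.fromisoformat(d), "user": user,
                       "action": action, "member": member, "ip": ip})
    return events


def review_access(events, roster, cases, ip_threshold=SHARED_LOGIN_IP_THRESHOLD):
    """Return a list of findings; each carries 'kind', 'user' and supporting detail."""
    findings = []
    ips_by_user = defaultdict(set)
    for ev in events:
        user = ev["user"]
        ips_by_user[user].add(ev["ip"])
        person = roster.get(user)
        # 1. Unknown or offboarded account still generating PHI access events.
        if person is None or (person["term"] and ev["date"] >= person["term"]):
            findings.append({"kind": "lingering_access", "user": user,
                             "member": ev["member"], "date": ev["date"].isoformat()})
            continue
        # 2. Record opened with no case assignment by a role that is not broad:
        #    possible snooping; the reviewer confirms need-to-know with the manager.
        if person["role"] not in BROAD_ROLES and ev["member"] not in cases.get(user, set()):
            findings.append({"kind": "no_job_need", "user": user,
                             "member": ev["member"], "date": ev["date"].isoformat()})
    # 3. One account seen from many source addresses: a shared-login indicator.
    for user, ips in ips_by_user.items():
        if len(ips) >= ip_threshold:
            findings.append({"kind": "possible_shared_login", "user": user,
                             "ip_count": len(ips)})
    return findings


def summarize(findings):
    """Count findings per kind, the figure a quarterly attestation would record."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["kind"]] += 1
    return dict(counts)


if __name__ == "__main__":
    results = review_access(parse_log(AUDIT_LOG), ROSTER, CASES)
    for finding in results:
        print(finding)
    print(summarize(results))
```

Each finding is a lead for a human reviewer, not a conclusion: a "no_job_need" hit is cleared by the manager confirming a legitimate task, and a "lingering_access" hit should trigger same-day deprovisioning and a check of the offboarding workflow that missed it.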
Improper Disposal of PHI
What it looks like
- Discarding benefits rosters, EOBs, or appeals letters in regular trash or recycling.
- Reselling, returning, or donating drives and copiers without secure data wiping.
- Using e-waste vendors that cannot certify compliant destruction.
Required remediation
- Adopt a media and document disposition policy with chain-of-custody controls.
- Shred paper onsite or use locked bins with bonded vendors; obtain certificates of destruction.
- Sanitize media using approved Data Encryption Standards and NIST-aligned wiping or physical destruction.
- Inventory PHI repositories to ensure nothing is overlooked during purges or office moves.
Proof and prevention
- Keep vendor contracts, service logs, and destruction certificates for retention periods.
- Spot-audit disposal containers and conduct surprise walk-throughs.
Failure to Perform Risk Analysis
What it looks like
- No documented enterprise-wide assessment of threats to ePHI across systems, people, and processes.
- One-time analysis that never updates as technology, vendors, or workflows change.
- Controls selected without mapping to identified risks or residual risk acceptance.
Required remediation
- Establish Risk Assessment Protocols: define scope, inventory systems and data flows, evaluate threats and vulnerabilities, rate likelihood/impact, and document residual risk.
- Create a risk register with owners, mitigation plans, timelines, and acceptance criteria.
- Review and refresh at least annually and upon major changes (new vendors, platforms, or integrations).
Proof and prevention
- Maintain the signed risk analysis, risk register, meeting notes, and evidence of completed mitigations.
- Align selected safeguards to HIPAA Security Rule Compliance requirements and your control framework.
Unsecured Communication Channels
What it looks like
- Sending PHI via standard email or consumer texting apps without encryption.
- Discussing PHI over voicemail or chat tools that lack retention and audit capabilities.
- Using personal email accounts or cloud storage for plan documents.
Required remediation
- Move PHI exchanges to secure portals or messaging that enforce Data Encryption Standards in transit and at rest.
- Configure email DLP rules, TLS enforcement, message recall/expiration, and disclaimers.
- Restrict forwarding, printing, and downloading of PHI; enable audit trails and retention policies.
- Provide members with secure alternatives for submitting forms or claims.
Proof and prevention
- Document technical configurations, DLP rule sets, encryption settings, and test results.
- List approved channels and ban unapproved apps in a written communications policy.
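An outbound-mail DLP rule of the kind listed under "Required remediation", as an added example that is not from the original guide or any vendor's DLP product: it scans a constructed outbound message for PHI identifiers and applies a simple channel policy (PHI may stay inside the plan's own domain with an audit entry, but is blocked when addressed to an outside domain over ordinary email, with a pointer to the secure portal). The identifier patterns, the member-ID format, the domain names and the action names are assumptions.

```python
"""Outbound-mail DLP rule for plan-administration mailboxes (added example).

Classifies constructed messages by the PHI indicators they contain and the
domains they are addressed to. Patterns, domains and actions are assumptions.
"""
import re

INTERNAL_DOMAINS = {"example-plan.invalid"}  # assumed plan domain

# Assumed PHI indicators. Member IDs use an invented "M" + digits format;
# the diagnosis pattern matches the general shape of ICD-10-style codes.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "member_id": re.compile(r"\bM\d{4,}\b"),
    "diagnosis_code": re.compile(r"\b[A-TV-Z]\d{2}(?:\.\d{1,4})?\b"),
}
KEYWORDS = ("diagnosis", "claim", "explanation of benefits", "eob", "appeal")

# Constructed sample messages.
SAMPLE_MESSAGES = [
    {"to": ["benefits@example-plan.invalid"], "subject": "Appeal M10042",
     "body": "Member M10042 appeal for claim, diagnosis E11.9 attached."},
    {"to": ["broker@partner-example.invalid"], "subject": "Re: claim question",
     "body": "Forwarding EOB for M10042, SSN 123-45-6789, diagnosis E11.9."},
    {"to": ["it-help@example-plan.invalid", "vendor@partner-example.invalid"],
     "subject": "Lunch", "body": "Team lunch Friday at noon?"},
]


def find_phi_indicators(text):
    """Return {indicator_name: count} for every pattern or keyword that matches."""
    hits = {}
    for name, pat in PATTERNS.items():
        n = len(pat.findall(text))
        if n:
            hits[name] = n
    lowered = text.lower()
    kw = sum(lowered.count(k) for k in KEYWORDS)
    if kw:
        hits["keyword"] = kw
    return hits


def recipient_domains(recipients):
    """Lower-cased domain part of each recipient address."""
    return {addr.rsplit("@", 1)[-1].lower() for addr in recipients}


def evaluate(message):
    """Apply the channel policy; returns (action, reason, indicators)."""
    text = message["subject"] + "\n" + message["body"]
    indicators = find_phi_indicators(text)
    # Keywords alone are a weak signal: log them, but only identifiers block.
    strong = {k: v for k, v in indicators.items() if k != "keyword"}
    external = recipient_domains(message["to"]) - INTERNAL_DOMAINS
    if not strong:
        action = "allow_and_log" if indicators else "allow"
        return action, "no PHI identifiers found", indicators
    if not external:
        return "allow_and_log", "PHI identifiers to internal recipients only", indicators
    return ("block",
            "PHI identifiers addressed to external domain(s): "
            + ", ".join(sorted(external)) + "; use the secure portal instead",
            indicators)


def classify_all(messages):
    """Action for each message, in order."""
    return [evaluate(m)[0] for m in messages]


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        action, reason, found = evaluate(msg)
        print(f"{action:14} {reason} {found}")
```

The rule is deliberately conservative in one direction only: a missing identifier pattern is a false negative, so the pattern set should be reviewed against the plan's own record formats, and the "allow_and_log" entries are what the audit trail under "Proof and prevention" is built from.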
Failure to Implement Adequate Security Measures
What it looks like
- Missing administrative, physical, or technical safeguards around PHI systems and files.
- No patching cadence, endpoint protection, or vendor due diligence.
- Unsegmented networks where PHI systems share space with general IT assets.
Required remediation
- Map safeguards to the Security Rule’s categories and your risk register: policies, workforce management, facility controls, and technical protections.
- Implement endpoint hardening, patch management, EDR, secure configurations, and network segmentation.
- Adopt Access Control Measures, strong authentication, session timeouts, and automatic logoff.
- Encrypt databases, backups, and removable media using approved Data Encryption Standards.
Proof and prevention
- Maintain configuration baselines, change records, vulnerability scans, and penetration test reports.
- Conduct vendor security reviews and keep BAAs and assessment artifacts on file.
Failure to Report a Data Breach
What it looks like
- Delaying notification to affected individuals after confirmed unauthorized acquisition of PHI.
- Not documenting a breach risk assessment or skipping required notifications to regulators.
- Underestimating incidents involving lost devices, misaddressed mailings, or vendor errors.
Required remediation
- Activate Incident Response Procedures immediately: contain, eradicate, recover, and preserve evidence.
- Conduct a documented four-factor risk assessment and determine if the event is a breach.
- Notify individuals—and, when applicable, regulators and the media—without unreasonable delay per the Breach Notification Rule.
- Record decisions, timelines, and communications; implement corrective actions to prevent recurrence.
Proof and prevention
- Maintain an incident log, investigation paperwork, notification templates, and post-incident reviews.
- Run tabletop exercises that include legal, HR, IT, and vendor coordination.
Lack of Employee Training
What it looks like
- Staff cannot identify PHI or permitted uses, creating over-sharing or improper denials.
- No role-based training for HR, benefits, IT, or customer support teams that handle PHI.
- Training occurs only at hire, with no refreshers or evaluations.
Required remediation
- Develop role-specific curricula covering Privacy, Security, and Breach Notification Rule basics.
- Teach secure handling, Data Encryption Standards, incident spotting, and reporting channels.
- Use short, recurring modules with attestations, quizzes, and targeted follow-ups after incidents.
Proof and prevention
- Track completion dates, scores, and acknowledgments; link training to disciplinary policies.
- Include HIPAA scenarios in onboarding and annual refreshers; update content after audits or rule changes.
In practice, employer HIPAA compliance hinges on a living risk analysis, fit-for-purpose controls, disciplined access governance, secure communications, and rehearsed response. Document what you do, test it regularly, and improve after every audit or incident to keep PHI protected and your program resilient.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
FAQs
What are common examples of employer HIPAA violations?
Frequent issues include snooping in PHI without a need to know, emailing PHI through unsecured channels, improper disposal of records, missing or outdated risk analyses, weak Access Control Measures, unencrypted devices, delayed breach reporting, and inadequate workforce training. Each stems from gaps in policy, technology, or oversight that you can fix with targeted controls and documentation.
How should employers respond to a HIPAA breach?
Activate Incident Response Procedures immediately: contain the issue, preserve logs and evidence, and perform a documented risk assessment to determine if a breach occurred. Notify affected individuals—and when required, regulators—without unreasonable delay under the Breach Notification Rule. Close with corrective actions, leadership review, and updates to policies, training, and technical safeguards.
What training is required for employees under HIPAA?
Provide role-based training that explains what PHI is, permitted uses/disclosures, secure handling, Data Encryption Standards, Access Control Measures, and how to report incidents. Train at hire and on a recurring cadence, measure understanding with quizzes or attestations, and refresh content after technology changes, audits, or security events to ensure HIPAA Security Rule Compliance in daily work.