HIPAA Privacy Rule Compliance: The 5 Violations We See Most
Across compliance assessments, the same pitfalls derail HIPAA Privacy Rule compliance. Knowing why these issues occur—and how to prevent them—helps you safeguard Protected Health Information (PHI) and avoid costly investigations.
This guide breaks down the five violations we encounter most and the controls that stop them before they escalate into Data Breach Notification obligations or corrective action plans.
Unauthorized Access to PHI
Unauthorized access occurs when PHI is viewed, used, or disclosed beyond the minimum necessary. It commonly stems from insider snooping, overly broad permissions, shared accounts, or compromised credentials.
Common causes
- Shared or generic logins and stale accounts left active after role changes or departures.
- Over-permissive EHR roles that exceed the minimum necessary for job duties.
- Weak authentication, no MFA, or insecure remote access to systems holding PHI.
- Lack of monitoring for VIP/patient-of-interest snooping and unusual query patterns.
- Unattended workstations, auto-forwarded emails, and misdirected messages.
Prevention and proof
- Implement role-based access control, unique user IDs, and multifactor authentication.
- Provision and deprovision promptly; run quarterly access reviews with manager attestation.
- Enable comprehensive audit logging; alert on high-risk behaviors and VIP lookups.
- Train staff on the minimum necessary standard and enforce a sanctions policy.
- Encrypt endpoints and email; apply DLP to block unauthorized export of PHI.
If it happens
When impermissible access occurs, complete a documented risk assessment and follow Breach Notification procedures as required, including notifying affected individuals and HHS when necessary.
Failure to Perform Risk Analysis
Organizations often skip or narrow the scope of the HIPAA Risk Analysis Requirement. A proper assessment is enterprise-wide and covers confidentiality, integrity, and availability risks to ePHI across people, processes, and technology.
What good looks like
- Define scope to include all systems and workflows that create, receive, maintain, or transmit ePHI; maintain a current data and asset inventory.
- Identify threats and vulnerabilities, evaluate likelihood and impact, and calculate residual risk after existing controls.
- Document results in a risk register with owners, timelines, and budgeted remediation.
- Update at least annually and whenever you adopt new systems, vendors, or workflows.
- Review with leadership and tie remediation to capital and operating plans.
Common pitfalls
- Treating risk analysis as an IT-only task and missing operational and vendor risks.
- Producing a static report with no risk treatment plan, metrics, or follow-through.
- Excluding paper workflows, mobile devices, shadow IT, or imaging/copier systems.
Improper Disposal of PHI
Throwing PHI into regular trash, recycling, or reselling devices without sanitization leads to exposure. Both paper and electronic media require controlled destruction from start to finish.
Risk scenarios
- Labels, schedules, or intake forms discarded in open bins.
- Unshredded documents awaiting pickup without supervision or chain of custody.
- Copier/printer hard drives, laptops, or phones returned or sold without sanitization.
- USB drives and external disks disposed of without wiping or destruction.
- Personal devices with cached ePHI not wiped during offboarding.
Controls that work
- Adopt approved methods (cross-cut shredding, pulping, pulverizing) and locked shred consoles.
- Use witnessed, scheduled pickups with documented chain of custody and destruction certificates.
- Sanitize or destroy electronic media following industry-standard guidance (e.g., NIST 800-88).
- Keep a device inventory; record serial numbers and destruction dates for auditability.
- Embed disposal requirements in contracts and BAAs with destruction vendors; train staff and conduct spot checks.
Denying Patient Access to Records
The Privacy Rule protects Patient Rights to Access their health information. Delays, unreasonable identity checks, or excessive fees are frequent violations that draw complaints and enforcement.
Where organizations go wrong
- Missing the 30-day fulfillment window or failing to issue a timely extension notice.
- Requiring notarization, in-person pickup, or proprietary portal use when not necessary.
- Declining to provide electronic copies in the requested format when readily producible.
- Charging fees that exceed reasonable, cost-based limits, especially for ePHI.
How to comply
- Offer simple request methods (portal, mail, email) and clear instructions.
- Verify identity reasonably without creating barriers to access.
- Track requests and deadlines; fulfill within 30 days or provide a documented 30-day extension.
- Provide records in the requested electronic format when feasible; otherwise agree on an alternative.
- Apply reasonable, cost-based fees and communicate estimates upfront; avoid per-page fees for electronic copies.
Lack of Business Associate Agreements
Any vendor that creates, receives, maintains, or transmits PHI for you is a business associate. You must execute a Business Associate Agreement (BAA) before sharing PHI.
Common gaps
- Using cloud tools, billing services, or call centers without a signed BAA.
- Overlooking contractors, consultants, or temporary staff who handle PHI.
- Failing to flow down obligations to subcontractors engaged by the vendor.
- BAAs that omit security, breach reporting, or termination assistance obligations.
A reliable BAA process
- Maintain a vendor inventory with PHI data flows and risk tiering.
- Standardize BAA terms: permitted uses, safeguards, subcontractor flow-down, reporting timelines, Data Breach Notification responsibilities, and return/destruction of PHI.
- Embed BAA checkpoints in procurement, onboarding, and offboarding; block PHI sharing until execution.
- Review BAAs when services change; monitor vendor performance and obtain ongoing assurances.
Focus on tightening access controls, executing the Risk Analysis Requirement, securing disposal, honoring timely access requests, and enforcing BAAs. These practices materially improve HIPAA Privacy Rule compliance and reduce breach risk.
FAQs
What are the most common HIPAA Privacy Rule violations?
The violations we see most are unauthorized access to PHI, failure to perform an enterprise-wide risk analysis, improper disposal of PHI, denying or delaying patient access to records, and lacking required BAAs with vendors that handle PHI.
How is unauthorized access to PHI detected?
Detection relies on robust audit logs across EHRs and supporting systems, near-real-time alerts for high-risk events (e.g., VIP lookups, bulk exports), user-behavior analytics, and periodic access reviews. Patient reports and hotline tips also surface snooping that automated tools miss.
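The detection approach described here, and in the "Prevention and proof" controls under Unauthorized Access to PHI (alert on high-risk behaviors, VIP lookups, and stale accounts), can be made concrete with a small rule engine run over EHR audit log lines. The following Python is an added example and not code from the original article or from Accountable; the log line format, the watch lists, the sample users and patient IDs, and the thresholds are all constructed assumptions for illustration. It flags three conditions: any access to a patient on a patient-of-interest watch list, any activity by an account that should have been deprovisioned, and cumulative exports by one user that exceed a threshold inside a sliding time window.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Constructed sample audit lines (not real data). The format is an assumption
# modelled on a generic EHR access log: timestamp, user, action, patient id,
# number of records touched. "patient=-" marks actions not tied to one patient.
SAMPLE_LOG = """\
2024-05-01T09:12:03Z user=jdoe action=VIEW patient=P1001 records=1
2024-05-01T09:14:10Z user=jdoe action=VIEW patient=P2077 records=1
2024-05-01T10:02:44Z user=rlee action=EXPORT patient=- records=40
2024-05-01T10:05:19Z user=rlee action=EXPORT patient=- records=35
2024-05-01T10:25:00Z user=rlee action=EXPORT patient=- records=50
2024-05-01T11:30:12Z user=tgone action=VIEW patient=P1003 records=1
2024-05-01T12:00:00Z user=msmith action=VIEW patient=P1004 records=1
"""

VIP_PATIENTS = {"P2077"}      # patient-of-interest watch list (constructed)
DISABLED_USERS = {"tgone"}    # accounts that should no longer be active (constructed)
BULK_THRESHOLD = 100          # records exported per user within the window
BULK_WINDOW = timedelta(minutes=30)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"patient=(?P<patient>\S+) records=(?P<records>\d+)$"
)


@dataclass
class Event:
    ts: datetime
    user: str
    action: str
    patient: str
    records: int


def parse_line(line):
    """Parse one audit line; return None for malformed input instead of crashing."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Event(
        ts=datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        user=m["user"],
        action=m["action"],
        patient=m["patient"],
        records=int(m["records"]),
    )


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def detect(events, vip=VIP_PATIENTS, disabled=DISABLED_USERS,
           threshold=BULK_THRESHOLD, window=BULK_WINDOW):
    """Return a list of alert dicts for VIP lookups, disabled-account use,
    and bulk exports over the sliding window."""
    alerts = []
    exports = defaultdict(list)   # user -> [(ts, records)] of recent EXPORT events
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.patient in vip:
            alerts.append({"rule": "vip_lookup", "user": e.user,
                           "patient": e.patient, "ts": e.ts})
        if e.user in disabled:
            alerts.append({"rule": "disabled_account_activity",
                           "user": e.user, "ts": e.ts})
        if e.action == "EXPORT":
            exports[e.user].append((e.ts, e.records))
            # Drop exports that have aged out of the window, then total the rest.
            exports[e.user] = [(t, n) for t, n in exports[e.user]
                               if e.ts - t <= window]
            total = sum(n for _, n in exports[e.user])
            if total > threshold:
                alerts.append({"rule": "bulk_export", "user": e.user,
                               "records": total, "ts": e.ts})
    return alerts


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for a in run_sample():
        print(a)
```

The sliding window matters for the bulk-export rule: three exports of 40, 35, and 50 records spread over 23 minutes trip the 100-record threshold, while the same volume spread across a full day would not. Thresholds and the watch lists belong in configuration reviewed with compliance, and every alert should land in a ticket queue so the review and sanctions steps are themselves auditable.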
What are the consequences of failing to perform a risk analysis?
Expect heightened breach risk and potential OCR enforcement, including corrective action plans, civil monetary penalties, mandated training, and multi-year oversight. Operationally, gaps persist because risks are unidentified, leading to repeated incidents and higher remediation costs.
How can organizations ensure compliance with HIPAA regarding business associate agreements?
Inventory vendors, classify PHI flows, and require a signed BAA before any PHI exchange. Use a standard BAA that defines permitted uses, safeguards, subcontractor flow-down, and breach reporting timelines. Train procurement, gate PHI access on BAA execution, and re-evaluate BAAs when services or risks change.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.