HIPAA Violation Examples and Red Flags: Compliance Checklist for Organizations
Staying compliant with HIPAA means protecting Protected Health Information (PHI) in every workflow, system, and relationship. This guide highlights common HIPAA violation examples, the red flags that precede them, and a practical compliance checklist you can apply day to day.
Use these sections to tighten Access Control Policies, strengthen Data Encryption Standards, confirm each Business Associate Agreement, and prepare for your next HIPAA Compliance Audit with confidence.
Unauthorized Disclosure of PHI
Unauthorized disclosure occurs when PHI is shared without a valid authorization or permissible purpose. Typical examples include discussing a patient in public areas, sending records to the wrong recipient, snooping in charts out of curiosity, or sharing PHI with a vendor before a Business Associate Agreement is executed.
These incidents often stem from informal communication habits, lack of verification steps, and weak monitoring. They erode trust and can escalate into reportable breaches under the Breach Notification Rule.
Common red flags
- Misdirected emails, faxes, or portal messages containing PHI.
- Workforce members accessing records of friends, celebrities, or co-workers.
- Unsecured conversations about patients in elevators, lobbies, or hallways.
- Use of personal email, texting, or file-sharing apps for PHI.
- Vendors receiving PHI without a signed Business Associate Agreement.
Compliance checklist
- Reinforce minimum necessary standards in your Access Control Policies and training.
- Require recipient verification for PHI disclosures (e.g., call-backs, secure portals).
- Use secure messaging and approved channels only; disable auto-forwarding to personal email.
- Enable access monitoring and alerts for unusual chart access; document sanctions.
- Confirm a Business Associate Agreement is fully executed before sharing PHI with vendors.
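The access-monitoring item above is the one most organizations find hardest to make concrete. The following script is an added illustration, not code from the original article or from Accountable: it runs the three red flags named in this section (co-worker record access, access with no documented relationship, bulk chart access) over a constructed EHR audit export. The pipe-delimited log format, the AUTHORIZED relationship table, the WORKFORCE_PATIENTS mapping and the thresholds are all assumptions chosen for the example; a real deployment would derive them from the EHR's encounter and HR tables.

```python
"""Added example: review EHR chart-access logs for the red flags in the
'Unauthorized Disclosure of PHI' section. All data below is constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit export (assumed format):
#   timestamp|user_id|user_role|patient_id|action
ACCESS_LOG = """\
2024-03-04T09:01:10|u100|nurse|p5001|view
2024-03-04T09:05:42|u100|nurse|p5002|view
2024-03-04T09:40:00|u100|nurse|p7777|view
2024-03-04T10:02:00|u217|billing|p5001|view
2024-03-04T10:05:00|u217|billing|p9001|view
2024-03-04T13:00:00|u305|clerk|p6001|view
2024-03-04T13:01:00|u305|clerk|p6002|view
2024-03-04T13:02:00|u305|clerk|p6003|view
2024-03-04T13:03:00|u305|clerk|p6004|view
2024-03-04T13:04:00|u305|clerk|p6005|view
"""

# Constructed: users with a documented treatment or payment relationship
# to each patient (in practice built from encounter and claim tables).
AUTHORIZED = {
    "p5001": {"u100", "u217"},
    "p5002": {"u100"},
    "p6001": {"u305"}, "p6002": {"u305"}, "p6003": {"u305"},
    "p6004": {"u305"}, "p6005": {"u305"},
}
# Constructed: patient ids that belong to workforce members (co-worker charts).
WORKFORCE_PATIENTS = {"p7777"}

# Assumed tuning: five or more distinct charts in ten minutes is "bulk" access.
BULK_THRESHOLD = 5
BULK_WINDOW = timedelta(minutes=10)


def parse_line(line):
    """Split one audit line into a dict with a parsed timestamp."""
    ts, user, role, patient, action = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "role": role, "patient": patient, "action": action}


def review_access(log_text):
    """Return (timestamp, user, detail, reason) tuples for accesses to review."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    findings = []
    recent = defaultdict(deque)  # user -> (ts, patient) pairs inside the window
    for e in events:
        # Red flag 1 and 2: no documented relationship, worse if it is a co-worker.
        if e["user"] not in AUTHORIZED.get(e["patient"], set()):
            reason = ("coworker_record" if e["patient"] in WORKFORCE_PATIENTS
                      else "no_documented_relationship")
            findings.append((e["ts"].isoformat(), e["user"], e["patient"], reason))
        # Red flag 3: many distinct charts in a short window (sliding window).
        q = recent[e["user"]]
        q.append((e["ts"], e["patient"]))
        while q and e["ts"] - q[0][0] > BULK_WINDOW:
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= BULK_THRESHOLD:
            detail = f"{len(distinct)} charts in {BULK_WINDOW.seconds // 60} min"
            findings.append((e["ts"].isoformat(), e["user"], detail, "bulk_access"))
            q.clear()  # report each burst once
    return findings


if __name__ == "__main__":
    for f in review_access(ACCESS_LOG):
        print(*f, sep="\t")
```

Every finding is a review item, not a verdict: the "document sanctions" step in the checklist only follows once a privacy officer confirms there was no job-related need, which is why the script returns tuples for a case queue rather than taking action itself.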
Improper Disposal of PHI
Improper disposal exposes PHI when paper or electronic media are discarded without destruction. Examples include intact records in ordinary trash, un-sanitized hard drives, copier drives, or backup media resold or returned to lessors with data intact.
Because disposal often involves third parties, weak chain-of-custody controls and unclear retention schedules create avoidable risk.
Common red flags
- Open recycling bins or unlocked consoles filled with PHI.
- Device returns (laptops, copiers, scanners) without media sanitization.
- Shredding vendors operating without documented procedures or proof of destruction.
Compliance checklist
- Adopt a records retention schedule and destroy upon expiration.
- Provide locked shred consoles; require cross-cut shredding or pulverizing.
- Sanitize or destroy electronic media before transfer, repair, or disposal.
- Obtain certificates of destruction and maintain chain-of-custody logs.
- Execute a Business Associate Agreement with destruction vendors handling PHI.
Insufficient Access Controls
Insufficient access controls allow inappropriate PHI access or use. Weaknesses include shared logins, over-privileged accounts, no multi-factor authentication, and inactive accounts that remain enabled.
Well-defined Access Control Policies should establish unique IDs, role-based permissions, automatic logoff, and regular entitlement reviews—core elements your HIPAA Compliance Audit will expect to see.
Common red flags
- Generic or shared accounts used in clinical or billing systems.
- “All-access” roles granted by default; no least-privilege model.
- Stale accounts for departed workforce members or contractors.
- Remote access without multi-factor authentication or session timeouts.
Compliance checklist
- Implement role-based access with documented approval workflows.
- Require unique user IDs, strong authentication, and automatic logoff.
- Run quarterly access recertification and remove excess privileges promptly.
- Log and review access to PHI; investigate anomalies and document outcomes.
- Harden remote access with multi-factor authentication and network segmentation.
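The quarterly access recertification in the checklist is usually run against an export from the identity or EHR system. The script below is an added example, not code from the original article or from Accountable: it reads a constructed CSV entitlement export and reports each red flag from this section (shared accounts, over-privileged roles, stale and departed-user accounts, remote access without multi-factor authentication). The column names, the `all_access` role name and the 90-day inactivity threshold are assumptions for the example.

```python
"""Added example: access recertification over a constructed entitlement export,
covering the red flags in the 'Insufficient Access Controls' section."""
import csv
import io
from collections import Counter
from datetime import date, timedelta

# Constructed sample export (assumed columns; not real data).
EXPORT = """\
user_id,account_type,hr_status,roles,last_login,remote_access,mfa_enabled
jdoe,named,active,nurse;ed_charting,2024-03-01,yes,yes
frontdesk,shared,active,registration,2024-03-03,no,no
msmith,named,terminated,billing;all_access,2023-12-20,yes,yes
rlee,named,active,all_access,2024-02-28,yes,no
tnguyen,named,active,pharmacy,2023-10-01,no,no
"""

AS_OF = date(2024, 3, 4)               # review date for the example
STALE_AFTER = timedelta(days=90)       # assumed inactivity threshold
OVER_PRIVILEGED_ROLES = {"all_access"}  # assumed name of the catch-all role


def recertify(export_text, as_of=AS_OF):
    """Return (user_id, finding, recommended_action) tuples for the reviewer."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        uid = row["user_id"]
        roles = set(filter(None, row["roles"].split(";")))
        last_login = date.fromisoformat(row["last_login"])

        # Generic or shared accounts defeat unique user IDs and audit trails.
        if row["account_type"] == "shared":
            findings.append((uid, "shared_account", "replace with unique user IDs"))

        # Departed users take priority over simple inactivity.
        if row["hr_status"] != "active":
            findings.append((uid, "departed_still_enabled", "disable immediately"))
        elif as_of - last_login > STALE_AFTER:
            findings.append((uid, "inactive_account",
                             f"no login since {last_login}; disable or justify"))

        # Default "all-access" roles violate least privilege.
        if roles & OVER_PRIVILEGED_ROLES:
            findings.append((uid, "over_privileged",
                             "replace with role-based permissions"))

        # Remote access must be paired with multi-factor authentication.
        if row["remote_access"] == "yes" and row["mfa_enabled"] != "yes":
            findings.append((uid, "remote_without_mfa", "enforce MFA or revoke remote"))
    return findings


def summarize(findings):
    """Count findings per category for the recertification report."""
    return Counter(kind for _, kind, _ in findings)


if __name__ == "__main__":
    results = recertify(EXPORT)
    for r in results:
        print(*r, sep="\t")
    print(dict(summarize(results)))
```

The "recommended action" column is what turns the report into the documented approval workflow the checklist asks for: each line is signed off by the account owner's manager, and the signed export is the evidence an auditor will request.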
Inadequate Risk Assessments
A thorough, documented Risk Analysis is foundational to HIPAA compliance. It identifies where PHI resides, evaluates threats and vulnerabilities, and prioritizes remediation based on likelihood and impact.
Without periodic reviews, new systems, vendors, and integrations introduce blind spots that undermine safeguards and increase the chance of breaches.
Common red flags
- No current inventory of systems, apps, devices, or data flows containing PHI.
- One-time assessments with no follow-up or remediation tracking.
- No evaluation of third-party and subcontractor risks.
- Absence of testing (e.g., tabletop exercises, technical scans) to validate controls.
Compliance checklist
- Define scope: ePHI and paper PHI, on-premises and cloud, internal and vendor environments.
- Identify threats/vulnerabilities; rate likelihood and impact to prioritize fixes.
- Maintain a risk register with owners, due dates, and status.
- Reassess after major changes and at a regular cadence; feed results into your HIPAA Compliance Audit plan.
- Test controls through technical scanning, configuration reviews, and incident simulations.
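As an added example (not part of the original article, and not Accountable's product), here is a minimal risk register of the kind the checklist describes: each entry carries a likelihood and impact rating, an owner, a due date and a status, and two functions prioritize open items and surface the follow-up gaps the red flags above warn about (no owner, overdue remediation, assessments older than the review cadence). The 1-to-5 scales, the one-year cadence and the register entries are assumptions for illustration.

```python
"""Added example: a small risk register with likelihood x impact prioritization
and follow-up checks, matching the 'Inadequate Risk Assessments' checklist."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass
class Risk:
    id: str
    description: str
    likelihood: int            # assumed scale: 1 (rare) .. 5 (almost certain)
    impact: int                # assumed scale: 1 (negligible) .. 5 (severe)
    owner: Optional[str]
    due: Optional[date]
    status: str                # open | in_progress | closed
    last_assessed: date

    def score(self) -> int:
        return self.likelihood * self.impact


# Constructed register entries for the example.
REGISTER: List[Risk] = [
    Risk("R1", "Laptops used for home visits lack full-disk encryption",
         5, 5, "IT Security", date(2024, 4, 30), "open", date(2024, 1, 15)),
    Risk("R2", "Transcription vendor receives PHI without a BAA",
         3, 4, None, date(2024, 2, 1), "open", date(2023, 1, 10)),
    Risk("R3", "Shared front-desk login in registration system",
         4, 2, "Clinic Ops", None, "in_progress", date(2024, 2, 20)),
    Risk("R4", "Copier returned to lessor before drive sanitization",
         2, 4, "Facilities", date(2023, 11, 1), "closed", date(2023, 11, 5)),
]


def prioritize(register: List[Risk]) -> List[Risk]:
    """Open items first by descending score, so fixes go where risk is highest."""
    return sorted((r for r in register if r.status != "closed"),
                  key=lambda r: r.score(), reverse=True)


def register_gaps(register: List[Risk], as_of: date,
                  cadence: timedelta = timedelta(days=365)) -> List[Tuple[str, str]]:
    """Return (risk_id, gap) pairs for items that will stall without attention."""
    gaps = []
    for r in register:
        if r.status == "closed":
            continue
        if r.owner is None:
            gaps.append((r.id, "missing_owner"))
        if r.due is None:
            gaps.append((r.id, "no_due_date"))
        elif r.due < as_of:
            gaps.append((r.id, "overdue"))
        if as_of - r.last_assessed > cadence:
            gaps.append((r.id, "stale_assessment"))
    return gaps


if __name__ == "__main__":
    today = date(2024, 3, 4)  # fixed date so the example is reproducible
    for r in prioritize(REGISTER):
        print(r.id, r.score(), r.description)
    print(register_gaps(REGISTER, today))
```

Closed items are skipped by the gap check but stay in the register: the audit trail for a remediated risk (who fixed it, when, and how it was verified) is exactly what a HIPAA Compliance Audit will ask to see.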
Lack of Business Associate Agreements
Any vendor that creates, receives, maintains, or transmits PHI on your behalf is a business associate. If you share PHI without a Business Associate Agreement, you lose contractual assurances on safeguards, breach reporting, and subcontractor oversight.
Common examples include cloud storage, billing and collections, telemedicine platforms, transcription, analytics, and shredding vendors.
Common red flags
- PHI shared during sales, pilots, or support sessions before signing a BAA.
- Vendors using subcontractors that touch PHI without flow-down obligations.
- BAAs stored ad hoc with no inventory, renewal dates, or monitoring.
Compliance checklist
- Identify all vendors that may access PHI; categorize by data sensitivity and function.
- Execute a Business Associate Agreement that defines permitted uses, safeguards, and breach notification duties.
- Require BAAs with subcontractors; verify controls through due diligence and questionnaires.
- Centralize BAA tracking with owners, expirations, and review cycles.
- Limit vendor access to the minimum necessary and monitor with logs or dashboards.
Unencrypted Storage of PHI
Storing PHI without encryption exposes data if a device is lost, stolen, or compromised. While specific implementations can be “addressable,” strong encryption remains a best practice and a key pillar of modern Data Encryption Standards.
Focus on encryption at rest for servers, endpoints, mobile devices, and backups, and encryption in transit for all network communications.
Common red flags
- Laptops, tablets, and USB drives that store PHI without full-disk encryption.
- Cloud buckets, file shares, or backups misconfigured for public access.
- Exported EHR spreadsheets containing PHI stored on local desktops.
- Encryption keys stored alongside the data they protect.
Compliance checklist
- Adopt organization-wide Data Encryption Standards for data at rest and in transit.
- Use mobile device management to enforce encryption and remote wipe.
- Harden key management: separate keys from data, rotate, and restrict access.
- Secure backups (including offsite media) and test restores for integrity.
- If encryption is not implemented for a use case, document the rationale and compensating controls.
Failure to Notify Patients of Breaches
When an incident meets the definition of a breach, the Breach Notification Rule requires notifying affected individuals and, in some cases, regulators and the media. Delays increase harm, complicate response, and heighten enforcement risk.
Effective notification depends on timely detection, sound investigation, accurate contact information, and well-rehearsed communication plans.
Common red flags
- No incident response plan or unclear breach decision-making criteria.
- Delayed discovery due to limited logging or monitoring gaps.
- Outdated patient contact information or incomplete mailing lists.
- Public statements issued before patients are notified.
Compliance checklist
- Establish an incident response plan with defined roles, escalation paths, and legal review.
- Use a structured breach risk assessment process to determine notification obligations.
- Prepare notification templates and a distribution plan for letters, portals, and call centers.
- Track timelines and evidence; retain documentation for your HIPAA Compliance Audit.
- Conduct post-incident reviews to improve controls and reduce recurrence.
Summary and action steps
Preventing HIPAA violations requires consistent execution: educate your workforce, enforce Access Control Policies, complete a rigorous Risk Analysis, encrypt wherever feasible, and ensure every vendor has a Business Associate Agreement. Validate progress through periodic testing and a HIPAA Compliance Audit to keep safeguards aligned with evolving risks.
FAQs
What actions constitute a HIPAA violation?
Common violations include impermissible uses or disclosures of PHI, snooping in records without a job-related need, sharing PHI via unapproved channels, failing to execute a Business Associate Agreement before a vendor handles PHI, inadequate Access Control Policies leading to inappropriate access, improper disposal of records, unencrypted storage that increases exposure risk, and failing to follow the Breach Notification Rule after a qualifying incident.
How can organizations prevent unauthorized disclosure of PHI?
Train staff on minimum necessary standards, restrict access based on roles, require secure messaging and approved portals for transmission, verify recipients before sending PHI, monitor access logs for anomalies, and ensure each vendor has a signed Business Associate Agreement with clear safeguards and breach reporting duties.
What are the consequences of failing to notify patients after a breach?
Failure to follow the Breach Notification Rule can lead to regulatory enforcement, monetary penalties, corrective action plans, increased oversight, and reputational damage. It also prolongs harm to affected individuals and undermines trust with patients, providers, and partners.
How often should risk assessments be conducted for HIPAA compliance?
Conduct a comprehensive Risk Analysis at least annually and whenever significant changes occur—such as new systems, mergers, major upgrades, or onboarding vendors that handle PHI. Update the risk register, track remediation to completion, and use results to inform your next HIPAA Compliance Audit.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.