HIPAA Violation Examples Checklist: Spot Issues, Remediate Quickly, Prevent Recurrence

This HIPAA Violation Examples Checklist helps you spot issues fast, execute targeted remediation, and put durable controls in place so problems do not recur. Use it to evaluate policies, technology, and everyday workflows that touch Protected Health Information (PHI) and electronic Protected Health Information (ePHI).

Each section explains what a violation looks like, how to contain and correct it quickly, and how to prevent recurrence—while naturally aligning with access controls, risk assessment protocols, data encryption standards, breach notification requirements, PHI disposal methods, and your Business Associate Agreement (BAA) obligations.

Unauthorized Access to PHI

What it looks like

• Workforce “snooping” in records they do not need to do their jobs.
• Shared or generic logins that obscure accountability for ePHI access.
• Former employees or contractors retaining active credentials.
• Overly broad access controls granting full chart access to non-clinical roles.
• Unmonitored remote access from unmanaged or personal devices.

How to remediate quickly

• Immediately disable or suspend suspect accounts; revoke shared credentials.
• Run audit logs to determine scope, dates, and individuals affected.
• Quarantine compromised endpoints and force password resets with MFA.
• Notify privacy/security leadership; document actions and decisions.
• Apply sanctions per policy and begin individual risk assessment for potential breach.

Prevent recurrence

• Implement least-privilege, role-based access controls with documented approvals.
• Require multi-factor authentication for all ePHI systems and remote access.
• Automate provisioning/deprovisioning tied to HR events to close access on termination.
• Enable immutable audit logs and review them routinely; alert on anomalous patterns.
• Deliver task-based training on appropriate use and consequences of misuse.

Checklist

• Unique user IDs; no shared accounts.
• MFA enforced on VPN, EHR, and cloud apps.
• Quarterly access reviews by data owner.
• Automated offboarding closes accounts same day.
• Continuous audit logging with alerting on mass lookups or VIP records.

Inadequate Risk Analysis

What it looks like

• No current, documented enterprise risk analysis covering administrative, physical, and technical safeguards.
• Missing asset inventory for systems and devices that store or process ePHI.
• No data-flow mapping for intake, use, storage, sharing, and disposal of PHI.
• Untracked third-party exposure where vendors access PHI without assessment.

How to remediate quickly

• Stand up a rapid risk assessment using standardized risk assessment protocols.
• Identify “crown jewels” (EHR, billing, imaging, backups) and top threats.
• Document a prioritized risk register with owners, due dates, and mitigations.
• Address high-risk items immediately (e.g., open ports, missing encryption, weak access controls).

Prevent recurrence

• Adopt a repeatable methodology; update at least annually and after major changes.
• Maintain a living asset inventory and PHI data-flow diagrams.
• Integrate vendor risk reviews into procurement and BAA onboarding.
• Track risk treatment plans to completion; verify effectiveness of controls.

Checklist

• Formal, dated enterprise risk analysis on file.
• Comprehensive asset inventory and PHI data flows documented.
• Prioritized risk register with accountable owners.
• Schedule for reassessment and trigger events defined.

Insufficient Security Measures

What it looks like

• Devices with ePHI lack full-disk encryption or mobile device management.
• Unpatched servers/workstations; unsupported operating systems in production.
• No tested backups or disaster recovery for critical systems.
• Flat networks without segmentation; minimal logging and monitoring.

How to remediate quickly

• Encrypt laptops and portable media immediately; enroll endpoints in MDM/EDR.
• Patch critical vulnerabilities; disable legacy/insecure protocols.
• Enable TLS for data in transit; enforce data encryption standards for storage.
• Harden backups, isolate from the domain, and test restores.
• Implement minimum logging for access, admin changes, and data exfiltration events.

Prevent recurrence

• Publish baseline secure configuration standards and verify via automated scans.
• Segment networks to isolate clinical systems and limit east–west movement.
• Apply least-privilege administration and just-in-time access.
• Deploy data loss prevention for email and cloud to monitor PHI movement.

Checklist

• Encryption at rest and in transit meets adopted data encryption standards.
• Patch cadence defined; critical patches within set SLAs.
• Backups isolated, encrypted, and tested.
• Security monitoring with alert triage and response runbooks.

Non-Compliant Business Associate Agreements

What it looks like

• Vendors creating, receiving, maintaining, or transmitting PHI lack a signed Business Associate Agreement (BAA).
• BAAs missing required terms (permitted uses, safeguards, breach reporting, subcontractor flow-down, termination/return or destruction of PHI).
• No due diligence to confirm vendors can meet security obligations for ePHI.

How to remediate quickly

• Inventory all vendors; flag any handling PHI or ePHI.
• Execute or amend BAAs; suspend PHI sharing until compliant.
• Validate each vendor’s safeguards and incident response capabilities.

Prevent recurrence

• Adopt a standard BAA template and mandate it in procurement.
• Require subcontractor compliance and advance notice of any changes.
• Track BAA renewals/expirations; assign an owner for each vendor.

Checklist

• Complete vendor inventory mapped to PHI data flows.
• Signed, current BAAs with required provisions for all applicable vendors.
• Vendor security due diligence documented prior to PHI exchange.

Improper Disposal of PHI

What it looks like

• Papers with PHI discarded in regular trash or recycle bins.
• Hard drives, USBs, or copier drives not sanitized before disposal or reuse.
• Untracked media disposal without chain of custody or certificates.

How to remediate quickly

• Secure all pending disposals; restrict access to storage areas.
• Use approved PHI disposal methods: cross-cut shredding, pulverizing, incineration for paper; wiping, degaussing, or physical destruction for media.
• Document a chain of custody; obtain certificates of destruction.

Prevent recurrence

• Publish clear media sanitization procedures and staff training.
• Provide locked shred bins in all areas where PHI is used.
• Vet disposal vendors and periodically audit their processes.

Checklist

• Written PHI disposal policy aligned to approved PHI disposal methods.
• Secure bins and media cages; limited access.
• Destruction logs with dates, quantities, and witness signatures.

Unencrypted Communication of PHI

What it looks like

• Sending PHI over open email, SMS, consumer messaging apps, or fax without safeguards.
• Misdirected emails to the wrong patient or provider.
• Telehealth sessions or patient portals not enforcing encryption in transit.

How to remediate quickly

• Cease unencrypted channels; move to secure messaging/portal immediately.
• Evaluate whether an impermissible disclosure occurred; begin risk assessment.
• Reconfigure email to enforce TLS; quarantine messages lacking negotiated encryption.
• Notify recipients to delete misdirected messages when appropriate and document the request.

Prevent recurrence

• Adopt organization-wide data encryption standards for email, portals, APIs, and backups.
• Deploy email DLP to detect PHI and require secure channels.
• Manage BYOD with MDM, containerization, and remote wipe for ePHI apps.

Checklist

• Mandatory encryption for PHI in transit and at rest.
• Secure patient portal or secure email for external communications.
• DLP rules and user prompts for sensitive data.

Failure to Notify Breaches Promptly

What it looks like

• Delays in notifying affected individuals after discovering a breach of unsecured PHI.
• Unclear ownership of breach response tasks and timelines.
• Incomplete documentation supporting decisions and notifications.

How to remediate quickly

• Activate your incident response plan; contain and investigate to determine scope.
• Apply the four-factor risk assessment to decide if notification is required.
• Prepare clear, plain-language notices; coordinate leadership and legal review.
• Track deadlines against breach notification requirements and applicable state laws.

Prevent recurrence

• Define roles, templates, and escalation paths in a written breach response plan.
• Run tabletop exercises to practice decision-making and timing.
• Maintain a breach log and post-incident reviews to strengthen controls.

Checklist

• Documented procedures align with breach notification requirements (e.g., notify individuals without unreasonable delay and no later than 60 calendar days where required).
• Ownership of regulatory reporting, media notices (if applicable), and recordkeeping assigned.
• Post-incident action items tracked to closure.

Conclusion

Use this HIPAA Violation Examples Checklist to rapidly spot issues, close gaps, and harden processes so incidents become rare and low impact. Tie every fix to durable safeguards—access controls, encryption, risk assessment protocols, PHI disposal methods, and strong BAAs—to protect PHI and sustain compliance.

FAQs.

What are common examples of HIPAA violations?

Frequent issues include snooping in patient charts, sharing credentials, missing or weak access controls, unencrypted email containing PHI, lost or stolen unencrypted devices, improper disposal of records, using vendors without a compliant Business Associate Agreement (BAA), and delaying notifications after a confirmed breach.

How can unauthorized access to PHI be prevented?

Enforce least-privilege, role-based access controls, require multi-factor authentication, conduct regular access reviews, train staff on appropriate use, and continuously monitor audit logs for anomalies. Automate account provisioning and rapid deprovisioning tied to HR events to close access quickly.

What are the consequences of failing to notify a breach?

Organizations face regulatory penalties, corrective action plans, and significant reputational damage. Delayed notifications can increase patient harm and legal exposure. A tested incident response program aligned to breach notification requirements reduces risk and ensures timely, accurate communications.

How should PHI be properly disposed of?

For paper, use secure shredding, pulverizing, or incineration. For electronic media, apply approved PHI disposal methods such as secure wiping, degaussing, or physical destruction. Maintain chain-of-custody records and obtain certificates of destruction from any disposal vendors.