HIPAA Violations Care Coordinators Should Know About: Common Examples and How to Avoid Them

Unauthorized Access to Patient Records

Unauthorized access includes viewing, searching, or downloading patient files without a job-related reason. It violates Patient Record Access Compliance and often happens out of curiosity, convenience, or habit—especially when roles or systems are not tightly controlled.

Common Examples

• “Snooping” on a friend, neighbor, coworker, or public figure’s chart.
• Opening records for patients not assigned to you or outside your care team.
• Sharing credentials or failing to log out, allowing others to access records under your name.
• Using “break-glass” emergency access without a legitimate, documented need.

How to Avoid

• Apply role-based access and the Minimum Necessary Standard so you only see what you need to do your job.
• Use unique logins with multi-factor authentication; never share passwords or devices.
• Lock screens and log out when stepping away, even briefly.
• Require documented justification for emergency access and review each use.

Monitoring and Accountability

• Enable audit logs that flag unusual lookups, mass downloads, or after-hours activity.
• Conduct regular spot-checks and coach staff promptly when patterns appear.
• Reinforce that Protected Health Information (PHI) access is traceable to individuals.

Impermissible Uses and Disclosures of PHI

PHI may only be used or shared for treatment, payment, and operations—or with valid patient authorization. Impermissible disclosures often stem from convenience, assumptions about consent, or using non-approved communication tools.

Common Examples

• Discussing patient details in public areas, elevators, or on speakerphone.
• Texting PHI over personal messaging apps or emailing PHI to personal accounts.
• Posting anecdotes on social media that could identify a patient.
• Sharing PHI with community partners or vendors without Business Associate Agreements.
• Sending full patient lists to external parties instead of meeting the Minimum Necessary Standard.

How to Avoid

• Verify identity before sharing any information and confirm the recipient’s role-based need.
• Use approved, secure channels for PHI; avoid personal email, texting, or unsanctioned apps.
• Obtain and document valid authorizations when required; de-identify data whenever possible.
• Execute and maintain Business Associate Agreements with any vendor that touches PHI.

Failure to Perform Risk Analysis

A documented risk analysis—and ongoing Risk Assessment—identifies where PHI is created, stored, transmitted, and at risk. Skipping or delaying this work leaves blind spots in workflows, technology, and vendor relationships.

What Effective Risk Analysis Looks Like

• Inventory systems, devices, apps, and data flows that handle PHI and electronic PHI (ePHI).
• Evaluate threats and vulnerabilities, then rate likelihood and impact.
• Define safeguards, timelines, and owners for mitigation tasks.
• Reassess after major changes, incidents, or at scheduled intervals.

How to Avoid this Violation

• Establish an annual cycle with interim reviews when processes or systems change.
• Include third-party risks, mobile devices, remote work, and shadow IT in scope.
• Track remediation to completion and verify that controls work as intended.
• Train care coordinators on their role in identifying and reporting new risks.

Inadequate ePHI Access Control

Weak access control undermines Electronic PHI Security and makes unauthorized viewing, alteration, or exfiltration more likely. Common gaps include shared accounts, poor password practices, and inactive session timeouts.

Gaps to Watch

• Generic or shared user IDs that obscure accountability.
• Missing multi-factor authentication on portals, VPNs, or EHRs.
• Stale access for former staff or role changes not promptly updated.
• Unlocked workstations and long session timeouts in shared spaces.

How to Avoid

• Enforce unique IDs, strong passwords, and multi-factor authentication.
• Set automatic logoff and short lock times on shared or clinical workstations.
• Align permissions with least privilege and review access when roles change.
• Enable audit trails and alerts for anomalous access behaviors.

Mishandling of Data

Mishandling occurs when PHI leaves approved systems or is shared beyond the Minimum Necessary Standard. It includes risky exports, unencrypted storage, and misdirected communications that increase likelihood of a breach.

Risky Scenarios

• Exporting patient lists to spreadsheets and emailing them outside the organization.
• Saving PHI to personal cloud accounts, USB drives, or local device folders.
• Printing schedules or rosters and leaving them in cars, conference rooms, or printers.
• Attaching the wrong file or choosing the wrong recipient in email or fax.

How to Avoid

• Use approved tools with encryption and access controls for outreach, referrals, and coordination.
• Turn on data loss prevention, recipient confirmation, and attachment scanning where available.
• De-identify or aggregate data when full PHI is not required.
• Provide practical training with real examples of high-risk workflows.

Improper Disposal of PHI

Improper disposal exposes PHI long after care is delivered. You must securely dispose of paper and electronic media and oversee any vendors involved in destruction.

Paper Records

• Place discards in locked shred bins; never in regular trash or recycling.
• Use cross-cut shredding or certified destruction services with chain-of-custody.
• Maintain disposal logs and retain certificates of destruction when using vendors.

Electronic Media

• Sanitize or destroy drives, phones, and removable media before reuse or disposal.
• Document wipe methods and verification steps; keep records for audits.
• Ensure vendors handling media have current Business Associate Agreements.

Lost or Stolen Devices

Unsecured laptops, smartphones, tablets, or thumb drives with ePHI create significant risk. Even contact lists, messages, or notes may contain PHI that triggers HIPAA Breach Notification obligations if compromised.

Prevention Controls

• Require full-disk encryption, strong passcodes, and biometric locks on all devices with ePHI.
• Use mobile device management for remote lock/wipe, patching, and policy enforcement.
• Prohibit local storage when possible; prefer secure apps with server-side encryption.
• Train staff to keep devices physically secure and never leave them unattended in vehicles.

Immediate Response

• Report loss or theft right away so security can attempt locate, lock, or wipe.
• Document what data was on the device and whether encryption was active.
• Begin a risk evaluation to determine if HIPAA Breach Notification is required.
• Preserve logs, update mitigation steps, and reinforce training after the incident.

Conclusion

Most HIPAA violations in care coordination are preventable with clear roles, secure tools, and disciplined workflows. Anchor daily decisions to the Minimum Necessary Standard, maintain strong Electronic PHI Security, and document Risk Assessment and remediation. When incidents occur, act quickly, evaluate impact, and fulfill HIPAA Breach Notification duties.

FAQs

What are common HIPAA violations by care coordinators?

Typical issues include unauthorized chart access, discussing PHI in public spaces, using personal email or messaging apps for PHI, sending full patient lists instead of the minimum necessary, lacking Business Associate Agreements for vendors, improper disposal of records, and failing to report or respond promptly to lost or stolen devices.

How can care coordinators prevent unauthorized access to PHI?

Use role-based access and the Minimum Necessary Standard, authenticate with unique IDs and multi-factor authentication, lock screens and log out when away, avoid credential sharing, and monitor audit logs. Provide targeted training and escalate unusual access patterns immediately.

What steps are required for HIPAA-compliant disposal of patient records?

For paper, use locked shred bins and cross-cut shredding with chain-of-custody and certificates of destruction. For electronic media, sanitize or physically destroy drives and devices, document the method and verification, and ensure any destruction vendor has valid Business Associate Agreements.

How should lost or stolen devices containing ePHI be handled?

Report the incident immediately, attempt remote lock/wipe, document what data was exposed and whether encryption was active, and perform a risk evaluation to determine if HIPAA Breach Notification applies. Preserve logs, implement corrective actions, and reinforce staff training.