HIPAA Violations Patient Advocates Should Know About: Common Examples and How to Report Them

As a patient advocate, you play a crucial role in protecting privacy and trust. This guide walks you through common HIPAA violations, how to spot them, and practical steps to report concerns. You will see how rules apply to Protected Health Information (PHI) and Electronic Protected Health Information (ePHI), and where Business Associate Agreements (BAAs) and HIPAA Breach Notification requirements fit in.

Use these sections to recognize risks quickly, document what you observe, and escalate issues through the right channels. Clear, confident action helps patients, clinicians, and organizations prevent harm and correct problems before they grow.

Unauthorized Access to PHI

Why it matters

Accessing PHI without a valid treatment, payment, or operations purpose erodes confidentiality and trust. Unauthorized access includes snooping in records, sharing logins, or viewing charts “out of curiosity,” whether the data is on paper or within ePHI systems.

Red flags to watch

• Staff viewing records of friends, family, or public figures without involvement in care.
• Shared or generic user accounts with no individual accountability.
• Printed charts or intake forms left where others can see them.

What you can do

• Document who, what, when, and where you observed potential access issues.
• Report concerns to the organization’s privacy or compliance officer promptly.
• Encourage use of unique logins and audit logs that track PHI access.

Failure to Perform Risk Analysis

Why it matters

The HIPAA Security Rule expects a regular, thorough risk analysis covering ePHI. Without it, organizations miss vulnerabilities in systems, workflows, and vendors—undermining Administrative Safeguards meant to guide policy and oversight.

Red flags to watch

• No current, written inventory of systems that create, receive, maintain, or transmit ePHI.
• Unclear ownership for risk management tasks or outdated risk findings.
• Lack of documented remediation plans or follow-up on identified gaps.

What you can do

• Ask whether a documented risk analysis exists and when it was last updated.
• Verify that high-risk findings have corrective actions with deadlines and owners.
• Escalate gaps that could expose patients to breach or identity theft.

Inadequate Security Measures

Why it matters

Technical Safeguards protect ePHI from unauthorized access or alteration. Weak controls—such as missing encryption, single-factor logins, or disabled audit trails—raise the likelihood of breaches and hinder investigation.

Red flags to watch

• Unencrypted laptops, smartphones, or portable drives used with patient data.
• Shared passwords, weak authentication, or no timeout/lock settings.
• Disabled or ignored access logs, especially in EHRs and billing systems.

What you can do

• Confirm device and data encryption, especially for mobile and remote work.
• Promote multi-factor authentication and regular review of access rights.
• Encourage routine log monitoring to spot unusual access patterns.

Denial of Patient Access

Why it matters

Patients have a HIPAA right to access their PHI. Unreasonable delays, excessive fees, or incomplete responses can be violations and damage trust during critical moments of care or appeals.

Red flags to watch

• Repeated delays or requests lost without clear timelines or updates.
• Charging more than cost-based fees for copies or portal downloads.
• Refusing to provide records in the requested readable format when feasible.

What you can do

• Track request dates, formats, and follow-ups to show patterns of delay.
• Escalate to the privacy officer if fees seem excessive or formats are ignored.
• Encourage secure patient portals and clear workflows for timely fulfillment.

Missing Business Associate Agreements

Why it matters

Vendors that handle PHI on behalf of a provider or plan must have Business Associate Agreements. Without BAAs, responsibilities for privacy, security, and breach response are unclear, exposing patients to avoidable risk.

Red flags to watch

• Cloud providers, billing firms, or consultants accessing PHI without a signed BAA.
• Outdated BAAs that omit incident reporting or data return/destruction terms.
• New tools or apps implemented before contract and security review.

What you can do

• Request confirmation that a current BAA exists for each vendor touching PHI.
• Verify breach notification and termination clauses align with HIPAA expectations.
• Flag any shadow IT or pilot tools using PHI without contractual safeguards.

Impermissible Disclosures of PHI

Why it matters

Sharing PHI without authorization or beyond the minimum necessary violates patient privacy. Common issues include casual hallway conversations, unsecured emails, or social media posts that can identify individuals.

Red flags to watch

• Discussing cases in public spaces where others can overhear.
• Emailing or texting PHI without secure channels or proper recipient checks.
• Posting details online that could re-identify a patient.

What you can do

• Promote “minimum necessary” use and secure messaging for PHI.
• Encourage de-identification when discussing cases for education or outreach.
• Report patterns of casual disclosures that repeat despite feedback.

Failure to Notify of Breaches

Why it matters

When PHI is compromised, timely notification allows individuals to protect themselves and helps organizations meet HIPAA Breach Notification requirements. Delays or silence compound harm and legal exposure.

Red flags to watch

• Known incidents that are not investigated or risk-assessed.
• No clear plan for notifying affected individuals or supervising agencies.
• Inconsistent documentation of breach decisions and communications.

What you can do

• Confirm there is a documented breach response plan with defined roles.
• Encourage prompt risk assessments and consistent notification practices.
• Elevate concerns when leadership downplays or ignores likely breaches.

Inadequate Training and Awareness

Why it matters

Policies only work when people understand them. Without ongoing training, staff may mishandle PHI, miss phishing attempts, or skip required procedures—undermining all safeguards.

Red flags to watch

• No documented onboarding or periodic HIPAA refreshers.
• High click rates on phishing simulations without remediation.
• Unclear sanction policies for repeated violations.

What you can do

• Encourage role-based training tied to real workflows and systems.
• Promote simulations, tabletop exercises, and quick-reference guides.
• Advocate for leadership messaging that prioritizes privacy and security.

Improper Disposal of PHI

Why it matters

Discarded PHI can be a goldmine for identity thieves. Both paper and electronic media require secure destruction to uphold Physical Safeguards and prevent unauthorized use.

Red flags to watch

• Unsecured recycling bins containing patient labels, summaries, or imaging.
• Returned or resold devices without verified data wiping.
• Storage media tossed in regular trash instead of locked shred bins.

What you can do

• Ensure shredding, pulping, or approved destruction for paper PHI.
• Verify device sanitization before reuse, return, or disposal.
• Spot-check disposal points and raise issues immediately.

Failure to Implement Safeguards

Why it matters

HIPAA expects a balanced program of Administrative, Technical, and Physical Safeguards. Missing policies, absent audits, or weak facility controls create systemic risk that no single fix can solve.

Red flags to watch

• No written policies for access, incident response, or device management.
• Poor facility controls—unlocked server rooms or unattended workstations.
• Gaps between policy and practice, such as bypassed procedures.

What you can do

• Ask for evidence: policies, training logs, access reviews, and test results.
• Encourage a governance rhythm—risk reviews, audits, and leadership check-ins.
• Promote a culture where staff report concerns without fear of retaliation.

Key takeaways for patient advocates

Protecting PHI and ePHI requires vigilance and action. Recognize common pitfalls, document specifics, and escalate through privacy or compliance channels. When a breach is likely, push for timely steps under the HIPAA Breach Notification Rule. Your persistence helps organizations close gaps and keeps patient trust at the center of care.

FAQs

What constitutes a HIPAA violation by a patient advocate?

It depends on the advocate’s role. If you work for or on behalf of a covered entity or business associate and handle PHI, accessing, using, or disclosing it improperly can be a HIPAA violation. Even if you are independent, you can cause a violation by pressuring staff to reveal more than the minimum necessary or by sharing identifiable details you obtained through covered workflows.

How can patient advocates report HIPAA violations?

Document what you observed with dates, times, systems, and people involved. Report promptly to the organization’s privacy or compliance officer, or use its hotline. If issues persist or are serious, you may file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights. Keep patient safety and confidentiality foremost throughout the process.

What are the consequences of not reporting a HIPAA breach?

Unreported breaches can lead to harm such as identity theft, loss of trust, and care disruptions. Organizations may face investigations, penalties, and corrective action plans. Delays also allow weaknesses to persist, increasing the chance of repeat incidents and broader exposure.

How do HIPAA safeguards protect patient information?

Administrative Safeguards set policies, training, and oversight. Technical Safeguards secure ePHI with controls like authentication, encryption, and auditing. Physical Safeguards protect facilities and devices. Together, these layers reduce the likelihood and impact of unauthorized access, impermissible disclosures, and breaches.