Most Common HIPAA Violations Checklist for Organizations and Covered Entities

HIPAA compliance hinges on consistent execution of everyday practices. The most common violations stem from routine gaps: rushed workflows, unclear ownership, and weak vendor oversight. Use this checklist to tighten controls, reduce risk, and demonstrate due diligence across your program.

The sections below focus on high-impact areas—Protected Health Information disclosure, Risk Analysis Requirements, Administrative Safeguards, patient access, Business Associate Agreements Compliance, PHI Disposal Procedures, and Encryption Standards for ePHI—so you can prioritize the fixes that matter most.

Unauthorized Disclosure of PHI

Unauthorized disclosure happens when Protected Health Information is shared without a valid authorization or permissible purpose. Common causes include misdirected emails or faxes, casual hallway conversations, snooping in records, overbroad disclosures, and sending PHI through unsecured channels.

Checklist to prevent unauthorized Protected Health Information Disclosure

• Apply the minimum necessary standard and role-based access so users only see what they need.
• Verify recipient identity before releasing PHI; use test faxes/emails for new contacts.
• Send PHI via secure channels (portal, S/MIME, TLS, or secure file transfer), never personal email.
• Use data loss prevention and auto-disclaimers to flag or block outbound PHI.
• Train your workforce on verbal disclosures and social media risks; reinforce sanctions for snooping.
• Enable audit logs and review access to detect unusual queries or bulk exports.
• Limit PHI shared with vendors to the minimum necessary and only after a signed BAA.

If a disclosure occurs: follow Data Breach Notification Rules

• Perform a documented risk assessment to determine if the incident is a reportable breach.
• Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery.
• If the breach involves 500 or more residents of a state/jurisdiction, provide media notice and report to HHS within 60 days.
• For breaches affecting fewer than 500 individuals, report to HHS no later than 60 days after the end of the calendar year.
• Require business associates to notify you of their incidents promptly, consistent with your contract.

Failure to Perform Risk Analysis

A one-time checklist is not enough. The Security Rule requires an ongoing, enterprise-wide assessment of how you create, receive, maintain, and transmit ePHI, and how threats could exploit vulnerabilities. Skipping or under-scoping this work leaves blind spots that drive most enforcement actions.

Checklist: Meet Risk Analysis Requirements

• Inventory systems, data flows, third parties, and devices that store or move ePHI.
• Identify threats and vulnerabilities for each asset (loss/theft, ransomware, misconfigurations, insider risk).
• Rate likelihood and impact, then document risk levels and assumptions.
• Create a risk management plan with owners, milestones, and budget.
• Reassess at least annually and whenever you introduce major changes (EHR upgrades, new vendors, cloud moves).
• Test controls (backups, MFA, logging) and validate they work as intended.
• Include third-party risk: review BAAs, security questionnaires, and independent attestations where available.
• Maintain evidence—reports, meeting notes, remediation tickets, and approvals—to demonstrate due diligence.

Insufficient Safeguards for PHI

Gaps across administrative, physical, and technical safeguards often compound into incidents. Align daily operations with written policies, and verify that your controls actually function in production, not just on paper.

Checklist: Administrative Safeguards

• Appoint privacy and security officers with clear authority and resources.
• Publish policies for access, authentication, remote work, incident response, and vendor oversight.
• Train all workforce members on HIPAA basics and job-specific procedures; track completion.
• Apply workforce clearance and termination procedures; promptly remove access on departure.
• Run a sanctions process for violations and document corrective actions.
• Develop contingency plans: backup, disaster recovery, and emergency operations; test at least annually.
• Conduct periodic evaluations to confirm your program adapts to changes.

Checklist: Physical and Technical Safeguards

• Control facility and workstation access; prevent shoulder-surfing and unattended screens.
• Manage devices and media: receipt, movement, reuse, and secure disposal.
• Enforce unique IDs, strong authentication, and multi-factor authentication for remote and privileged access.
• Enable audit logging, centralized collection, and regular review for anomalous activity.
• Use encryption in transit and at rest where feasible; segment networks and restrict admin tools.
• Harden systems: timely patching, EDR/anti-malware, configuration baselines, and secure backups.

Denying Patient Access to Health Records

Patients have the right to access their health records, typically within 30 days, with one 30‑day extension allowed when justified in writing. Common violations include slow responses, excessive fees, unnecessary hurdles, refusing electronic formats, or denying a patient’s request to direct records to a third party.

Checklist: Provide timely patient access

• Offer simple request options (online, mail, in person) with clear instructions.
• Verify identity without creating undue burden; accept reasonable documentation.
• Fulfill requests within 30 days; if delayed, send a written explanation and new date within the additional 30 days.
• Provide the format requested if readily producible (portal, email with risk acknowledgment, or media).
• Charge only a reasonable, cost-based fee permitted under HIPAA; avoid per-page fees for ePHI.
• Honor a valid directive to send PHI to a third party; document the patient’s request.
• Track turnaround metrics and audit a sample of completed requests each quarter.

Failure to Enter into Business Associate Agreements

Any vendor that creates, receives, maintains, or transmits PHI for you is a business associate. Without a signed Business Associate Agreement, you risk uncontrolled disclosures, unclear breach reporting, and noncompliance with Business Associate Agreements Compliance requirements.

Checklist: Business Associate Agreements Compliance

• Identify all vendors touching PHI; classify them as business associates or conduits.
• Execute a BAA before sharing PHI; include subcontractor flow-down obligations.
• Define permissible uses/disclosures, safeguards, breach reporting timelines, and mitigation duties.
• Require return or destruction of PHI at termination where feasible.
• Reserve audit/assessment rights and require notice of material security changes.
• Review BAAs at least annually and after regulatory or service changes.
• Maintain a vendor inventory, due diligence records, and certificates of insurance where applicable.

Improper Disposal of PHI

Throwing paper charts in regular trash, donating devices without sanitization, or discarding copier hard drives can all expose PHI. Effective PHI Disposal Procedures cover paper and electronic media through the end of the lifecycle.

Checklist: PHI Disposal Procedures

• Adopt a written retention and destruction schedule aligned to legal and business needs.
• Use secure containers for paper awaiting destruction; cross-cut shred, pulp, or incinerate.
• Sanitize ePHI media before reuse or disposal using approved methods (secure overwrite, cryptographic erase, degauss for magnetic media, or physical destruction).
• Control chain of custody; supervise destruction or obtain certificates from vetted vendors under BAAs.
• Wipe or destroy device components that may store PHI (drives in copiers, scanners, and biomedical equipment).
• Log all destruction events with date, method, media type, and authorizer.
• Train staff on disposal steps and spot-check compliance.

Lack of Encryption for Portable Devices

Lost or stolen laptops, smartphones, and USB drives cause outsized harm. While encryption is an addressable implementation specification, strong Encryption Standards for ePHI are one of the most effective safeguards you can deploy.

Checklist: Encryption Standards for ePHI

• Enable full-disk encryption on laptops and workstations (for example, AES‑256) with pre-boot authentication.
• Use mobile device management to enforce device encryption, screen locks, remote wipe, and OS updates.
• Encrypt data in transit (TLS for apps, VPN for remote access) and apply email encryption for PHI.
• Control removable media; allow only encrypted drives with key escrow and tracking.
• Protect keys with secure generation, storage, rotation, and recovery procedures.
• Combine encryption with MFA, endpoint protection, and rapid disablement for lost devices.

Incident-ready posture

Properly implemented encryption can prevent a lost device from becoming a reportable breach, but only when keys, configurations, and access controls are sound. Treat encryption as part of a layered defense and verify it regularly through audits and simulated loss scenarios.

FAQs

What are the most frequent HIPAA violations?

The most frequent violations include unauthorized disclosure of PHI, failure to perform an enterprise-wide risk analysis, insufficient administrative/technical safeguards, denying or delaying patient access, missing or weak Business Associate Agreements, improper disposal of PHI, and unencrypted portable devices that are lost or stolen.

How can organizations prevent unauthorized PHI disclosure?

Apply the minimum necessary standard, restrict access by role, verify recipients, and use secure transmission methods. Layer in DLP, audit logging, and routine access reviews. Train staff on acceptable disclosures and social media risks, require BAAs for vendors, and enforce sanctions for snooping or policy violations.

What is the deadline for HIPAA breach notifications?

Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. For incidents involving 500 or more residents of a state/jurisdiction, also notify prominent media and report to HHS within 60 days. For fewer than 500 individuals, report to HHS no later than 60 days after the end of the calendar year. Business associates must notify the covered entity promptly, typically no later than 60 days, per contract.

How should PHI be properly disposed of?

Shred, pulp, or incinerate paper records; never place them in regular trash. For ePHI, sanitize media using secure overwrite or cryptographic erase, degauss magnetic media when appropriate, or physically destroy drives—especially SSDs. Maintain chain of custody, use vetted destruction vendors under BAAs, and log each disposal with method, date, and authorization.