The Most Common HIPAA Violations Healthcare Attorneys Should Know—and How to Spot Them

Kevin Henry

HIPAA

October 24, 2025


When you assess HIPAA exposure, the fastest wins often come from recognizing patterns. The most common violations follow repeatable scripts—gaps in Access Controls, weak Data Encryption, poorly executed Risk Assessment, and missed Breach Notification Requirements. This guide highlights where Protected Health Information (PHI) typically goes wrong and gives you practical ways to spot issues early in investigations, diligence, or incident response.

Use these checklists and red flags to structure interviews, document requests, and corrective action plans. Throughout, you’ll see how Business Associate Agreements, Compliance Training, and technical safeguards intersect to either prevent or precipitate violations.

Unauthorized Access to PHI

What it looks like

Unauthorized access occurs when workforce members or outsiders view, use, or obtain PHI without a valid job-related purpose. Typical scenarios include “snooping” on acquaintances or VIPs, credential sharing, access after employment termination, and use of generic or shared accounts that defeat accountability.

Red flags to spot

  • Audit logs show access to records outside an employee’s patient panel or job role.
  • High-volume lookups, after-hours spikes, or repeated “break-the-glass” events without documented justification.
  • Shared or default credentials; service accounts used interactively; disabled logging.
  • Access by former staff or contractors after their departure date.

Attorney checklist—what to verify and request

  • Role-based Access Controls documentation, privilege matrices, and “minimum necessary” policy.
  • System audit trails, retention settings, and evidence of periodic access reviews.
  • Sanction policy and recent enforcement actions tied to unauthorized access.
  • Offboarding procedures, including timeline for disabling accounts and reclaiming devices.

Preventive controls to recommend

  • Unique user IDs, MFA, and session timeouts; eliminate shared logins.
  • Proactive log monitoring with anomaly detection and VIP access alerts.
  • Targeted Compliance Training emphasizing “minimum necessary” and real case examples.
  • Data Encryption on endpoints to limit impact if credentials are misused and data is exfiltrated.
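As an added example (not code from the original article or from Accountable), the following Python implements the proactive log review recommended above, checking constructed EHR audit-log lines for the red flags listed in this section: access after departure, lookups outside an assigned patient panel, after-hours spikes, break-the-glass events without a justification, and interactive use of a service account. The log layout, roster fields, threshold and business-hours window are assumptions.

```python
"""Review constructed EHR audit-log lines for the unauthorized-access red flags
above: access after departure, lookups outside a patient panel, after-hours
spikes, break-the-glass without justification, interactive service-account use."""
import csv
from collections import Counter
from datetime import date, datetime, time
from io import StringIO

# Constructed roster (assumed schema): user -> (role, departure date or None, patient panel)
ROSTER = {
    "nurse01": ("nurse", None, {"P100", "P101"}),
    "clerk02": ("clerk", date(2025, 9, 30), {"P200"}),
    "svc_hl7": ("service", None, set()),
}
AFTER_HOURS_THRESHOLD = 3  # lookups outside business hours that trigger a flag
BUSINESS_HOURS = (time(7, 0), time(19, 0))

# Constructed audit log in an assumed EHR access-record layout.
AUDIT_LOG = """timestamp,user,patient_id,event,justification
2025-10-01T08:15:00,nurse01,P100,view,
2025-10-01T22:05:00,nurse01,P300,view,
2025-10-01T22:06:00,nurse01,P301,view,
2025-10-01T22:07:00,nurse01,P302,view,
2025-10-02T09:00:00,clerk02,P200,view,
2025-10-02T10:30:00,nurse01,P400,break_glass,
2025-10-02T11:00:00,svc_hl7,P101,view,
"""

def review_audit_log(log_text: str, roster: dict) -> list[str]:
    """Return one finding per red flag; an empty list means nothing was flagged."""
    findings, after_hours = [], Counter()
    for row in csv.DictReader(StringIO(log_text)):
        ts = datetime.fromisoformat(row["timestamp"])
        user, patient, event = row["user"], row["patient_id"], row["event"]
        role, departed, panel = roster.get(user, ("unknown", None, set()))
        if departed and ts.date() > departed:
            findings.append(f"{user}: access on {ts.date()} after departure {departed}")
        if role == "service":  # service accounts should never browse charts
            findings.append(f"{user}: service account used interactively on {patient}")
        if event == "break_glass" and not row["justification"].strip():
            findings.append(f"{user}: break-the-glass on {patient} without justification")
        elif event == "view" and panel and patient not in panel:
            findings.append(f"{user}: viewed {patient} outside assigned panel")
        if not BUSINESS_HOURS[0] <= ts.time() <= BUSINESS_HOURS[1]:
            after_hours[user] += 1
    for user, n in after_hours.items():  # spikes are judged per user, not per row
        if n >= AFTER_HOURS_THRESHOLD:
            findings.append(f"{user}: {n} after-hours lookups (threshold {AFTER_HOURS_THRESHOLD})")
    return findings
```

Each finding maps to a line in the red-flag list, so the output can be pasted directly into a document request or interview outline; `review_audit_log(AUDIT_LOG, ROSTER)` returns seven findings for the constructed sample.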

Improper Disposal of PHI

What it looks like

Improper disposal includes tossing paper charts into regular trash, leaving labels or wristbands in open bins, or discarding devices containing ePHI without validated wiping or destruction. Risk increases when disposal vendors operate without clear controls or Business Associate Agreements.

Red flags to spot

  • Unlocked or overflowing shred bins; single-stream trash in clinical areas.
  • Certificates of destruction missing, incomplete, or not matched to inventory.
  • Retired laptops, copiers, or servers resold or donated without cryptographic erasure.
  • Disposal performed by vendors lacking documented safeguards or chain-of-custody.

Attorney checklist—what to verify and request

  • Written disposal policy covering paper, media, and device sanitization.
  • Asset inventory with serial numbers tied to destruction or wipe records.
  • Vendor contracts and Business Associate Agreements; chain-of-custody logs.
  • Spot-check results from internal inspections and surprise audits.

Preventive controls to recommend

  • Locked, routinely serviced bins and centralized records for pickups.
  • Encryption by default on all portable media; cryptographic wipe before physical destruction.
  • Decommission checklists that require dual sign-off and documentation.
  • Annual Compliance Training that includes photo-based examples of improper disposal.

Lack of Risk Analysis

What it looks like

A one-time or IT-only exercise labeled “risk assessment” that fails to identify where ePHI lives, who touches it, and which threats matter most. True enterprise-wide Risk Assessment should be ongoing, reflect changes (new systems, mergers, telehealth), and drive a prioritized risk management plan.

Red flags to spot

  • No current ePHI data-flow map; missing inventory of systems, apps, and third parties.
  • Findings without owners, deadlines, or funding; risks marked “accepted” without rationale.
  • Assessments confined to a subset of clinics or to network diagrams only.
  • Ignored “people risks”: social engineering, insider threats, or inadequate training.

Attorney checklist—what to verify and request

  • Methodology, scope, and frequency of the Risk Assessment; evidence of executive review.
  • Risk register with heat ratings, remediation plans, and status tracking.
  • Inclusion of vendors and cloud services; mapping to Business Associate Agreements.
  • Inputs such as vulnerability scans, pen tests, incident trends, and audit results.

Preventive controls to recommend

  • Calendarized assessments tied to budgeting cycles and project roadmaps.
  • Asset and data-flow inventories that are updated with each system change.
  • Cross-functional participation (privacy, security, clinical ops, legal, compliance).
  • Clear risk acceptance criteria and documentation standards.

Insufficient Security Measures

Technical safeguards to evaluate

  • Access Controls (least privilege, MFA, privileged access management) and robust logging.
  • Data Encryption for ePHI at rest and in transit; key management practices.
  • Patch and vulnerability management; endpoint protection; email security and DLP.
  • Network segmentation, secure remote access, backups with tested restores.
  • Cloud configuration baselines and monitoring to prevent public exposure.

Administrative and physical safeguards

  • Policies covering acceptable use, mobile devices, and incident response.
  • Role-specific Compliance Training with phishing simulations and sanctions.
  • Facility access controls, visitor management, and device locking procedures.

Red flags to spot

  • Shared admin accounts, default passwords, or unmonitored privileged access.
  • Unencrypted laptops or USB drives; BYOD without mobile device management.
  • Misconfigured cloud storage or remote desktop opened to the internet.
  • Backups not isolated from production or never tested.

Attorney checklist—what to verify and request

  • Security architecture diagrams, control standards, and exception logs.
  • Evidence of testing: restore drills, tabletop exercises, and pen test remediation.
  • Metrics: patch cadence, MFA coverage, encryption coverage, and phishing rates.
  • Incident response plan with roles for legal, privacy, and communications.

Delayed Breach Notification

What it looks like

After a data incident, covered entities and business associates must evaluate whether unsecured PHI was compromised and, if so, follow Breach Notification Requirements. Notifications must be sent without unreasonable delay and no later than a defined federal deadline; some states impose shorter timelines or additional content.

Red flags to spot

  • Unclear “discovery” date; the clock starts later than it should.
  • Waiting on a vendor’s report with no interim facts captured or documented.
  • Draft notices missing required elements or omitting substitute notice steps.
  • No evidence of the four-factor risk assessment driving the decision to notify.

Attorney checklist—what to verify and request

  • Incident timeline from detection through notification; decision logs and approvals.
  • Four-factor risk assessment, affected populations, and data elements involved.
  • Notification packets to individuals; regulator and media notifications when applicable.
  • Vendor coordination records under Business Associate Agreements, including indemnity considerations.

Preventive controls to recommend

  • Playbooks with pre-approved templates and contact lists.
  • Escalation SLAs that bring legal, privacy, IT, and leadership together quickly.
  • Drills that measure time-to-discovery and time-to-notice across stakeholders.

Unauthorized Disclosure of PHI

What it looks like

Disclosures occur when PHI is shared with the wrong recipient or beyond the “minimum necessary.” Common sources include misaddressed emails or faxes, unsecured texting, social media posts, and hallway conversations. Overbroad responses to subpoenas or record requests also create exposure.

Red flags to spot

  • Email or fax logs showing frequent misdirected transmissions or unencrypted attachments.
  • Templates that include more PHI than needed, or no identity verification steps.
  • Public or semi-public displays of patient information (whiteboards, kiosks) without safeguards.

Attorney checklist—what to verify and request

  • Policies on disclosures, identity verification, and “minimum necessary.”
  • Secure messaging solutions, encryption defaults, and DLP rules.
  • Record-request workflows, subpoena procedures, and redaction checks.
  • Targeted Compliance Training for front-desk, billing, and release-of-information staff.

Preventive controls to recommend

  • Double-check prompts for external addresses; secure portals for record sharing.
  • Caller authentication scripts and “need-to-know” checklists.
  • Pre-approved, role-based templates that embed the minimum necessary standard.

Failure to Enter into Business Associate Agreements

What it looks like

Sharing PHI with a vendor that creates, receives, maintains, or transmits PHI—without a Business Associate Agreement—is a common violation. Risks rise when marketing, research, telehealth, billing, IT support, shredding, or cloud providers handle PHI or ePHI without contractual safeguards or when subcontractors go unvetted.

Red flags to spot

  • Procurement bypasses legal review; PHI flows under only a standard MSA or click-through terms.
  • Vendor inventory missing or outdated; subcontractors not disclosed.
  • BAAs lacking breach terms, security requirements, or downstream obligations.
  • PHI shared in pilots or trials before a BAA is executed.

Attorney checklist—what to verify and request

  • Comprehensive vendor list that flags PHI exposure and subcontractors.
  • Standard BAA with permitted uses, safeguards, Breach Notification Requirements, and audit rights.
  • Due diligence artifacts: security questionnaires, certifications, and incident histories.
  • Onboarding/offboarding workflows that gate PHI access on BAA execution.

Key takeaways

Most HIPAA failures trace to predictable breakpoints: incomplete Risk Assessment, weak Access Controls and Data Encryption, vendor gaps, and slow breach response. As counsel, you can surface issues quickly with targeted document requests, log reviews, and interviews focused on the “minimum necessary” standard, Business Associate Agreements, and notification playbooks.

FAQs

What are the penalties for HIPAA violations?

Penalties range from corrective action plans and mandated monitoring to civil monetary penalties that scale with the level of culpability (from lack of knowledge to willful neglect). In egregious cases, criminal charges may apply for wrongful disclosures or misuse of PHI. Regulators may also require restitution-like remedies, while state attorneys general can pursue additional actions. Beyond fines, organizations face contractual liability, litigation exposure under state laws, and significant reputational harm.

How can unauthorized access to PHI be prevented?

Build layered defenses: enforce unique IDs and MFA; implement role-based Access Controls with periodic reviews; monitor audit logs for anomalies; encrypt data on endpoints; and run targeted Compliance Training that stresses “minimum necessary” and real-world scenarios. Pair these with a clear sanction policy and swift offboarding procedures.

What steps must be followed after a data breach is detected?

First, contain and eradicate the threat while preserving evidence. Conduct a documented four-factor Risk Assessment to determine if there is a reportable breach of unsecured PHI. If notification is required, follow Breach Notification Requirements: notify affected individuals without unreasonable delay (and within the federal deadline), notify regulators, and, when size thresholds are met, notify the media. Coordinate with business associates, maintain a detailed timeline, and keep all decisions and communications on file.

How important are Business Associate Agreements in HIPAA compliance?

They are essential. BAAs define permitted uses of PHI, required safeguards, Breach Notification Requirements, and subcontractor obligations, creating enforceable accountability across your vendor ecosystem. Without them, both parties face heightened regulatory risk, unclear responsibilities during incidents, and limited recourse for inadequate security practices.
