Which Actions Are Most Clearly HIPAA Violations? A Practical Compliance Guide

Knowing exactly which actions cross the HIPAA line helps you prevent costly incidents before they happen. This guide highlights the clearest violations and pairs them with practical steps you can put in place today. Throughout, you’ll see how the HIPAA Privacy, Security, and Breach Notification Rule work together to protect Protected Health Information (PHI).

Use these sections to benchmark your safeguards, prioritize fixes from your latest Risk Assessment, and prepare for internal Compliance Audits that demonstrate your program is working.

Unauthorized Access to PHI

Why this is a clear violation

HIPAA requires you to limit PHI access to the minimum necessary for a person’s role. Viewing, retrieving, or using PHI without a job-related need—often called “snooping”—violates the Privacy Rule and, for electronic PHI, the Security Rule’s Access Controls requirement.

Common examples

• Opening a friend’s, celebrity’s, or family member’s chart “out of curiosity.”
• Using a coworker’s login or sharing passwords to look up records.
• Failing to terminate ex-employee accounts, allowing continued system access.
• Vendors accessing PHI outside the scope of a Business Associate Agreement (BAA).

How to prevent it

• Implement strong Access Controls: unique user IDs, role-based permissions, and multi-factor authentication.
• Enable automatic logoff and audit logs; review for unusual access and sanction violations consistently.
• Train staff on the minimum necessary standard and “break-glass” procedures with documented justification and monitoring.
• Ensure every PHI-touching vendor has a signed BAA and least-privilege access.

Improper Disposal of PHI

Why this is a clear violation

Throwing PHI in regular trash or discarding devices without properly removing data exposes sensitive information. HIPAA requires secure disposal so PHI cannot be reconstructed.

Proper disposal practices

• Paper PHI: cross-cut shredding, pulping, or incineration; use locked shred bins until destruction.
• Electronic media: cryptographic erase for encrypted media, degaussing, or physical destruction (e.g., shredding drives).
• Maintain chain-of-custody logs and obtain certificates of destruction from vetted vendors under a BAA.

Operational tips

• Inventory PHI locations (files, backup tapes, USBs) and set disposal schedules.
• Secure staging areas; never leave PHI in open bins or unlocked rooms.
• Validate vendor processes during Compliance Audits to confirm methods match policy.

Discussing PHI in Public Areas

Why this is a clear violation

Conversations that reveal patient identifiers where bystanders can overhear violate the Privacy Rule when they exceed incidental disclosure. Public areas include elevators, cafeterias, lobbies, waiting rooms, rideshares, and social media.

How to prevent it

• Move sensitive conversations to private rooms; lower your voice and use the minimum necessary details.
• Verify identity before phone disclosures; avoid leaving detailed PHI on voicemail.
• Use de-identified references in semi-public care settings (e.g., bed numbers instead of names).
• Post reminders in high-traffic areas and provide scripts for staff to redirect conversations.

Loss or Theft of Devices Containing PHI

Why this is a clear violation

Laptops, smartphones, tablets, and removable media that store or can access electronic PHI (ePHI) are prime targets. If a lost or stolen device provides unauthorized access to unencrypted PHI, you risk a breach with mandatory notifications.

Preventive controls

• Data Encryption at rest and in transit, enforced by mobile device management with remote lock and wipe.
• Strong screen locks, short timeouts, and policies restricting local downloads of PHI.
• Endpoint protection, device inventories, and cable locks for portable hardware.
• BYOD safeguards: containerization, policy-based access, and immediate removal when a device is lost or an employee departs.

If an incident occurs

• Conduct a documented Risk Assessment to determine the probability of compromise.
• If PHI is not secured (e.g., not properly encrypted), follow the Breach Notification Rule timelines.

Failure to Perform Risk Analyses

Why this is a clear violation

The Security Rule requires an accurate and thorough enterprise Risk Analysis of ePHI risks and vulnerabilities. Treating this as a one-time project—or skipping it—undercuts every other safeguard.

How to do it well

• Inventory systems, data flows, and vendors that create, receive, maintain, or transmit ePHI.
• Evaluate threats and vulnerabilities, score likelihood and impact, and document risk decisions.
• Remediate through a prioritized risk management plan with owners and deadlines.
• Update at least annually and whenever major changes occur (new EHR, cloud migrations, mergers).

Make it audit-ready

• Keep methodologies, findings, and action plans organized for Compliance Audits.
• Verify that Business Associate Agreements reflect actual services and security responsibilities.

Failure to Implement Security Measures

Why this is a clear violation

HIPAA’s safeguards are flexible but not optional. Failing to implement reasonable administrative, physical, and technical controls exposes PHI and violates the Security Rule.

Core security measures to implement

• Administrative: policies, workforce training, sanction procedures, vendor oversight, incident response, and contingency planning.
• Technical: Access Controls (unique IDs, MFA, automatic logoff), audit controls, integrity checks, Data Encryption, and transmission security.
• Physical: facility access controls, workstation security, device/media controls, and secure storage.
• Lifecycle practices: patching, vulnerability management, change control, and continuous monitoring.

Vendor alignment

• Require BAAs that mandate comparable safeguards and breach reporting duties.
• Assess vendors regularly and document corrective actions when gaps are found.

Failure to Provide Breach Notifications

What triggers notification

A breach is an impermissible use or disclosure of unsecured PHI that compromises privacy or security. Limited exceptions exist (e.g., certain good-faith workforce errors or inadvertent internal disclosures), but most incidents require a documented risk assessment to determine if there is a low probability of compromise.

Timelines and recipients

• Individuals: notify without unreasonable delay and no later than 60 days after discovery.
• HHS: for 500+ affected individuals, report within 60 days of discovery; for fewer than 500, submit within 60 days after the end of the calendar year.
• Media: if 500+ individuals in a single state or jurisdiction are affected, notify prominent media.
• Business associates must notify the covered entity without unreasonable delay, enabling timely notices.

What notices must include

• What happened and discovery date, the types of PHI involved, steps individuals should take, your mitigation actions, and contact information.
• Document decision-making thoroughly; your records are critical during Compliance Audits.

Conclusion

Clear HIPAA violations often stem from preventable lapses: unauthorized access, casual conversations, poor disposal, missing encryption, skipped Risk Analyses, weak controls, and delayed breach notices. By enforcing Access Controls, enabling Data Encryption, managing vendors with solid BAAs, and testing your program through Compliance Audits, you lower risk and respond decisively when issues arise.

FAQs

What constitutes an unauthorized access to PHI?

Any viewing, use, or disclosure of PHI without a legitimate job-related need is unauthorized. Examples include snooping in a patient’s record out of curiosity, using someone else’s credentials, accessing charts outside your role, or a vendor looking at PHI not permitted under its Business Associate Agreement. HIPAA’s minimum necessary standard applies to every access event.

How should PHI be properly disposed of?

Paper PHI must be rendered unreadable through cross-cut shredding, pulping, or incineration, stored in locked bins until destruction, and handled with chain-of-custody. Electronic PHI requires secure wiping (cryptographic erase), degaussing, or physical destruction of media. Use vetted destruction vendors with a signed BAA and keep certificates of destruction for records.

When must breach notifications be provided?

Notify affected individuals without unreasonable delay and no later than 60 days after discovering a breach of unsecured PHI. For incidents affecting 500 or more individuals, notify HHS within 60 days and local media if 500 or more are in one state or region. For fewer than 500, report to HHS within 60 days after the end of the calendar year. Business associates must alert the covered entity promptly so timelines are met.

What security measures are mandated by HIPAA?

HIPAA requires reasonable administrative, physical, and technical safeguards, including Access Controls (unique IDs, MFA, automatic logoff), audit and integrity controls, Data Encryption, transmission security, security awareness training, incident response, contingency planning, and ongoing Risk Analysis with risk management. The program must scale to your environment yet remain effective at protecting PHI.