
The Top 10 Most Common HIPAA Violations


Is your facility currently in compliance with the Health Insurance Portability and Accountability Act? If not, it could cost you - big time. Even if you or an employee unknowingly violate HIPAA regulations, you can be fined, and with civil penalties reaching $1.5 million per year for violations of a single provision, that is a risk you simply cannot afford to take. By examining 10 of the most common HIPAA violations, you can learn from the blunders of others, become more aware of the challenges you may face, and take measures to prevent them from happening at your facility.

10. Incomplete HIPAA authorization forms

Before releasing any information to outside parties, it is imperative that you double and triple check that the authorization is completed from top to bottom. The form should clearly list the patient's name, the party or parties to whom information may be released, which specific parts of the medical record may be released, and the date through which the authorization is valid. A request that asks for records outside the authorized scope, or names a recipient the form does not list, must be refused even if the form is otherwise complete.

9. Exclusion of a "right to revoke" clause

Your patients have the right to revoke their HIPAA authorizations, and this right must be stated clearly on the authorization form itself. An authorization that omits the right-to-revoke statement is not valid, so any release made under it is an unauthorized disclosure.

8. Failure to establish contracts with business associates

The Final Omnibus Rule has widened the umbrella under which an entity's "business associates" fall. If your business uses any outside party to handle, process, store, or transmit PHI, you must have a business associate agreement (BAA) in place with that party before it touches PHI. In that agreement the business associate commits to comply with the applicable HIPAA rules and to flow the same obligations down to its own subcontractors.

7. Release of information after the authorization period has expired

Insist that your staff verify the expiration date on the HIPAA authorization every time a release of information request comes through, and compare it against the date the request was received, not the date the form was signed. Although everything else may appear to be in order, if the request arrives after the expiration date, a new authorization form must be completed before anything is released.
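Items 10, 9 and 7 above describe one checklist that a release-of-information desk runs against every request: the form is complete, it carries a right-to-revoke statement, it has not expired or been revoked as of the request date, and the recipient and record scope match what the patient authorized. The following Python validator is an added example written for this article, not code from the author's company or any HIPAA product; the field names, the two constructed records and the wording of the findings are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Set


@dataclass
class Authorization:
    """What a completed HIPAA authorization form captures (illustrative fields)."""
    patient_name: str
    recipients: Set[str]            # parties to whom PHI may be released
    scope: Set[str]                 # record categories the patient authorized
    expires_on: date                # last day the authorization is valid
    has_right_to_revoke: bool       # form states the patient may revoke
    revoked_on: Optional[date] = None


@dataclass
class ReleaseRequest:
    """An incoming request for records (illustrative fields)."""
    patient_name: str
    recipient: str
    requested_scope: Set[str]
    received_on: date               # compare against this date, not the signing date


def validate_release(auth: Authorization, req: ReleaseRequest) -> List[str]:
    """Return the list of reasons the release must be refused; empty means OK."""
    problems: List[str] = []

    # Item 10: the form must be complete from top to bottom.
    if not auth.patient_name.strip():
        problems.append("form incomplete: patient name missing")
    if not auth.recipients:
        problems.append("form incomplete: no recipient named")
    if not auth.scope:
        problems.append("form incomplete: records to be released not specified")

    # Item 9: an authorization without a right-to-revoke statement is invalid.
    if not auth.has_right_to_revoke:
        problems.append("form invalid: right-to-revoke statement missing")
    if auth.revoked_on is not None and auth.revoked_on <= req.received_on:
        problems.append(f"authorization revoked on {auth.revoked_on.isoformat()}")

    # Item 7: check expiry against the date the request came in.
    if req.received_on > auth.expires_on:
        problems.append(
            f"authorization expired on {auth.expires_on.isoformat()}; new form required"
        )

    # The request must match the authorization: same patient, listed recipient,
    # and no record category the patient did not authorize.
    if req.patient_name.strip().casefold() != auth.patient_name.strip().casefold():
        problems.append("request is for a different patient than the authorization")
    if req.recipient not in auth.recipients:
        problems.append(f"recipient {req.recipient!r} is not named on the authorization")
    unauthorized = req.requested_scope - auth.scope
    if unauthorized:
        problems.append("requested records outside authorized scope: "
                        + ", ".join(sorted(unauthorized)))
    return problems


# Constructed sample data (not real patients).
GOOD_AUTH = Authorization(
    patient_name="Jane Doe",
    recipients={"Acme Insurance"},
    scope={"discharge summary", "lab results"},
    expires_on=date(2014, 6, 30),
    has_right_to_revoke=True,
)


def check_in_time() -> List[str]:
    """A request within the authorization period, matching scope and recipient."""
    req = ReleaseRequest("Jane Doe", "Acme Insurance", {"lab results"}, date(2013, 11, 4))
    return validate_release(GOOD_AUTH, req)


def check_expired_and_overbroad() -> List[str]:
    """Same form, but the request arrives late and asks for more than was authorized."""
    req = ReleaseRequest("Jane Doe", "Acme Insurance",
                         {"lab results", "psychotherapy notes"}, date(2014, 7, 1))
    return validate_release(GOOD_AUTH, req)


if __name__ == "__main__":
    print("in-time request:", check_in_time() or "release permitted")
    print("late request:", check_expired_and_overbroad())
```

The validator returns every reason for refusal rather than stopping at the first one, so the desk can send the patient a single corrected form instead of discovering a second defect on resubmission. Revocation is checked with the same "as of the request date" rule as expiry, because a revocation received after the release was made does not make the earlier release improper.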

6. Errors in paper file storage and disposal

Some of the most common HIPAA violations are the result of simple human error. It is all too easy for an administrator to misfile a patient's records or to discard a document containing PHI without shredding it. Breaches like these can be reduced by moving to an electronic records system with access controls and an audit trail, so that a misfiled or misplaced paper record is no longer the failure point.

5. Failure to release patient information in a timely manner 

The Final Omnibus Rule, implementing the HITECH Act, also requires medical facilities to provide patients with an electronic copy of their records on request. If your facility cannot respond to such a request within the required time frame, you can be fined. If your facility is not currently equipped to produce electronic copies, consider hiring a medical document scanning service.

4. Computer Hacking

In 2012, the Utah Department of Health confirmed that a server holding the PHI of more than 780,000 patients had been compromised, exposing addresses, birth dates, Social Security numbers, diagnosis codes, and more. Encryption, firewalls, patching, and other security measures are imperative to protecting this information.

3. The loss of backup disks or portable drives

Last year, an Atlanta-based hospital system misplaced 10 backup disks storing the PHI of over 315,000 patients. Accountability logs and thorough chain-of-custody records should be kept for backup media, and any thumb drives or portable disks holding PHI should be encrypted, with the encryption key protected separately from the device.

2. Employees inappropriately accessing, using, or transmitting PHI

Surprisingly, some of the most common HIPAA violations involve healthcare employees looking at files they have no business reason to see, whether out of curiosity or with malicious intent. Role-based clearance levels, unique user IDs for every person who accesses PHI, and regular review of the access audit log will deter this behavior and let you catch it when it happens.
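Unique user IDs only help if someone actually reviews what those IDs accessed. The following Python script is an added example for this article, not code from the author's company or from any EHR vendor; the log line format, the care-team roster and the browsing threshold are assumptions constructed for illustration. It runs two simple checks over PHI access log lines: an access by a user who has no treatment relationship with the patient, and a user who opens several unassigned patients' records, the pattern left by casual browsing.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Assumed audit-log line format (illustrative; real EHR logs differ).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"patient=(?P<patient>\S+) action=(?P<action>\S+)$"
)

# Constructed roster: which staff have a treatment relationship with which patient.
CARE_TEAM: Dict[str, Set[str]] = {
    "P1001": {"jsmith", "dlee"},
    "P1002": {"dlee"},
    "P1003": {"mwong"},
}

# Constructed sample log lines (no real patients or staff).
SAMPLE_LOG = """
2013-11-04T09:12:03 user=jsmith role=nurse patient=P1001 action=view
2013-11-04T09:15:44 user=dlee role=physician patient=P1002 action=view
2013-11-04T12:01:10 user=rkim role=billing patient=P1001 action=view
2013-11-04T12:01:52 user=rkim role=billing patient=P1002 action=view
2013-11-04T12:02:30 user=rkim role=billing patient=P1003 action=view
2013-11-04T14:20:05 user=mwong role=nurse patient=P1001 action=view
this line is malformed and must be skipped
""".strip().splitlines()

BROWSE_THRESHOLD = 3   # assumed: this many unassigned patients in one log = browsing

Finding = Tuple[str, str, str, str]   # (timestamp, user, patient(s), reason)


def review_access_log(lines: List[str],
                      care_team: Dict[str, Set[str]],
                      browse_threshold: int = BROWSE_THRESHOLD) -> List[Finding]:
    """Flag PHI accesses that lack a treatment relationship, plus browsing patterns."""
    findings: List[Finding] = []
    unassigned_by_user: Dict[str, Set[str]] = defaultdict(set)

    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                      # unparseable lines are skipped, not trusted
        ev = m.groupdict()
        if ev["user"] not in care_team.get(ev["patient"], set()):
            findings.append((ev["ts"], ev["user"], ev["patient"],
                             "access without treatment relationship"))
            unassigned_by_user[ev["user"]].add(ev["patient"])

    # Second pass: one stray access may be a legitimate consult; a run of them is browsing.
    for user, patients in sorted(unassigned_by_user.items()):
        if len(patients) >= browse_threshold:
            findings.append(("-", user, ",".join(sorted(patients)),
                             f"browsing: {len(patients)} unassigned patients viewed"))
    return findings


def review_sample() -> List[Finding]:
    return review_access_log(SAMPLE_LOG, CARE_TEAM)


if __name__ == "__main__":
    for ts, user, patient, reason in review_sample():
        print(f"{ts} {user} {patient}: {reason}")
```

On the constructed log this reports the nurse who opened a patient outside her assignment once, and the billing clerk who opened three, the second with an additional browsing finding. In a real deployment, roles with legitimate non-treatment access (release of information staff, billing) need an explicit allow rule tied to an open work item, so that the review surfaces curiosity rather than burying it in expected noise.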

1. Storing patient information on laptops

The largest volume of HIPAA violations in 2012 occurred as a result of storing PHI on unencrypted laptops that were later lost or stolen. If PHI must be accessed remotely, keep it off the device wherever possible by working from an access-controlled cloud database, and apply full-disk encryption to any laptop that must hold PHI. Under the breach notification rule, a lost laptop whose PHI was properly encrypted is not treated as a breach of unsecured PHI; a lost laptop with the same data in the clear is.

Don't let your facility become another statistic. By understanding the most common HIPAA violations, you can take measures to actively prevent them from occurring.

Photo credit: sam_churchill via Flickr


Fig Gungor is CEO of OneSource Document Management, a New York based company that offers a broad range of customized copy and scanning services that translate into a significant savings for insurance companies, hospitals and large medical facilities.


Isn't it a HIPAA violation to text patient information between healthcare workers?
Posted @ Monday, November 04, 2013 6:57 PM by Darlene Thomas
If the information being texted contains any PHI, then it puts the patient's privacy at risk. HITECH states that all PHI transmitted electronically needs to be encrypted.
Posted @ Tuesday, November 19, 2013 8:34 AM by Fig Gungor