HIPAA laws

Since the start of the coronavirus pandemic in March of 2020, HIPAA has been a popular topic that keeps coming up in mainstream media outlets, professional sports, political talks, and throughout the healthcare industry. Although HIPAA has been established since 1996, many confuse what it actually protects and how it can be violated.

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a United States federal law passed by the 104th United States Congress and signed into law by President Bill Clinton on August 21, 1996. The purpose of HIPAA was to create a set of national standards for protecting private patient health data and making it illegal to share that information without patient consent. It was also put in place to improve the portability and accountability of health insurance plans for workers and substantially reduce fraud and abuse in health plans.

HIPAA specifically requires organizations that deal with protected health information (PHI) to establish safeguards protecting data from external threats, provide applicable training to employees regarding the confidentiality of electronic protected health information (ePHI) and PHI, and never disclose payments for, or a description of, healthcare you have previously received or are currently receiving. For a more in-depth look into the history, laws, and regulations surrounding HIPAA and HIPAA compliant email, check out our comprehensive HIPAA compliance guide: Everything You Need to Know About HIPAA Compliant Email In 2022.

HIPAA laws and regulations are constantly changing, so it can be difficult to stay up-to-date with the latest ways HIPAA violations commonly occur. Routinely keeping yourself and your staff aware of current HIPAA compliance laws will help to mitigate potential risks or fines. Learning how HIPAA can be violated should be a top priority within any healthcare organization. In this article, you will learn the most common ways HIPAA can be breached and how to avoid them.

1. Data Breaches.

Understand that, no matter what safeguards you have in place, HIPAA violations can still occur. Data breaches are currently skyrocketing due to the increase in remote work, and while many are unavoidable, most happen because of human error. Surprisingly enough, about 9 out of 10 data breaches occur because of user error. A study from Stanford University revealed that 88 percent of all data breaches are caused by someone from within an organization and not by an outside threat. Even more surprising, younger employees are more likely to act on “phishing” attempts than older employees.

2. Not Properly Storing Sensitive Patient Data.

Keeping unsecured patient records is another common way HIPAA violations can occur. Always make sure your staff is properly storing online records in a secured database to ensure the protection of patient information and electronic protected health information (ePHI). Any paper files containing protected health information should be kept in a locked cabinet or desk, and only authorized personnel should be given access.

3. Sending, Receiving, & Storing Unencrypted Data.

Although HIPAA laws don’t explicitly state that healthcare organizations must use encrypted messaging services to transmit ePHI, it is highly suggested that you do so. While HIPAA may not require this, state laws vary on this topic, and many states have passed laws requiring ePHI to be encrypted and electronically protected both in transit and in storage. Encryption also provides an added layer of security for devices containing such information, so that the data on them stays unreadable if a device is lost, stolen, or otherwise compromised.

4. Improperly Disposing of Documents.

While it may come as a surprise, many healthcare organizations still use paper filing systems to manage and store patient files or PHI. Although this may be a preferred strategy for keeping files stored and organized, the truth is that human error is far more likely to occur. If you do use a paper filing system to store and access PHI, make sure to establish proper policies and procedures regarding how this information is handled; one wrong move could cost you!

5. Losing Devices.

Using an electronic filing system is highly recommended to ensure any ePHI or PHI is protected with the proper safeguards. Although using electronic devices to store patient data is by far the safest method for avoiding human error and keeping sensitive data safe, the downside is that the devices holding this information (smartphones, tablets, laptops, and desktop computers) can be lost or stolen. To avoid losing or misplacing a device containing ePHI, store it in a locked cabinet or safe when you are away from it or leaving the building. Also, never take a device containing patient files home with you, and always make sure all devices are password protected and have two-step verification. A violation resulting from a lost or stolen device containing ePHI could cost you thousands of dollars.
Now that you know some common ways HIPAA violations can occur, you can reevaluate your current protocols and safeguards regarding data protection and either make changes accordingly or rest easy knowing your organization is in line with the policies and regulations surrounding HIPAA. Implementing effective compliance strategies for your healthcare organization and your employees will also help to mitigate risks and potential data breaches, but keep in mind that violations can still occur even with the best security practices and safeguards.