Common HIPAA Violations

HIPAA regulations can be overwhelming, and non-compliance can lead to hefty fines and/or jail time. At MedPro Disposal we have listed some of the most common HIPAA violations for you.

Intruding on Healthcare Records

Accessing health records for any reason other than treatment, payment, or healthcare operations is prohibited. Looking up the records of family, friends, co-workers or other people for personal use is one of the top HIPAA violations.

Failure to Perform Risk Analysis & Security

You should be conducting company-wide risk analyses on a regular basis to find the weaknesses an attacker could use to get in. This is a common HIPAA violation because many practices simply don’t take the time to do them. Unaddressed risks only make it easier for attackers to reach sensitive data.

Denying Patients Access to Their Medical Records

Patients have the right to access their medical records and to receive a copy on request. It’s common for staff to deny patients access to their own records. It’s considered a HIPAA violation when there is a clear denial or the records aren’t provided within 30 days of the request.

Failure or Refusal to Enter into a HIPAA-Compliant Business Associate Agreement

If you are given access to Protected Health Information (PHI), you are required to sign a HIPAA Business Associate Agreement (BAA). If one party fails or refuses to sign, the resulting violations can penalize everyone involved, not just that party.

Insufficient Electronic Protected Health Information (ePHI) Access Controls

Covered entities and their business associates must limit access to ePHI to those individuals who are authorized, and to no one else. Failing to limit access can lead to security breaches and heavy fines.
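The two sections above come down to one control: a user may only read a record for an approved purpose (treatment, payment, or operations), only if their role and relationship to the patient justify it, and only the fields that purpose needs. The following Go program is an added example written for this page, not MedPro Disposal's code; the roles, purposes, care-team lookup and the sample record are all constructed for illustration. Every decision, allowed or denied, is appended to an audit trail so that snooping on a co-worker's record shows up in review instead of going unnoticed.

```go
package main

import (
	"errors"
	"fmt"
)

// Purpose is the reason a user gives for reading a record. HIPAA permits
// access for treatment, payment and healthcare operations; anything else
// (curiosity about a relative or co-worker) is denied outright.
type Purpose string

const (
	Treatment  Purpose = "treatment"
	Payment    Purpose = "payment"
	Operations Purpose = "operations"
)

// Role is the workforce role of the requesting user (constructed roles).
type Role string

const (
	Clinician Role = "clinician"
	Billing   Role = "billing"
	Admin     Role = "admin"
)

// User is a workforce member. CareTeam holds the patient IDs a clinician is
// assigned to; a treatment request for any other patient is denied.
type User struct {
	ID       string
	Role     Role
	CareTeam map[string]bool
}

// Record is a minimal ePHI record (constructed sample fields).
type Record struct {
	PatientID string
	Name      string
	Diagnosis string
	Insurer   string
}

// AuditEntry records every decision so that denied attempts are reviewable.
type AuditEntry struct {
	UserID    string
	PatientID string
	Purpose   Purpose
	Allowed   bool
}

var ErrDenied = errors.New("access denied")

// rolePurposes maps each role to the purposes it may assert.
var rolePurposes = map[Role]map[Purpose]bool{
	Clinician: {Treatment: true},
	Billing:   {Payment: true},
	Admin:     {Operations: true},
}

// Authorize decides whether u may read r for the stated purpose and, when
// allowed, returns only the fields that purpose needs ("minimum necessary").
// Every decision is appended to audit.
func Authorize(u User, purpose Purpose, r Record, audit *[]AuditEntry) (Record, error) {
	view, err := decide(u, purpose, r)
	*audit = append(*audit, AuditEntry{UserID: u.ID, PatientID: r.PatientID, Purpose: purpose, Allowed: err == nil})
	return view, err
}

func decide(u User, purpose Purpose, r Record) (Record, error) {
	if !rolePurposes[u.Role][purpose] {
		return Record{}, fmt.Errorf("%w: role %q may not access PHI for %q", ErrDenied, u.Role, purpose)
	}
	switch purpose {
	case Treatment:
		if !u.CareTeam[r.PatientID] {
			return Record{}, fmt.Errorf("%w: %s has no treatment relationship with patient %s", ErrDenied, u.ID, r.PatientID)
		}
		return r, nil // the treating clinician needs the full record
	case Payment:
		// Billing needs identity and insurer, not the clinical narrative.
		return Record{PatientID: r.PatientID, Name: r.Name, Insurer: r.Insurer}, nil
	case Operations:
		// Operational reporting works on the identifier alone.
		return Record{PatientID: r.PatientID}, nil
	}
	return Record{}, ErrDenied
}

func main() {
	var audit []AuditEntry
	rec := Record{PatientID: "P-1001", Name: "Sample Patient", Diagnosis: "constructed", Insurer: "Example Health"}
	drA := User{ID: "dr-a", Role: Clinician, CareTeam: map[string]bool{"P-1001": true}}
	drB := User{ID: "dr-b", Role: Clinician} // not on P-1001's care team

	requests := []struct {
		u User
		p Purpose
	}{{drA, Treatment}, {drB, Treatment}, {User{ID: "bill-1", Role: Billing}, Payment}, {drA, Operations}}
	for _, req := range requests {
		view, err := Authorize(req.u, req.p, rec, &audit)
		fmt.Printf("%s/%s -> view=%+v err=%v\n", req.u.ID, req.p, view, err)
	}
	fmt.Printf("%d decisions audited\n", len(audit))
}
```

The purpose check and the relationship check are deliberately separate: a clinician asserting "treatment" for a patient they are not assigned to is exactly the record-snooping case, and it fails even though the role itself is allowed to treat.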

Failure to Encrypt Sensitive Data

Encryption is the most effective way to protect sensitive data from a breach. Even if encrypted data is stolen, it does the criminal no good, because it can only be decrypted by someone who holds the key.
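To show what "no good to the criminal" means in practice, here is an added example in Go (written for this page, not MedPro Disposal's code) that seals a constructed ePHI record with AES-256-GCM. The raw ciphertext never contains the plaintext, and decryption fails outright under a wrong key, a modified ciphertext, or a mismatched record identifier. The record contents, identifier and key handling are illustrative assumptions; in a real deployment the key would be held in a key store or HSM, never stored beside the data it protects.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh 256-bit AES key from the OS random source.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Encrypt seals plaintext with AES-256-GCM. A random nonce is prepended to
// the output; aad (here the record ID) is authenticated but not encrypted,
// so a ciphertext cannot be silently swapped onto another patient's record.
func Encrypt(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to nonce, giving nonce || ct || tag.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Decrypt reverses Encrypt. It returns an error (and no plaintext) under a
// wrong key, a modified ciphertext, or mismatched aad.
func Decrypt(key, data, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := data[:gcm.NonceSize()], data[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Leaks reports whether the plaintext appears verbatim inside the ciphertext,
// i.e. whether someone reading the stolen bytes would see the record.
func Leaks(ciphertext, plaintext []byte) bool {
	return bytes.Contains(ciphertext, plaintext)
}

func main() {
	record := []byte(`{"patient":"P-1001","diagnosis":"constructed sample"}`) // constructed ePHI
	aad := []byte("record:P-1001")

	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	ct, err := Encrypt(key, record, aad)
	if err != nil {
		panic(err)
	}
	fmt.Printf("ciphertext %d bytes, leaks plaintext: %v\n", len(ct), Leaks(ct, record))

	pt, err := Decrypt(key, ct, aad)
	fmt.Printf("right key: %s (err=%v)\n", pt, err)

	wrong, _ := NewKey()
	_, err = Decrypt(wrong, ct, aad)
	fmt.Println("wrong key:", err)

	ct[len(ct)-1] ^= 0x01 // flip one bit of the authentication tag
	_, err = Decrypt(key, ct, aad)
	fmt.Println("tampered:", err)
}
```

GCM is chosen over a bare block cipher mode because it authenticates as well as encrypts: an attacker who cannot read the data also cannot alter it undetected, which matters for records that drive clinical decisions.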

Impermissible Disclosures of PHI

Sharing information with a patient’s employer, mishandling or unnecessarily sharing PHI, disclosing PHI through the theft or loss of unencrypted devices, failing to adhere to the “minimum necessary” standard, or disclosing a patient’s PHI after their consent expires are all impermissible disclosures that carry a penalty.

Incorrect Disposal of PHI

Once the required retention period has passed, HIPAA requires healthcare facilities to destroy patient records safely and securely. The two most common methods are shredding physical documents and wiping or physically destroying hard drives.

HIPAA Violation Penalties

There are two categories that a HIPAA violation will fall under: civil or criminal. Penalties are graded by severity. Any HIPAA violation is serious, but the consequences range from a low fine to 10 years in jail.

If you unknowingly incur a HIPAA violation, you’ll receive a $100 fine per violation, with an annual maximum of $1.5 million. Another category is willful neglect: you are aware of the violation but either choose to continue anyway or refuse to correct it. Financial penalties for willful neglect range from $1,000 per violation up to an annual maximum of $1.5 million.

Stealing PHI or committing offenses under false pretenses carries a financial penalty and possible criminal charges. Fines range from $50,000 to $250,000, and you can incur jail time of 1 to 10 years depending on the charges.

HIPAA violations are serious! Not only can you land yourself and your practice in legal trouble, but you could also lose your patients’ trust. Keep your patients’ best interests in mind. At MedPro Disposal we care about your company and your waste!
