Common Violations of HIPAA


The Health Insurance Portability and Accountability Act of 1996 (HIPAA) protects the privacy of patients, in addition to making health care portable and providing non-discrimination protection, according to the U.S. Department of Labor. HIPAA violations are investigated by the Office for Civil Rights (OCR), which is run by the U.S. Department of Health and Human Services.

Administrative Violations

Administrative HIPAA violations are fairly common. A covered entity, such as a doctor, hospital or health insurance company, must follow specific regulations to protect a patient's medical privacy. The covered entity must have a privacy policy and procedure, as well as a specific person who handles privacy issues. Covered entities must train their workers to protect privacy and must also install software to protect electronic data. The Department of Health and Human Services audits covered entities to determine whether any administrative violations have occurred.

Privacy Notice Violations

Under HIPAA, a covered entity must inform plan participants or patients within 60 days of making a change to its privacy practices. An employer or covered entity may forget to send out notices regarding revisions to privacy practices, which is a violation of HIPAA. Similarly, a company may forget to send out the reminder regarding HIPAA and how to obtain a copy of its privacy practices, which must be sent every three years.

State Law vs. HIPAA Violations

HIPAA will generally preempt state laws, because HIPAA is federal law and is often stricter than state law. However, there are some exceptions in which a state law should be followed instead of HIPAA. For example, when a state law is necessary to prevent fraud or to assist in reporting on health care delivery, the OCR's Privacy Rule summary directs covered entities to follow the state law.

Oral Privacy Violations

Under HIPAA, covered entities such as doctors must respect a patient's medical privacy by not orally disclosing identifiable information. For example, a physician cannot discuss a patient by name with another physician in a place that is not private, where others may overhear the information.

About the Author

Sarah Thomas has been a freelance writer for more than five years. She has ghostwritten e-books and articles on weddings and other topics. Her work has also been published on various websites. Thomas graduated from Daemen College with a degree in psychology.