The Health Insurance Portability and Accountability Act of 1996 (HIPAA) protects the privacy of patients in addition to making health care portable and providing non-discrimination protection, according to the U.S. Department of Labor. HIPAA violations are investigated by the Office of Civil Rights (OCR), which is run by the U.S. Department of Health and Human Services.
Privacy Notice Violations
Under HIPAA, a covered entity must inform plan participants or patients within 60 days when making a change regarding privacy practices. An employer or covered entity may forget to send out notices regarding revisions to privacy practices, which is a violation of HIPAA. Similarly, a company may forget to send out a reminder regarding HIPAA and how to obtain a copy of privacy practices, which must be sent every three years.
State Law vs. HIPAA Violations
HIPAA will generally preempt state laws, because HIPAA is federal and often stricter than state law. However, there are some exceptions where a state law should be followed instead of HIPAA. For example, when a state law is necessary to prevent fraud, or to assist in reporting on health care delivery, the OCR Privacy Rule Summary states that state law is to be followed.
Oral Privacy Violations
Under HIPAA, covered entities such as doctors must respect a patient's medical privacy by not orally disclosing identifiable information. For example, a physician cannot discuss a patient by name with another physician when they are not in private and others may overhear the information.