20 Lesser-Known HIPAA Violations and How to Address Them

HIPAA compliance is essential for maintaining the integrity and confidentiality of patient information. While the basics of HIPAA compliance are well understood, it's crucial to be aware of numerous less-expected violations that can catch even the most diligent organizations off guard. Below are 20 lesser-known HIPAA violations that can put your organization at risk of unexpected breaches, underscoring the need for caution and vigilance. For each violation, we'll discuss how IT can validate if it's occurring, the technical methods, and the first steps to resolving it. This guide aligns with current HIPAA Security Rule requirements (45 CFR Part 164 Subpart C) and includes implementation specifications for required and addressable standards.

1. Insecure Text Messaging

Some healthcare providers use personal or unsecured messaging apps to communicate patient information quickly. While convenient, these apps lack the necessary encryption and security measures, making patient data vulnerable to unauthorized access.

How to Validate:

• Network Monitoring Tools: Intrusion detection systems (IDS) and data loss prevention (DLP) tools monitor outgoing network traffic for PHI transmitted via unsecured messaging apps.
• Mobile Device Management (MDM): Implement MDM solutions (e.g., Microsoft Intune or MobileIron) to inventory all mobile devices and detect unauthorized messaging applications.
• Application Usage Logs: Analyze logs from corporate devices to identify the use of non-compliant messaging apps.
• Message Retention Monitoring: Verify that message archiving and retention policies are correctly configured and enforced.

Technical Steps to Resolve:

• Deploy Secure Messaging Platforms: Implement HIPAA-compliant messaging solutions like TigerConnect or Spok Mobile, which offer end-to-end encryption and message retention capabilities.
• MDM Policy Enforcement: Configure MDM policies to block the installation or use of unauthorized messaging apps on company devices.
• Network Access Control (NAC): Use NAC solutions to prevent devices with unauthorized apps from accessing the network.
• Message Retention Implementation: Configure automatic message archiving for the required 6-year retention period as per HIPAA regulations.

Estimated Implementation Costs:

• Secure Messaging Solutions: Approximately $10–$15 per user/month.
• MDM Implementation: Around $4–$8 per device/month.
• NAC Solutions: About $20–$30 per endpoint/year.

2. Sharing PHI on Social Media

Social media is powerful, but posting patient information or images without consent can lead to significant HIPAA violations. Even seemingly harmless posts can inadvertently reveal sensitive information.

How to Validate:

• Social Media Monitoring Tools: Utilize tools to monitor social media channels for unauthorized PHI disclosures.
• Keyword Alerts: Set up alerts for patient names or sensitive terms that could indicate PHI exposure.

Technical Steps to Resolve:

• Implement Content Filtering: Use DLP software to prevent PHI from being uploaded or shared from company networks.
• Access Restrictions: Block social media sites on corporate networks or limit access to authorized personnel.
• Automated Warnings: Configure systems to display warnings when users attempt to access social media platforms from work devices.

Estimated Implementation Costs:

• DLP Solutions: $25–$50 per user/year, depending on organization size.
• Monitoring Tools: $99–$599 monthly, depending on the plan.
• Access Control Systems: Costs vary based on existing infrastructure.

3. Unattended Computers and Devices

Leaving computers or devices logged in and unattended can expose patient information to unauthorized access. In busy healthcare environments, it's crucial to implement auto-lock settings and ensure that devices are never left unattended while logged in.

How to Validate:

• Endpoint Management Tools: Use solutions like Microsoft Endpoint Manager or Jamf to enforce screen lock policies and monitor compliance.
• Physical Audits: Install security cameras or conduct random physical checks in sensitive areas.

Technical Steps to Resolve:

• Enforce Automatic Screen Locks: Set group policies to lock screens after a short period of inactivity (e.g., 5 minutes), complying with HIPAA's addressable specifications for workstation security.
• Use Proximity-Based Locking: Implement solutions that lock devices when the user moves away, using badges or Bluetooth signals.
• Biometric Authentication: Require fingerprint or facial recognition to unlock devices.

Estimated Implementation Costs:

• Endpoint Management Tools: $2–$6 per device/month.
• Proximity Locking Solutions: $50–$100 per user, one-time cost.
• Biometric Devices: $100–$250 per device.

‍4. Improper Disposal of PHI

Disposing of patient records or other Protected Health Information (PHI) without proper shredding or destruction methods can lead to unauthorized access. Proper disposal methods are essential to maintaining HIPAA compliance.

How to Validate:

• Audit Trails: Review disposal logs and chain-of-custody documentation for physical records.
• Storage Media Scanning: Use tools to scan discarded electronic media for residual data.

Technical Steps to Resolve:

• Implement Data Sanitization Tools: Use software like Blancco Drive Eraser to wipe hard drives and ensure shredders meet security standards.
• Contract Certified Disposal Services: Partner with companies specializing in HIPAA-compliant disposal of electronic and paper records.
• Barcode Tracking: Implement barcode systems to track physical records throughout their lifecycle.

Estimated Implementation Costs:

• Data Sanitization Software: $500–$1,000 per license.
• Certified Disposal Services: $50–$150 per service visit, depending on volume.
• Barcode Systems: $2,000–$5,000 for setup and training.

5. Non-HIPAA Compliant Fax Services

Using fax service providers that are not HIPAA compliant can put your organization at risk. Verify that any third-party service handling PHI meets all HIPAA requirements and has signed a Business Associate Agreement (BAA).

How to Validate:

• Vendor Assessment: Review the security measures and certifications of fax service providers.
• Data Flow Analysis: Map out how PHI is transmitted via fax services to identify potential vulnerabilities.

Technical Steps to Resolve:

• Switch to Secure Fax Solutions: Use HIPAA-compliant fax services like Documo, which offers secure, encrypted faxing solutions.
• Encrypt Fax Transmissions: Use services like Documo to ensure that fax data is encrypted both in transit and at rest.
• Secure Fax Machines: If physical fax machines are used, place them in secured areas and restrict access.

Estimated Implementation Costs:

• Documo Fax Services: starts at $14.99 - costs increased based on volume. Organizations with a high volume of fax traffic should negotiate custom pricing. 
• Encryption Implementation: Typically included with secure fax services like Documo.
• Physical Security Measures: Variable costs based on facility modifications.

6. Lack of Encryption

Sending PHI via email or electronic means without encryption exposes data to potential breaches. Encryption ensures that even if data is intercepted, it cannot be read without the decryption key, thereby protecting patient information.

How to Validate:

• Encryption Scanning Tools: Use software like Microsoft BitLocker Administration and Monitoring (MBAM) to verify device encryption status.
• Email Gateway Analysis: Check email servers and gateways to ensure encryption protocols like TLS 1.2 or higher are enforced.
• Encryption Algorithm Verification: Audit systems to ensure the use of NIST-approved encryption algorithms (AES-128, AES-256, or similar).

Technical Steps to Resolve:

• Implement Full Disk Encryption: Use FIPS 140-2 validated encryption tools for all endpoints and servers handling PHI.
• Enforce Encrypted Email: Configure email systems to require encryption for messages containing PHI using solutions like Proofpoint or ZixMail.
• Encrypt Backup Media: Ensure all backups are encrypted on-site and in the cloud.
• Transport Layer Security: Implement minimum TLS 1.2 for all network communications containing PHI.

Estimated Implementation Costs:

• Encryption Tools: $50–$100 per device, one-time cost.
• Encrypted Email Solutions: $4–$12 per user/month.
• Backup Encryption: This may be included with backup solutions or $500–$2,000 for encryption add-ons.

7. Misaddressed Emails or Faxes

Accidentally sending PHI to the wrong recipient is a common mistake that can lead to HIPAA violations. Double-check email addresses and fax numbers before sending any information to ensure it reaches the intended recipient.

How to Validate:

• Email DLP Solutions: Implement DLP tools that scan outgoing emails for PHI and verify recipient addresses.
• Fax Confirmation Reports: Review fax transmission reports for errors or unintended recipients.

Technical Steps to Resolve:

• Use Secure Email Portals: Implement systems that require recipients to log into a secure portal to access PHI.
• Auto-Complete Restrictions: Disable auto-complete features in email clients for addresses outside the organization.
• Two-Step Verification: A secondary confirmation is required before sending emails or faxes containing PHI.

Estimated Implementation Costs:

• DLP Solutions: $5,000–$20,000 annually.
• Secure Email Portals: $3–$10 per user/month.
• Configuration Changes: Minimal direct costs.

8. Inadequate Training

Employees not adequately trained on HIPAA regulations and the importance of protecting PHI can become a liability. Regular and thorough training sessions are essential to ensure all staff members understand how to handle patient information securely.

How to Validate:

• Learning Management Systems (LMS): Use an LMS to track completion rates of HIPAA training modules.
• Phishing Simulations: Conduct simulated phishing attacks to assess employee awareness.

Technical Steps to Resolve:

• Mandatory E-Learning Courses: Deploy interactive HIPAA compliance courses with assessments.
• Regular Training Updates: Schedule periodic refresher sessions and update training materials with new regulations.
• Certification Tracking: Keep digital records of employee certifications and renewal dates.

Estimated Implementation Costs:

• LMS Platforms: $1,000–$5,000 annually.
• Training Content: $20–$50 per employee/course.
• Phishing Simulation Tools: $1–$5 per user/month.

9. Unauthorized Access by Employees

Employees accessing patient records without a valid reason or outside their scope of work constitutes a severe breach. Implement strict access controls and audit logs to monitor who accesses PHI and why.

How to Validate:

• Access Logs and SIEM Systems: Monitor and analyze access logs using Security Information and Event Management (SIEM) tools like Splunk or LogRhythm.
• User Behavior Analytics (UBA): Implement UBA solutions to detect anomalous access patterns.

Technical Steps to Resolve:

• Role-Based Access Control (RBAC): Configure systems to grant access based on job roles, minimizing unnecessary access.
• Multi-Factor Authentication (MFA): MFA is required to access PHI systems.
• Automated Alerts: Set up alerts for unusual access times or volumes of records accessed.

Estimated Implementation Costs:

• SIEM Solutions: $5,000–$50,000 annually, depending on data volume.
• UBA Tools: $10–$25 per user/month.
• MFA Solutions: $3–$6 per user/month.

10. Failure to Sign Business Associate Agreements (BAAs)

Not having signed BAAs with third parties handling PHI is a common oversight. These agreements ensure all parties know their responsibilities and comply with HIPAA regulations.

How to Validate:

• Vendor Management Software: Use platforms to track BAAs and vendor compliance status.
• Contract Management Systems: Implement systems to manage and remind about contract renewals and compliance documents.

Steps to Resolve:

• Centralize BAA Documentation: Store all BAAs in a secure, accessible repository.
• Automate Compliance Checks: Use software to notify when BAAs are missing or due for renewal.
• Vendor Risk Assessments: Regularly assess vendors for compliance and security posture.

Estimated Implementation Costs:

• Vendor Management Tools: $2,000–$10,000 annually.
• Contract Management Systems: $5,000–$20,000 annually.
• Compliance Staff Training: Variable costs based on training programs.

11. Insecure Cloud Storage

Storing PHI in cloud services that do not comply with HIPAA security standards can be a significant risk. Ensure that any cloud service storing PHI has the necessary security measures and has signed a BAA.

How to Validate:

• Cloud Access Security Broker (CASB): Use CASB solutions to monitor cloud service usage and compliance.
• Configuration Audits: Use tools to ensure cloud resources meet HIPAA security standards.
• Data Residency Verification: Implement tools to monitor and enforce geographical data storage requirements.

Technical Steps to Resolve:

• Migrate to Compliant Services: Use HIPAA-compliant cloud providers, ensuring signed BAAs are in place.
• Encrypt Data in Transit and At Rest: Implement NIST-approved encryption protocols for all cloud-stored PHI.
• Secure Access Controls: Use identity and access management (IAM) to restrict access to cloud resources.
• Geographical Controls: Configure data storage policies to ensure PHI remains within approved jurisdictions.

Estimated Implementation Costs:

• CASB Solutions: $20–$50 per user/year.
• Cloud Compliance Tools: These are often included with cloud services.
• Cloud Migration: Variable costs based on data volume and complexity.

12. Misplaced Portable Devices

Portable devices like laptops, tablets, and USB drives containing PHI are easily lost or stolen. To prevent unauthorized access, encrypt data on portable devices and implement policies for securely managing these items.

How to Validate:

• Asset Tracking Systems: Use RFID tags or GPS tracking for devices.
• MDM Remote Monitoring: Monitor device location and status via MDM solutions.

Technical Steps to Resolve:

• Enable Remote Wipe: Ensure all devices can be remotely wiped if lost or stolen.
• Enforce Strong Authentication: Require passwords, biometrics, or MFA to access devices.
• Regular Inventory Audits: Conduct physical audits to account for all devices.

Estimated Implementation Costs:

• Asset Tracking: $50–$150 per device.
• Remote Wipe Capabilities: Included with most MDM solutions.
• Inventory Management Systems: $1,000–$5,000 annually.

13. Use of Personal Devices

Allowing employees to use personal devices to access or store PHI without proper security measures can lead to breaches. Implement a robust Bring Your Own Device (BYOD) policy that ensures personal devices meet HIPAA security requirements.

How to Validate:

• Network Access Control (NAC): Use NAC solutions to detect and control personal devices on the network.
• MDM Enrolment Enforcement: All devices accessing PHI are required to enroll in MDM.

Technical Steps to Resolve:

• Implement BYOD Policies: Define security requirements for personal devices accessing PHI.
• Containerization: Use solutions to separate corporate data on personal devices.
• Conditional Access Policies: Configure systems to allow access only from compliant devices.

Estimated Implementation Costs:

• MDM for BYOD: $2–$5 per device/month.
• Containerization Solutions: $5–$10 per user/month.
• Policy Development: Internal resource allocation.

14. Unsecure Physical Records

Leaving paper records with PHI in public or unsecured areas can expose them to unauthorized access. Ensure that all physical records are stored in locked, secure areas and are only accessible to authorized personnel.

How to Validate:

• Security Audits: Use checklists to inspect areas where physical records are stored.
• Access Control Systems: Implement badge readers or biometric systems to control entry to record storage areas.

Technical Steps to Resolve:

• Install Surveillance Cameras: Monitor sensitive areas with CCTV for unauthorized access.
• Secure Storage Solutions: Locked filing cabinets and safes store PHI.
• Access Logs: Maintain logs of individuals entering secure areas.

Estimated Implementation Costs:

• Surveillance Systems: $1,000–$5,000 for installation.
• Access Control Systems: $2,000–$10,000 depending on scope.
• Secure Storage: $500–$2,000 per unit.

15. Unauthorized Sharing of PHI

Sharing PHI with family members or friends of patients without proper authorization is a clear violation of HIPAA. Always obtain explicit consent from the patient before sharing their information.

How to Validate:

• Communication Monitoring: Use DLP solutions to monitor emails, messages, and other communications for unauthorized PHI sharing.
• Audit Trails: Review access and disclosure logs to track PHI-sharing activities.

Technical Steps to Resolve:

• Consent Verification Systems: Implement electronic consent management to verify patient authorizations.
• Restrict Data Exports: Limit the ability to export or copy PHI from systems.
• Automated Warning Banners: Display warnings when users attempt to share PHI externally.

Estimated Implementation Costs:

• Consent Management Systems: $5,000–$20,000 annually.
• DLP Solutions: $5,000–$20,000 annually.
• System Configuration: Minimal direct costs.

16. Failure to Report Breaches

Not reporting data breaches involving PHI within the required time frame is a significant violation. Have a clear breach notification policy in place and ensure that all staff know the steps to take if a breach occurs.

How to Validate:

• Incident Management Systems: Use platforms to track incidents and responses.
• SIEM Alerting: Configure SIEM tools to flag potential breaches for immediate investigation.
• Breach Impact Assessment Tools: Implement solutions to determine the number of individuals affected quickly.

Technical Steps to Resolve:

• Establish an Incident Response Plan: Define procedures, responsibilities, and timelines for breach reporting, including:some text
  • 60-day maximum reporting timeline for all breaches.
  • Expedited processes for breaches affecting 500+ individuals.
  • Documentation requirements for minor breaches.
• Automate Notifications: Set up systems to automatically notify compliance officers when a breach is detected.
• Regular Drills: Conduct simulated breach scenarios to test and improve response processes.
• Reporting Templates: Maintain pre-configured templates for different types of breach notifications.

Estimated Implementation Costs:

• Incident Management Software: $10,000–$50,000 annually.
• Training and Drills: Variable costs based on scope.
• Consultation Services: $5,000–$20,000 for policy development.

17. Using Public Wi-Fi

Accessing or transmitting PHI over unsecured public Wi-Fi networks is a significant risk. To protect PHI from unauthorized access, always use secure, encrypted networks.

How to Validate:

• VPN Usage Monitoring: Ensure that all remote connections to PHI systems require VPN access.
• Network Authentication Logs: Analyze logs to detect connections from unsecured networks.

Technical Steps to Resolve:

• Enforce VPN Use: VPNs with strong encryption (e.g., SSL/TLS) are required for remote access.
• Disable Split Tunneling: Prevent devices from accessing the internet and corporate network simultaneously without protection.
• Secure Hotspots: Offer secure mobile hotspots for staff needing remote access.

Estimated Implementation Costs:

• VPN Solutions: $5–$10 per user/month.
• Secure Hotspots: $50–$100 per device plus data plans.
• Policy Enforcement Tools: This may be included with existing security solutions.

18. Inadequate Audit Controls

Lack of proper audit controls to monitor access and use of PHI can lead to undetected breaches. Implement comprehensive audit logs and regularly review them to ensure compliance and detect unauthorized access.

How to Validate:

• Audit Log Reviews: Regularly review system logs for completeness and accuracy.
• Compliance Monitoring Tools: Use software to ensure audit logs are properly maintained.
• Retention Verification: Implement tools to verify that logs are retained for the minimum 6-year period.

Technical Steps to Resolve:

• Centralize Logging: Implement centralized logging solutions like syslog servers or ELK Stack.
• Log Retention Policies: As required by HIPAA, define and enforce 6-year minimum retention policies for all audit logs.
• Real-Time Monitoring: Use dashboards and alerts to monitor access to PHI in real-time.
• Secure Log Storage: Implement encryption and access controls for audit logs containing PHI.

Estimated Implementation Costs:

• Logging Solutions: $5,000–$20,000 annually.
• Storage Costs: Variable, based on data volume.
• Monitoring Tools: These may be included in SIEM solutions.

19. Ignoring Patient Requests for Records

Failing to provide patients with access to their records within the required time frame violates their rights under HIPAA. Ensure that your organization has a process to respond to patient requests for documents promptly.

How to Validate:

• Request Tracking Systems: Use CRM or case management tools to log and track patient record requests.
• Audit Trails: Review logs to ensure requests are fulfilled within the mandated time frames (generally 30 days).

Technical Steps to Resolve:

• Automate Request Processes: Implement online portals where patients can request and track access to their records.
• Set SLA Alerts: Configure systems to alert staff when deadlines for requests are approaching.
• Integrate EHR Systems: Ensure electronic health record (EHR) systems facilitate easy retrieval and sharing of patient records.

Estimated Implementation Costs:

• Patient Portals: $10,000–$50,000 for development and integration.
• CRM Systems: $50–$150 per user/month.
• EHR Integration: Variable costs based on existing systems.

20. Insecure File Sharing Services

Using non-compliant file-sharing services to exchange PHI can lead to data breaches. Ensure that any file-sharing service is HIPAA compliant and has signed a BAA, providing the necessary security and encryption for PHI.

How to Validate:

• Network Traffic Analysis: Monitor for the use of unauthorized file-sharing services using security tools.
• Endpoint Protection: Use endpoint security solutions to block installation or access to non-compliant file-sharing apps.

Technical Steps to Resolve:

• Deploy Secure File Sharing Solutions: Use HIPAA-compliant services like Box for Healthcare or Citrix ShareFile with appropriate security configurations.
• Enforce Whitelisting: Configure firewalls and proxy servers to allow only approved file-sharing domains.
• Educate Users: Train staff on the approved methods for sharing PHI files.

Estimated Implementation Costs:

• Secure File Sharing Services: $15–$30 per user/month.
• Endpoint Protection: $20–$50 per endpoint/year.
• Firewall Configuration: Minimal direct costs.

Additional Implementation Requirements

Documentation and Risk Assessment:

• Maintain Written Policies and Procedures: Document all technical controls and security measures.
• Conduct Annual Risk Assessments: Identify potential vulnerabilities and address them proactively.
• Update Documentation Regularly: Review and update after any significant system changes.
• Record Security Incidents: Keep detailed records of all incidents and responses.
• Technical Configuration Documentation: Maintain comprehensive records of system configurations.

Periodic Evaluations:

• Quarterly Access Reviews: Assess user permissions and adjust as necessary.
• Annual Penetration Testing: Perform tests to identify security weaknesses.
• Disaster Recovery Testing: Conduct bi-annual tests of backup and recovery procedures.
• Vendor Evaluations: Review third-party compliance annually.
• Training Program Assessments: Evaluate the effectiveness of security awareness programs.

Cost Considerations:

Implementation costs vary based on organization size and complexity:

• Small Practice (1–10 providers): $20,000–$50,000 annually.
• Medium Practice (11–50 providers): $50,000–$200,000 annually.
• Large Practice (50+ providers): $200,000+ annually.

Key Cost Factors Include:

• Security Software and Tools
• Staff Training and Certification
• Third-Party Assessments
• Ongoing Monitoring and Maintenance
• Incident Response and Breach Management

Conclusion

HIPAA compliance is an ongoing process that requires regular updates and adjustments as technology and threats evolve. Organizations should review and update their technical controls at least annually or whenever significant changes occur in their technology environment.

Stay vigilant, stay compliant, and prioritize your patients' information security.

Note: Pricing information is approximate and may vary based on organization size, specific needs, and vendor pricing models. Prices were checked in December 2024. Contacting vendors directly is recommended for the most accurate and up-to-date pricing.