How to Avoid These 8 Most Common HIPAA Violations

Healthcare organizations specializing in medical billing and collections need access to sensitive patient health information to perform their duties. However, they must follow HIPAA medical billing rules while doing so.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that protects sensitive health information from being disclosed without consent. While it is necessary for all covered entities to adhere to HIPAA Privacy and Security Rules, the law’s complicated nature and lack of clarity can lead to violations.

The Most Common HIPAA Violations and How to Avoid Them

Practice Solutions understands the complexity and ever-evolving field of mental health billing. This free therapy intake form template provides an example of all the health information collected for your files. Just as covered entities must stay up to date on insurance billing regulations and requirements, they must also stay up to date on HIPAA.

Mental health providers and business associates must be aware of HIPAA violations and how to avoid them to ensure that their practices run smoothly and are not subject to financial or criminal fines.

According to the HIPAA Journal, the most common HIPAA violations that incur financial penalties are:

1. Improper Disposal of Protected Health Information (PHI)

Failing to appropriately dispose of files that contain PHI (any type of individually identifiable health information) is one of the most overlooked breaches. Simply throwing away physical files or deleting electronic files in which sensitive information can still be accessed is a violation.

HIPAA regulations specify that all healthcare organizations, including telehealth organizations, need to have best practices for disposing of medical data. Best practices could include:

  • Destroy or wipe all portable devices, such as USBs, hard drives, and laptops, that store PHI

  • Routinely conduct pulping or shredding of physical paper copies that contain PHI

2. Failure to Complete an Organization-Wide Risk Analysis

Organization-wide risk analyses help healthcare organizations identify vulnerabilities or flaws in their security measures and systems. Conducting them supports HIPAA compliance and improves the confidentiality of PHI.

Neglecting to conduct risk analyses leaves systems and practices open to various threats, such as data breaches and unauthorized access or disclosure of PHI.

An appropriate organization-wide risk analysis includes the following:

  • Examining incident response plans

  • Evaluating employee training

  • Routinely auditing for network vulnerabilities and security flaws

  • Implementing authentication protocols

  • Identifying cyber threats

3. Employees Prying on Healthcare Records

HIPAA's Privacy Rule only allows access to PHI (physical and electronic) for specific reasons such as payment, treatment, and healthcare operations. It is a HIPAA violation if a patient's healthcare information is accessed for any other reason.

Unauthorized access to healthcare records is a widespread HIPAA violation that still occurs. A common example includes employees looking through healthcare records of their family, friends, colleagues, or celebrities without authorization.

In order to prevent employees from snooping on healthcare records, organizations should ensure that adequate access control for both electronic and physical health records is implemented.

Practice Solutions has policies in place that ensure compliance with HIPAA Privacy rules. Our billers only have access to information pertinent to insurance billing; they do not have the same access to PHI that providers do. We take great care to make sure that your practice is maintaining compliance while utilizing our billing services.

4. Failure to Enter a Business Associate Agreement (BAA) With Third-Party Contractors

Most healthcare organizations work with third-party companies, which are granted access to PHI. As all companies that handle PHI are required to be HIPAA compliant, healthcare organizations and third-party entities must enter a Business Associate Agreement (BAA) before accessing PHI.

Healthcare organizations that do not enter into BAAs with their business associates are left vulnerable to penalties for HIPAA violations. Appointing an employee to maintain and assure these contracts are signed and the BAA process is HIPAA compliant is key.

At Practice Solutions, our goal is to protect the privacy and security of PHI and ease medical billing for mental health practices. Mental health providers can be reassured that we are fully compliant with HIPAA and sign a trading partner agreement with all our vendors.

5. Insufficient ePHI Access Controls

The HIPAA Security Rule requires all covered entities and business associates to restrict access to electronic PHI (ePHI) to authorized individuals only. The Department of Health and Human Services (HHS) has identified insufficient access controls for protecting PHI as one of the most common HIPAA violations.

Digital medical records have their own vulnerabilities and risks that need to be addressed to secure them properly. To prevent unauthorized persons (e.g., insider threats, cybercriminals) from accessing ePHI, healthcare organizations should:

  • Use temporary authorization codes to ensure only authorized personnel have access

  • Use two-factor authentication

  • Implement security risk measures

  • Implement practice management software with built-in security features like continuous activity monitoring

6. Failure to Report a Data Breach Within 60 Days

All covered entities are required to report any data breach as soon as it is discovered, without unnecessary delay. The HIPAA Breach Notification Rule caps that delay at 60 days from discovery.

To avoid this HIPAA violation, healthcare organizations should:

  • Outline a standard internal reporting policy to relevant officials

  • Ensure that all breaches affecting more than 500 individuals are reported to the Office for Civil Rights (OCR)

  • Report the breach to the media, if required

  • Post notification of the breach on the organization's website, if needed

7. Lost Devices

One of the most frequent ways that PHI is disclosed or accessed by unauthorized personnel is through lost or stolen devices. Devices include USBs, hard drives, laptops, tablets, and smartphones.

To reduce the risk posed by lost or stolen devices, healthcare organizations need to implement the following:

  • Report lost or stolen devices

  • Use device-tracking software that is encrypted

  • Encrypt all devices

  • Implement employee training on appropriate device storage and handling policies

  • Utilize physical device security (e.g., physical sign-in and sign-out procedures)

8. Delaying or Denying a Patient Access to Their Health Records

Although this is not as common as the other violations, denying or delaying a patient's access to their own health records is considered a major HIPAA violation. All healthcare providers must provide patients with their healthcare records within 60 days of a request.

Avoiding this HIPAA violation is relatively easy: best practices that allow the provider's administration to respond to patients' requests in a timely manner are usually enough.


At Practice Solutions, we provide medical billing solutions and services to mental and behavioral health providers. We aim to take care of your billing and insurance so you can focus on providing the best care to your patients.

Keep your practice running effectively and efficiently with our help. Contact us today to learn more.