Disclaimer: This blog article was written by an AdvancedMD partner. The views and opinions expressed in this article are those of the author(s) and do not necessarily reflect the official policy or position of AdvancedMD.
In 2024, the most common HIPAA compliance issue, according to the Office for Civil Rights (OCR), remains the impermissible use and disclosure of protected health information (PHI).
When violations are identified, the OCR frequently refers cases to the Department of Justice (DOJ) for further action. As of 2024, 2,419 referrals have been made to the DOJ for criminal investigation.
Other Frequently Reported HIPAA Violations
The OCR reports the following as the most commonly alleged HIPAA violations, in order of frequency:
- Impermissible use and disclosure of PHI
- Inadequate safeguards to protect PHI
- Denial of patient access to their own PHI
- Lack of administrative safeguards for electronic PHI
- Use or disclosure of more PHI than necessary (exceeding the “minimum necessary” standard)
Private practices and physicians are among the most frequently cited covered entities in these cases.
What Qualifies as “Impermissible Use and Disclosure”?
The OCR defines this violation to include a variety of unauthorized actions involving PHI, such as:
- Unauthorized Access to PHI – Staff accessing patient records without a valid reason related to treatment, billing, or healthcare operations is a common and serious breach. Access must be role-based and monitored regularly.
- Social Media Violations – Sharing patient information—including images or case details—on social media platforms, even unintentionally, constitutes a clear HIPAA violation. Strict policies must be in place and enforced.
- Lack of Safeguards – Inadequate physical, administrative, or technical protections for both electronic and paper records is another frequent concern. These safeguards are mandated under the HIPAA Security Rule.
- Failure to Obtain Proper Consent or Authorization – Using or disclosing PHI without obtaining appropriate patient consent or authorization can result in noncompliance:
  - Consent may be obtained for treatment, payment, or healthcare operations (TPO), but it is not required by HIPAA.
  - Authorization is mandatory for disclosures beyond TPO, such as for research or marketing.
  All staff must be trained to distinguish between situations that require consent versus those that require formal authorization.
- Insufficient Staff Training – Many HIPAA violations stem from a lack of employee awareness. Staff must be thoroughly trained on HIPAA requirements, their responsibilities, and the potential consequences of noncompliance.
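As an added example (not code from the original article or from TLD Systems), the following Python script shows the kind of routine audit-log review that the "role-based and monitored regularly" point above calls for: it reads EHR access-log lines and flags any access with no documented care-team relationship to the patient, or an action outside what the user's role needs (the "minimum necessary" standard). The log lines, the care-team roster and the role table are all constructed for illustration.

```python
"""Added example: review an EHR access log for PHI accesses that lack a
treatment/payment/operations reason or exceed the role's allow-list.
All data below is constructed; it is not from any real system."""
import csv
from io import StringIO

# Constructed EHR access log (CSV): timestamp, user, role, patient_id, action
ACCESS_LOG = """\
timestamp,user,role,patient_id,action
2024-03-01T08:02:00,dr_lee,physician,P1001,view_chart
2024-03-01T08:10:00,nurse_kim,nurse,P1001,view_meds
2024-03-01T09:30:00,billing_ann,billing,P1001,view_claims
2024-03-01T12:45:00,nurse_kim,nurse,P2002,view_chart
2024-03-01T13:05:00,front_bob,front_desk,P3003,view_notes
2024-03-01T14:00:00,dr_lee,physician,P1001,export_full_record
"""

# Constructed care-team roster: users with a documented TPO reason to
# access each patient's record. Anything outside this is a candidate
# "access without a valid reason" finding for human follow-up.
CARE_TEAM = {
    "P1001": {"dr_lee", "nurse_kim", "billing_ann"},
    "P2002": {"dr_lee"},
    "P3003": {"dr_lee"},
}

# Constructed role allow-list (minimum necessary): each role may only
# perform the actions its job function requires.
ROLE_ACTIONS = {
    "physician": {"view_chart", "view_meds", "view_notes", "export_full_record"},
    "nurse": {"view_chart", "view_meds"},
    "billing": {"view_claims"},
    "front_desk": {"view_demographics"},
}


def review_access_log(log_text, care_team, role_actions):
    """Return one finding dict per log row that violates either check,
    with a 'reasons' list explaining why it was flagged."""
    findings = []
    for row in csv.DictReader(StringIO(log_text)):
        reasons = []
        if row["user"] not in care_team.get(row["patient_id"], set()):
            reasons.append("no documented care-team relationship")
        if row["action"] not in role_actions.get(row["role"], set()):
            reasons.append("action outside role allow-list")
        if reasons:
            findings.append({**row, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review_access_log(ACCESS_LOG, CARE_TEAM, ROLE_ACTIONS):
        print(f"{f['timestamp']} {f['user']} -> {f['patient_id']} "
              f"{f['action']}: {'; '.join(f['reasons'])}")
```

Run against the constructed log it flags two rows: the nurse viewing a patient outside her care team, and the front-desk user viewing clinical notes on a patient with no relationship. Findings like these are the starting point for an investigation, not a verdict on their own.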
For more information, please reach out to TLD Systems at:
https://www.tldsystems.com
phone: (631) 403 6687