Top 5 HIPAA Violations (and How to Avoid Them)

  • Shawn Donaldson
  • Jul 25


HIPAA violations don’t just happen to hospitals and big health systems. Small medical practices, billing services, dental offices, and even IT providers can find themselves in hot water over overlooked details. And the penalties? They can be steep—up to $50,000 per violation.

Below are the five most common HIPAA violations we see, along with real steps your business can take to avoid becoming the next cautionary tale.



1. Unsecured Email and File Sharing

The Violation: It’s all too easy to fire off a quick email with a patient name, date of birth, or other PHI—but if that email isn’t encrypted, you’ve just committed a HIPAA violation. Similarly, uploading sensitive data to tools like Dropbox, Google Drive, or iCloud—without a business associate agreement (BAA) in place or the service’s security settings properly configured—puts you at serious risk.


How to Avoid It: Use platforms specifically designed for HIPAA compliance, like Microsoft 365 with encryption policies and secure email add-ons. Always sign a BAA with any cloud vendor handling PHI, and train staff to never send patient information via personal email or unsecured apps.


2. Inadequate Employee Training

The Violation: HIPAA regulations require you to train your workforce—but many businesses skip this step or only offer a brief onboarding session. The result? Employees fall for phishing emails, mishandle sensitive documents, or talk about patient information in public areas—all of which are serious violations.


How to Avoid It: Provide comprehensive HIPAA training when employees are hired—and at least annually after that. Incorporate phishing simulations, real-world scenarios, and quick refresher modules throughout the year. Everyone, from front-desk staff to contractors, should know exactly how to handle PHI securely.


3. Weak Passwords and No Multi-Factor Authentication (MFA)

The Violation: If your staff is logging into electronic health systems, billing platforms, or email accounts with “Welcome123,” that’s a big red flag. Weak or reused passwords, especially without MFA, make it incredibly easy for hackers to break in—and PHI is a prime target.


How to Avoid It: Enforce strong password policies across the board. Require long, complex passwords that are changed regularly. Better yet, implement a password manager to reduce reuse. And most importantly, turn on MFA for every account that touches PHI—this one step can stop over 99% of credential-based attacks.


4. Lost or Stolen Devices Without Proper Protections

The Violation: A single lost laptop or phone can be a HIPAA disaster—especially if it contains unencrypted files, saved logins, or access to cloud-stored PHI. We’ve seen cases where a stolen laptop led to fines in the six-figure range because encryption wasn’t in place.


How to Avoid It: All mobile devices—laptops, smartphones, tablets—should be encrypted and password-protected. Enable full disk encryption (like BitLocker for Windows or FileVault for Mac), and implement remote wipe capabilities through mobile device management (MDM) tools. Employees should never store PHI locally unless absolutely necessary—and even then, only on encrypted devices.


5. Missing or Outdated Risk Assessments

The Violation: One of the most overlooked HIPAA requirements is the Security Risk Assessment (SRA). If you’ve never conducted one—or if your last one was three years ago—you’re likely out of compliance. And in the event of a breach, the Office for Civil Rights (OCR) will absolutely ask for this documentation.


How to Avoid It: Schedule an annual SRA and repeat it any time you add new technology, locations, or vendors. A thorough assessment evaluates your systems, identifies vulnerabilities, and helps prioritize remediation steps. It also shows regulators that you’re taking HIPAA seriously, which can reduce fines if something does go wrong.


Final Thoughts: Protecting PHI Is Everyone’s Job

HIPAA compliance isn’t just about avoiding fines—it’s about protecting the privacy, trust, and safety of the people you serve. These common violations often come down to human error or small oversights—but with the right policies, training, and technology, you can avoid them entirely.


At Encompass IT, we help healthcare providers and covered entities across Connecticut and Massachusetts stay compliant, secure, and prepared for audits or assessments. If you're unsure where your gaps are, let’s talk. Book a discovery call with an IT consultant today.
