Recent Examples of HIPAA Violations in Healthcare
Reviewing recent examples of HIPAA violations in healthcare can help identify trends in non-compliance so that HIPAA covered entities and business associates can implement measures – or adjust workforce training – to mitigate the likelihood of previously unconsidered violation types occurring in their organizations.
The HIPAA Security Rule (45 CFR §164.306(a)) requires HIPAA covered entities and business associates to protect ePHI against any “reasonably anticipated threats or hazards to the security or integrity of such information” and any “reasonably anticipated uses or disclosures of such information that are not permitted or required” by the Privacy Rule.
Failing to comply with these general requirements is itself an example of a HIPAA violation in healthcare, even if no data breach or impermissible disclosure ever occurs. But who determines which threats or hazards, and which uses or disclosures, can be “reasonably anticipated”? There is no one-size-fits-all answer to this question.
How to Comply with the “Reasonably Anticipated” Requirement
In 2005, the HHS Centers for Medicare & Medicaid Services (CMS) published a series of guides to help covered entities comply with HIPAA. One of the guides, “Basics of Risk Analysis and Risk Management”, suggests covered entities should compile a list of ALL threats and hazards and then reduce the list to those considered reasonably anticipated.
Although the guide does not define “reasonably anticipated”, it does reference the most common types of risk and violation types, and recommends that covered entities focus on the technical and non-technical “specific characteristics of the entity in relation to each threat category” (e.g., external threats, insider threats, environmental threats).
The guide also provides advice on determining the likelihood of threat occurrence and the potential impact of the threat. This can help covered entities determine the level of risk for each threat and what “reasonable and appropriate” measures should be implemented to mitigate the likelihood of a HIPAA violation. All decisions based on this advice should be documented to comply with the “reasonably anticipated” requirement.
Other advice provided by CMS includes reviewing external sources of information (e.g., the Internet) for technical vulnerability advisories. Most advisories (and the patches that address them) should come from software vendors, but it is also worth subscribing to CISA’s Cybersecurity Alerts news feed.
Past vs Recent Examples of HIPAA Violations in Healthcare
It is also worth reviewing sources that allow past and recent examples of HIPAA violations in healthcare to be compared, since these can help identify trends in non-compliance. Such sources include HHS’ OIG Enforcement Actions webpage, the Archive Section of HHS’ HIPAA Breach Portal, and The HIPAA Journal’s Healthcare Data Breach Reports.
HHS’ OIG Enforcement Actions
Most HHS OIG enforcement actions relate to fraud and abuse in healthcare, for example violations of the False Claims Act or the Anti-Kickback Statute. However, events which qualify as examples of HIPAA violations in healthcare also appear in enforcement action reports from time to time. Recent examples include:
- In February 2024, John Thropay MD of Arcadia, California, was found guilty of impermissibly using patients’ Protected Health Information (PHI) to fraudulently bill Medicare for hospice services. In August 2024, Thropay was sentenced to 37 months in prison for his role in the fraud.
- In September 2024, Jamahl Burch of Hampton, Virginia, pleaded guilty to fraudulently using patients’ PHI to submit claims for personal care and respite care services that were never provided. Burch is due to be sentenced in January 2025 for his role in the $1 million Medicaid fraud.
- Also in September 2024, Juan Flores of Mission, Texas, was charged with using patients’ PHI without consent to facilitate a fraudulent billing scheme resulting in almost $2 million in Medicaid payments. The charge carries a ten-year maximum sentence plus two years for aggravated identity theft.
HHS’ HIPAA Breach Portal Archive
HHS’ HIPAA Breach Portal lists all notified breaches affecting 500 or more individuals. Breaches are typically notified with minimal information at first, and it is only by reading the web descriptions in the Archive Section of the portal that the events which triggered each breach become apparent. Some of these events may not have been considered in previous risk analyses. For example:
- In June 2024, Mass General Brigham Health Plan notified HHS of a data breach with a breach type of “Unauthorized Access/Disclosure” and a location of “Other”. The breach was actually attributable to a workforce member impermissibly disclosing PHI in an effort to outsource her job duties.
- In April 2024, Moveable Feast Inc. notified HHS of a data breach attributable to the “Improper Disposal” of “Paper Records”. What actually happened was that paper records containing PHI were put into a recycling bin which was blown over and the paper records scattered by the wind.
- In December 2023, NYC Health notified HHS of a data breach attributed to “Unauthorized Access” to a “Desktop” computer. Rather than being a sinister external attack, a member of the workforce had inadvertently disclosed the PHI of 3,000 patients when demonstrating his role to a volunteer.
The HIPAA Journal Data Breach Reports
While The HIPAA Journal Data Breach Reports are based on breaches as notified to HHS, before they are investigated (and therefore lack the granularity of the Breach Portal Archive), they can be valuable for comparing past examples of HIPAA violations in healthcare with recent ones in order to identify trends.
For example, by analyzing the three leading causes of data breaches notified during April in each of the past four years, it is possible to identify an increasing trend in failures to secure PHI maintained on network servers, a consistent failure to provide effective email security training, and progress in securing PHI stored in electronic medical records.
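The same month-over-year comparison can be reproduced directly from the HHS breach portal’s CSV export rather than from a third-party report. The following is an added example, not code from the original article or from HHS or The HIPAA Journal. It assumes the column layout of the portal’s CSV download (“Breach Submission Date”, “Type of Breach”, “Location of Breached Information”, and so on; verify against a current download), and the rows in SAMPLE_CSV are constructed for illustration, not real portal entries. It ranks the leading (type, location) causes for a chosen month in each year and labels each cause’s trend, which generalizes the four-year April comparison described above to any month and any number of years.

```python
"""Trend analysis over breach-portal-style records (added example, not from the original page)."""
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample rows in the assumed column layout of the HHS OCR breach portal
# CSV export. These are made-up entities and dates, not real notifications.
SAMPLE_CSV = """\
Name of Covered Entity,State,Covered Entity Type,Individuals Affected,Breach Submission Date,Type of Breach,Location of Breached Information,Business Associate Present,Web Description
Example Clinic A,TX,Healthcare Provider,1200,04/03/2021,Hacking/IT Incident,Email,No,
Example Clinic B,CA,Healthcare Provider,5000,04/05/2021,Hacking/IT Incident,Email,Yes,
Example Plan C,NY,Health Plan,800,04/09/2021,Hacking/IT Incident,Electronic Medical Record,No,
Example Clinic D,FL,Healthcare Provider,2500,04/14/2021,Hacking/IT Incident,Electronic Medical Record,No,
Example Clinic E,OH,Healthcare Provider,3100,04/22/2021,Hacking/IT Incident,Electronic Medical Record,Yes,
Example Clinic F,WA,Healthcare Provider,900,04/28/2021,Hacking/IT Incident,Network Server,No,
Example Clinic G,IL,Healthcare Provider,700,04/02/2024,Hacking/IT Incident,Network Server,No,
Example Plan H,GA,Health Plan,9100,04/06/2024,Hacking/IT Incident,Network Server,Yes,
Example Clinic I,MA,Healthcare Provider,4400,04/11/2024,Hacking/IT Incident,Network Server,No,
Example Clinic J,AZ,Healthcare Provider,2200,04/17/2024,Hacking/IT Incident,Network Server,No,
Example Clinic K,CO,Healthcare Provider,1500,04/19/2024,Hacking/IT Incident,Email,No,
Example Plan L,MI,Health Plan,600,04/23/2024,Hacking/IT Incident,Email,No,
Example Clinic M,PA,Healthcare Provider,520,04/26/2024,Improper Disposal,Paper/Films,No,
Example Clinic N,NV,Healthcare Provider,300,03/15/2024,Theft,Laptop,No,
"""


def load_records(csv_text):
    """Parse portal-style CSV text into dicts with a parsed date, an integer count
    and a (type, location) 'cause' key. Column names are an assumption (see lead-in)."""
    records = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        submitted = datetime.strptime(row["Breach Submission Date"], "%m/%d/%Y")
        records.append({
            "entity": row["Name of Covered Entity"],
            "year": submitted.year,
            "month": submitted.month,
            "affected": int(row["Individuals Affected"]),
            "cause": (row["Type of Breach"], row["Location of Breached Information"]),
        })
    return records


def top_causes(records, month, n=3):
    """For each year, the n most frequent (type, location) pairs notified in `month`.
    Returns {year: [(cause, count), ...]} sorted by year."""
    by_year = defaultdict(Counter)
    for r in records:
        if r["month"] == month:
            by_year[r["year"]][r["cause"]] += 1
    return {year: counts.most_common(n) for year, counts in sorted(by_year.items())}


def cause_trend(records, cause, month):
    """Notification count of one (type, location) pair per year for `month`;
    years with no matching notifications are reported as 0 so gaps are visible."""
    years = sorted({r["year"] for r in records if r["month"] == month})
    return {
        year: sum(1 for r in records
                  if r["month"] == month and r["year"] == year and r["cause"] == cause)
        for year in years
    }


def classify(trend):
    """Label a per-year trend by comparing its first and last year."""
    years = sorted(trend)
    first, last = trend[years[0]], trend[years[-1]]
    if last > first:
        return "increasing"
    if last < first:
        return "decreasing"
    return "consistent"


if __name__ == "__main__":
    recs = load_records(SAMPLE_CSV)
    for year, causes in top_causes(recs, month=4).items():
        print(year, causes)
    for cause in {r["cause"] for r in recs if r["month"] == 4}:
        print(cause, classify(cause_trend(recs, cause, month=4)))
```

Replacing SAMPLE_CSV with the text of a real portal download (the "Archive" export includes the web descriptions) gives the same ranking over actual notifications; weighting by the "Individuals Affected" column instead of by count is a one-line change to `top_causes` and often tells a different story, since a single large server breach can outweigh dozens of email incidents.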
Not All HIPAA Violations in Healthcare Result in Data Breaches
Although the above sources can be good for finding recent examples of HIPAA violations in healthcare, and can be valuable for identifying trends, it is important to remember that not all HIPAA violations result in data breaches. Indeed, since starting its “Right of Access” initiative in 2019, HHS’ Office for Civil Rights has resolved 48 Right of Access HIPAA violations with financial settlements and civil monetary penalties.
Consequently, it is important that covered entities and business associates review risk analyses periodically to identify threats and hazards – or impermissible uses and disclosures – that previously may not have been “reasonably anticipated”. Organizations that require assistance in conducting or reviewing risk analyses, identifying previously unconsidered violation types, or making changes to a risk management program should seek independent compliance advice.