HIPAA violations don't always involve hackers or malicious insiders. Some breaches come down to everyday administrative errors: a misdirected fax, a forgotten device, a wrongly addressed envelope. Under the Health Insurance Portability and Accountability Act (HIPAA), any unauthorized disclosure of a patient's protected health information (PHI) is a violation, whether it was intentional or not. PHI includes anything that can link a person to their health data: names, diagnoses, medications, billing records, and more. The five examples below show how easily these violations happen, and why the consequences tend to catch organizations off guard.


1. The fax machine that won't die

A wrong digit gets dialed, and a patient's lab results land in the inbox of an unrelated business. Nobody hacked anything; someone just typed "5" instead of "6." This happens so often that "misdirected fax" is its own category in HHS breach reports.

Take what happened at OhioHealth's Grant Medical Center in Columbus. A transposed digit in one patient's record meant a local resident kept getting faxes containing someone else's name, weight, age, diagnosis, and medication list. Not once, but repeatedly, over a period of months, because nobody traced the root cause until a local news station got involved. The hospital eventually corrected the number and apologized, but the case shows how a violation can occur with no hacker and no insider threat, just one wrong digit that nobody caught for half a year.

And when the same mistake involves more sensitive information, the clerical error can lead to financial penalties. Mount Sinai St. Luke's Hospital in New York paid a $387,200 HIPAA settlement after staff faxed a patient's HIV and mental health information to his workplace and to a place where he volunteered. The patient later sued for $2.5 million, saying the disclosure caused him enough distress that he quit his job.

Learn more: Can I send a HIPAA compliant fax? Yes, but you should use email instead


2. The sign-in sheet at the front desk

According to HHS's own FAQ guidance, physicians' offices are allowed to use sign-in sheets and even call out patient names in waiting rooms; the Privacy Rule treats the exposure as an incidental disclosure, not a violation, as long as the practice is reasonably safeguarded and limited to what's actually necessary.

The part that turns this from "fine" into "violation" is what gets written on the sheet. HHS is specific that the sign-in sheet shouldn't include more details than are needed for checking in, such as the reason for the visit. So the failure isn't the sign-in sheet itself; it's the front desk that lets staff write down a diagnosis code or a visit reason in the same column where the next patients can read it.

Read also: What providers must know about HIPAA and patient sign-in sheets


3. The computer nobody logged out of

In 2010, New York-Presbyterian Hospital and Columbia University Medical Center paid a combined fine of $4.8 million, at the time the largest HIPAA fine ever issued. A physician who developed applications for both institutions tried to deactivate a personally owned server on their shared network. He wasn't trying to expose anything; he was trying to shut a server down. But because the right technical safeguards weren't in place, taking that one server offline left the electronic health records of 6,800 patients accessible on the open internet. The breach only came to light after someone searched online and found their deceased partner's medical records sitting in Google's search results. A routine deactivation turned into one of the most expensive privacy failures in HIPAA's history simply because the safety net underneath it didn't exist.


4. The EOB that goes to the wrong house

Explanation of Benefits forms get mailed constantly, and they contain details such as provider names, procedure codes, and sometimes diagnosis-adjacent information. They get sent to old addresses, to the policyholder instead of the dependent who actually received care, or to a house where the mail carrier just put them in the wrong box.

Sentara Hospitals in Virginia is a good example of this type of violation. A patient complained to HHS after receiving a bill that had someone else's health information enclosed. When investigators looked into it, they found the real problem wasn't a single mixed-up envelope; it was a mail-merge error that paired billing statements for 577 patients with the wrong guarantor mailing labels out of a batch of over 16,000. Nobody breached a server or stole a device. A label file simply lined up wrong against a billing file, and patients' information ended up in the wrong envelopes. The hospital system paid over $2 million to resolve the matter.
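The mail-merge failure described above, as an added example that is not drawn from the article or from any hospital system it names: a positional merge that silently shifts every label after one dropped row, beside a key-based merge and a pre-release check that would hold the batch back. The record layouts, field names and sample batch are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Statement:
    guarantor_id: str
    patient_name: str   # PHI that must reach only this guarantor
    amount_due: str


@dataclass(frozen=True)
class Label:
    guarantor_id: str
    address: str


# Constructed sample batch: the label export lost the row for G002, so from
# that point on every label sits one position ahead of its statement.
STATEMENTS = [
    Statement("G001", "Patient A", "120.00"),
    Statement("G002", "Patient B", "45.50"),
    Statement("G003", "Patient C", "980.00"),
    Statement("G004", "Patient D", "15.00"),
]
LABELS = [
    Label("G001", "1 Oak St"),
    Label("G003", "3 Elm St"),
    Label("G004", "4 Pine St"),
]


def merge_by_position(statements, labels):
    """Fragile merge: the i-th statement goes into the i-th envelope (zip drops extras)."""
    return list(zip(statements, labels))


def merge_by_key(statements, labels):
    """Join on guarantor_id; any statement without an exact label match is held back."""
    by_id = {lbl.guarantor_id: lbl for lbl in labels}
    if len(by_id) != len(labels):
        raise ValueError("duplicate guarantor_id in label file")
    paired = [(s, by_id[s.guarantor_id]) for s in statements if s.guarantor_id in by_id]
    held = [s for s in statements if s.guarantor_id not in by_id]
    return paired, held


def release_problems(statements, pairs):
    """Pre-print gate: every reason this batch must not go to the mailroom."""
    problems = [f"envelope {i}: statement {s.guarantor_id} under label {l.guarantor_id}"
                for i, (s, l) in enumerate(pairs) if s.guarantor_id != l.guarantor_id]
    if len(pairs) != len(statements):
        problems.append(f"{len(statements) - len(pairs)} statement(s) have no envelope")
    return problems
```

With the constructed batch, the positional merge yields two mis-addressed envelopes plus one statement with no envelope at all, while the key-based merge pairs three statements cleanly and holds the fourth for manual review.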


5. The missing device

Someone leaves a work tablet on a seat during a flight, forgets a USB drive at a hotel business center, or sets a phone down at a conference and walks away without it. No attacker, no insider threat, just a moment that federal law requires you to report.

The Lifespan case is a good example. An employee's car was broken into and a work laptop was stolen from it. The laptop contained cached work emails with patient names, medical record numbers, partial addresses, and medication information for over 20,000 people. Lifespan paid just over $1 million to resolve the case.

Lost and misplaced devices are also common: a USB drive left in a public computer, a shared tablet that never made it back from a home visit, a phone without a PIN that slipped out of a pocket on the commute home. The device is just gone, and with it, whatever it was carrying.

The real problem isn't that devices get stolen or lost. It's that organizations often don't know which devices can access patient data, who has them, or where they are — until one goes missing.

Read also: Mitigating and avoiding personal device vulnerabilities


FAQs

What should a patient do if they suspect their health information was exposed?

Patients can file a complaint directly with the HHS Office for Civil Rights (OCR), which investigates potential HIPAA violations and can compel corrective action from the covered entity.


How long do organizations have to report a HIPAA breach?

Covered entities must notify affected individuals within 60 days of discovering a breach, and breaches affecting 500 or more people must also be reported to HHS and local media without unreasonable delay.


Can employees be personally penalized for HIPAA violations?

Yes, individuals who knowingly obtain or disclose PHI without authorization can face criminal penalties, including fines and imprisonment.


Does HIPAA apply to information shared verbally?

Yes, HIPAA covers verbal disclosures of PHI, meaning conversations about a patient's health in earshot of unauthorized parties can constitute a violation.