A HIPAA compliance violation is any act or omission by a HIPAA Covered Entity or HIPAA Business Associate that fails to meet a requirement, standard, implementation specification, or prohibition in the HIPAA Privacy Rule, HIPAA Security Rule, HIPAA Breach Notification Rule, or HIPAA Enforcement Rule (codified at 45 CFR Parts 160 and 164). Violations include impermissible uses or disclosures of protected health information and failures to implement required administrative, physical, or technical safeguards. A violation does not depend on harm actually occurring: a missing risk analysis or an unsigned business associate agreement is noncompliant even if no protected health information is ever exposed.
Violations under the HIPAA Privacy Rule include using or disclosing protected health information without a permitted purpose or a valid authorization, failing to apply the HIPAA Minimum Necessary standard where it applies (it does not apply, for example, to disclosures for treatment or to the individual who is the subject of the information), and failing to provide required individual rights such as access to records within the required timeframe (generally 30 days, with one 30-day extension permitted), an accounting of disclosures when applicable, or a compliant Notice of Privacy Practices. Privacy Rule violations also include disclosing protected health information to a vendor or service provider that meets the definition of a Business Associate without a compliant business associate agreement in place before the disclosure.
Violations under the HIPAA Security Rule include failing to conduct an accurate and thorough risk analysis covering all electronic protected health information the organization creates, receives, maintains, or transmits, failing to implement reasonable and appropriate risk management measures to reduce the risks that analysis identifies, and failing to apply access controls, audit controls, integrity protections, person or entity authentication, and transmission security that are reasonable and appropriate for the organization's size, complexity, and risk environment. The rule distinguishes required implementation specifications from addressable ones (encryption is addressable): an addressable specification may be met by a documented equivalent alternative, or not implemented if the organization documents why it is not reasonable and appropriate, but choosing not to implement it without that written assessment is itself a violation. Security failures can also include weak authentication practices, shared accounts that defeat the required unique user identification, inadequate device and media controls, and insufficient workforce security procedures when those gaps create impermissible access to electronic protected health information.
Violations under the HIPAA Breach Notification Rule include failing to provide required notifications to affected individuals, the Department of Health and Human Services, and, when applicable, the media after a breach of unsecured protected health information, or providing notifications outside the required time limits. Individual notification is due without unreasonable delay and no later than 60 calendar days after discovery; breaches affecting 500 or more individuals must be reported to HHS on the same timeline and to prominent media outlets when 500 or more residents of a state or jurisdiction are affected, while smaller breaches are logged and reported to HHS within 60 days after the end of the calendar year in which they were discovered. Because the rule applies to unsecured protected health information, the loss of data encrypted or destroyed in accordance with HHS guidance is not a reportable breach, which is why documented encryption of data at rest and in transit matters for compliance as well as for security.

Documentation failures can also constitute noncompliance, including missing policies and procedures, incomplete training records, absent sanction policy enforcement, and failure to retain required written documentation, including risk analyses and the decisions made about addressable specifications, for six years from its creation or the date it was last in effect, whichever is later.