
HIPAA mandates that healthcare providers safeguard patients’ protected health information (PHI). However, PHI breaches can and do occur through unauthorized disclosures, improper handling of data, or insufficient security measures.
Not all providers adhere to HIPAA policies
According to an Informed Clinical Informatics study on Information Security Awareness and Behaviors of Health Care Professionals at Public Health Care Facilities:
- Only 63% of healthcare workers reported being informed of their organization's security policies.
- 65% knew the proper procedures for handling and discarding confidential patient records.
- 74% of respondents reported actively safeguarding PHI from unauthorized access.
These numbers suggest that many healthcare providers are either ignoring or inadequately following HIPAA policies. This creates vulnerabilities that can expose PHI to data breaches and, in turn, to HIPAA violations.
What constitutes a HIPAA violation?
HIPAA violations can happen in different ways, and some of the most common violations include:
- Unauthorized disclosure via email or social media: When healthcare providers accidentally or intentionally share PHI through unsecured email or on public social media platforms.
For example, in November 2024, Option Care Health (OCH) experienced a data breach due to unauthorized access to an employee's email account.
- Inappropriate access: Healthcare workers access medical records without a legitimate reason or authorization.
For example, in the 2008 case at the University of California, Los Angeles (UCLA) Medical Center, employees accessed singer Britney Spears’s psychiatric medical records without a valid reason.
- Loss of sensitive data: Healthcare providers lose devices (like unencrypted laptops or USB drives) containing PHI.
For example, in October 2024, Walgreen Co. suffered a data breach after an unauthorized user accessed a laptop with sensitive patient data.
- Unintended exposure: Healthcare providers discussing a patient’s health status aloud in shared spaces, or an employee commenting publicly about a patient’s condition.
For example, in the 2016 New York-Presbyterian Hospital (NYP) case, the hospital allowed a television film crew to record footage within its facilities without obtaining prior patient authorization.
Ultimately, if a patient believes that a healthcare provider didn’t uphold their legal obligations, they must know how to file complaints, report such incidents, and understand the potential legal outcomes.
What to do if you suspect a violation
1. Document the incident
When a patient suspects a HIPAA violation, they must keep detailed records of the incident, including:
- Date and time of the incident.
- Names of individuals involved (e.g., provider, staff member, or unauthorized third party).
- A detailed description of what happened (e.g., was an email sent containing personal information?).
- Any evidence (e.g., screenshots of emails or social media posts, written testimonies from witnesses).
2. Report the violation to the healthcare provider
Once the patient has documented the violation, they must report it directly to their healthcare provider. More specifically, they should contact the provider's privacy officer, who is responsible for HIPAA matters.
Patients should request an internal investigation that includes:
- An explanation of how the breach occurred.
- The corrective actions that will be taken to prevent future violations.
- Whether the organization will be retraining staff or improving security systems.
If the provider dismisses these concerns, the patient can file a formal complaint with the HHS Office for Civil Rights (OCR).
3. File a formal complaint with the HHS
Per the OCR’s Complaint Requirements, a complaint must:
- Be filed “in writing by mail, fax, e-mail, or via the OCR Complaint Portal.”
- “Name the covered entity or business associate involved, and describe the acts or omissions, you believed violated the requirements of the Privacy, Security, or Breach Notification Rules.”
- “Be filed within 180 days of when you knew that the act or omission complained of occurred,” a deadline the OCR can extend if it finds "good cause."
If the patient is unsure whether the incident violates HIPAA, the OCR encourages them to “go ahead and file [their] complaint.” The OCR will then investigate the complaint and “impose penalties if the provider is found to be non-compliant.”
4. Legal implications of a HIPAA violation
HIPAA violations carry serious legal consequences even when no harm was ‘knowingly’ intended. In other words, a healthcare provider does not have to intend to break the law to be held legally responsible. The law only requires proof that the person knew the facts that led to the violation, even if they didn’t realize those facts amounted to a breach.
This interpretation was clarified in a Memorandum Opinion discussing the U.S. Supreme Court’s decision in Bryan v. United States (524 U.S. 184, 1998), which states, “The term ‘knowingly’ merely requires proof of knowledge of the facts that constitute the offense.”
For example, if a healthcare worker knows they’re emailing a document with patient names and Social Security numbers, the law mandates that they protect this data.
Furthermore, ignorance of the law is not a defense if the individual understands the underlying facts. The Memorandum explains, “There is nothing obviously absurd about the statute’s allowing a defense of reasonable ignorance of the law for those regulatory violations subject to [a] civil penalty, but withholding this defense with respect to those violations that threaten the privacy of individuals.”
Ultimately, healthcare providers must implement administrative, physical, and technical safeguards to protect patient PHI and avoid potential civil and criminal penalties.
Read more: The complete guide to HIPAA violations
5. Consider legal action
HIPAA doesn’t allow patients to directly sue providers for violations. However, state privacy laws or professional negligence claims could be another avenue for legal recourse. If someone has suffered financial or emotional harm due to a violation, they could consult an attorney specializing in healthcare privacy.
A recent example of such litigation involves the Progressive Casualty Insurance Company data breach, in which an employee of a third-party vendor shared access credentials with unauthorized individuals.
With over 347,000 individuals’ PHI exposed, including names, addresses, and driver's license numbers, Progressive has been sued in a class action suit.
The plaintiffs allege that the breach was “massive and preventable” and was a result of Progressive's inadequate data security procedures. The breach may have exposed victims to significant risks, including identity theft and financial harm. Progressive has denied any wrongdoing but eventually settled the case for $3.25 million.
6. Protect your information
Monitor medical records for suspicious activity: review medical notes, visit summaries, lab results, and updates to your personal or insurance information, checking especially for new diagnoses, prescriptions, test results, or unauthorized insurance information.
If you spot inaccuracies, contact your provider immediately and request an audit trail to see who accessed your records and when.
Request copies of your health records and privacy documentation. More specifically, the HIPAA Privacy Rule gives patients the right to obtain:
- A complete copy of their health record, including billing, imaging, clinical notes, and electronic communications referencing care.
- A record of who accessed their data, including internal staff or external entities (like billing vendors or labs).
- A copy of the provider’s Notice of Privacy Practices, which outlines how PHI is used and disclosed.
Patients can request this information in writing. If the provider delays or denies the request without proper justification, the patient must escalate the matter to the OCR.
7. Check for unusual billing activity
Patients can review their insurer’s Explanation of Benefits (EOBs) and match them against known visits. They should specifically check for services they didn’t receive, charges from unfamiliar providers or facilities, multiple claims for the same service, or conflicting dates.
Patients can also request itemized statements from their provider’s billing department. If discrepancies appear, they must contact both the provider and the insurance company.
8. Place fraud alerts or credit freezes
If an individual’s Social Security number, driver’s license, insurance member ID, or financial information is exposed, they must contact one of the three major credit bureaus (Equifax, Experian, or TransUnion) to place a fraud alert. That bureau must then notify the other two, and lenders must verify the individual’s identity before extending new credit.
Placing a credit freeze blocks new creditors from accessing the individual’s credit report. This matters especially when the exposed health data was linked to identifying information, since that combination increases the risk of financial and medical identity theft.
Additional tips
Patients should contact their provider’s office manager, privacy officer, or IT department and ask:
- Does the organization use encrypted email solutions, like Paubox, for patient communication?
- What safeguards are in place to protect electronic health records?
- Has the organization completed a risk analysis and security audit in the past year?
- How does it ensure third-party vendors (labs, billing services, etc.) follow HIPAA standards?
Learn more: HIPAA Compliant Email: The Definitive Guide (2025 Update)
FAQs
Can my family access my health information?
Only if you give them permission. Under HIPAA, your healthcare provider can share your health information with a family member, friend, or caregiver only when you give verbal or written consent, or when you’re present during the discussion and don’t object. If you're unconscious or unable to make decisions, the provider may use their professional judgment to determine if sharing certain information is in your best interest.
Can I ask for my health records in a digital format?
Yes, you can request your medical records in the format you prefer, like electronic or paper copies. HIPAA requires providers to accommodate your request if they can do so without significant difficulty.
If your provider cannot produce the records in your preferred format, they must offer an accessible alternative. They are also required to respond to your request within 30 days and may only charge reasonable fees that cover the cost of copying, mailing, or preparing the records. If your provider refuses or delays without a valid reason, this may be a HIPAA violation.
What are the penalties for violating HIPAA?
As of March 2025, HIPAA violations incur fines from $141 to $2,134,831 per violation, depending on culpability:
- Tier 1 (unintentional violations): $141–$35,581.
- Tier 2 (breaches due to reasonable cause): $1,424–$71,162.
- Tier 3 (willful neglect corrected within 30 days): $14,232–$71,162.
- Tier 4 (uncorrected willful neglect, the highest fines): $71,162–$2,134,831.
These fines adjust annually for inflation, and severe cases may result in criminal charges, reputational harm, and mandatory corrective actions.