Any action on the part of a covered entity or its business associates that allows unauthorized access to a consumer's identifiable medical information is a HIPAA violation, says the U.S. Department of Health and Human Services. This covers everything from letting an unauthorized person view a patient's chart to a full data breach.
The DHHS cites a number of specific examples of HIPAA violations that occurred in 2014. In one case, an unencrypted laptop was stolen from the physical therapy department of a health care provider, resulting in the theft of an unknown number of patient medical records. In another, a nursing home dumped 71 boxes of medical records in the driveway of a physician's home, in full view of the public and accessible to anyone who walked by. Several other cases involved the theft of unencrypted or improperly secured patient data, which is the most common cause of HIPAA complaints, says Online Tech. However, simple employee errors, such as talking about a patient's condition in a way that can be overheard by another person, or providing health information to a family member without a patient's express consent, also constitute HIPAA violations, Online Tech explains.
The Health Insurance Portability and Accountability Act applies to all health plans, health care providers and many of the businesses that supply administrative support in the health care field, such as billing companies and companies that store and destroy medical records, explains the DHHS. These so-called covered entities are forbidden by law from allowing third-party access to a consumer's identifiable medical information, or any other information protected by federal privacy laws, without the consumer's consent.