
How to Handle HIPAA Violations

A patient’s medical history is immensely valuable. As a healthcare provider, it’s an essential duty on your part to protect against any violations of patient privacy. Unfortunately, this isn’t always possible. 

Even the best-run offices can fall victim to an information breach. Skilled hackers constantly prowl the internet looking for people's medical data, and sometimes your network defenses can't hold them off.

Other times, a member of your own staff may have slipped up and broken confidentiality. Whatever the case, it's important to know how to handle HIPAA violations when they occur.

If it’s never happened to you before, you may have no clue how to handle HIPAA violations. After all, they should be rare. Nevertheless, as a doctor, you must know what to do in these situations.

Because of this, we’ve compiled this guide on how to handle violations. We hope it helps!


1. How to Handle HIPAA Breaches

Before we begin this section, we cannot stress enough how important it is to prevent HIPAA breaches from happening in the first place. Be sure you have sufficient technical, physical, and administrative safeguards in place to protect the protected health information (PHI) you hold.

Also, make sure to regularly hold training for your staff and personnel on HIPAA requirements. This way, everybody in the office is better equipped to prevent such an event from occurring.

Let's discuss what you need to do in the event of a breach. HIPAA violations can result in fines ranging from $115 to over $50,000, depending on the scale of the violation.

To avoid this, there are actions you can take if you suspect a breach has happened.

Stop the Breach From Continuing

An immediate response can mitigate or even avert the damage of a HIPAA breach. These measures include terminating any improper access to PHI and retrieving any PHI that was disclosed.

Furthermore, obtain a written assurance from any PHI recipients that they have not used this private information. Take care to document your process for accountability purposes. 

Contact Your Privacy Officer

Any system that holds secured PHI has a designated privacy officer whom you are to contact if anything goes wrong. If a PHI breach happens, contact the privacy officer responsible for that information. That officer will know how best to handle the situation.

Respond Immediately

If you suspect a breach has happened, you must react as soon as possible. It's incumbent on you to mitigate the breach as much as you can.

Additionally, if you act decisively, you may be able to prevent further breaches from occurring. This is a pivotal factor in determining whether you have to report the breach.

Lastly, if you can settle the breach and correct the problem within 30 days, you will likely avoid facing penalties.

Hold an Appropriate Investigation

When a breach happens, it’s imperative to confirm all the usual details. Identify both the perpetrators and victims, how the breach happened, when, why, and by what means.

Next, you’ll need to confirm what sort of PHI the perpetrators accessed and in what amounts. Once all of this is done, ensure that it cannot happen again. 

When you hold your investigation, be patient and avoid panicking. Sometimes the investigation reveals that no breach occurred. Because of this, do your best to avoid any rash or rushed action.


HIPAA Patient Complaints

We’ve covered what to do in the event of a breach. However, what do you do when a patient files a complaint about HIPAA violations?

This sort of scenario could arise in several ways. Consider this possibility. Let's say somebody on your staff emails a patient his requested PHI but, in doing so, accidentally cc's another, unauthorized person.

It was an honest mistake, but your patient has filed a complaint. Do you know how to handle it? In this section, we’ll advise you on how to deal with situations like this one. 

Respond Promptly

As with a HIPAA breach, a patient's complaint demands a prompt response. The best thing to do is ask the patient to put their complaint in writing. Throughout, avoid any action that the patient could perceive as retaliatory.

When the patient has submitted their complaint, you must turn the case over to the privacy officer. The officer will then determine whether a HIPAA violation has taken place.


As with a breach, you should conduct an investigation. Establish the facts and the root cause of the violation.

As you investigate, pay close attention to your internal policies as your guidelines for whether a violation happened. Also, make sure you interview all staff determined to be involved in the incident. 


If it turns out there was indeed a violation, then you must begin mitigating any damaging effects as soon as possible. The extent to which you can minimize these effects determines whether you must report the case. 

Moreover, successful mitigation also determines whom you must report the case to. Depending on how widespread the violation is, you may need to report the situation to local media or HHS. 

Further Measures

If a violation has happened, you’ll need to consult with HR to determine how to discipline the involved personnel. 

As the case proceeds, follow up with the patient to inform them of the complaint's resolution; your privacy officer will handle this update. Lastly, compile your documentation and keep it on file for accountability purposes.


HIPAA Violations: How to Report Them

If you're wondering how to report HIPAA violations, you need to consider a few things. What is the scope of the breach? Is only one person affected, or hundreds? The breadth determines whom you must report the situation to.

There are also exemptions, which you can learn more about by reading federal regulations.


Maintain Your Security

As a healthcare professional, you must prevent HIPAA violations as much as possible. Not only is it ethical, but it’s also a lot easier. As you can see, a data breach causes a lot of stress and office turmoil.

To prevent this from happening, invest in HIPAA compliance services today! These services can save you a tremendous amount of stress and help keep your PHI safe.

HIPAA Security Reminders

HIPAA Security Suite has developed a weekly HIPAA Security Reminder series that’s FREE for all of us who are responsible for, or engaged in, the use and protection of PHI.

Pursuant to Section 164.308(a)(5) of the HIPAA Security Rule, the Standard states: Implement a security awareness and training program for all members of its workforce (including management).

This standard is part of our Best Practices Recommendations for HIPAA Security Suite users, but it’s available for FREE to anyone who wants to comply with HIPAA using the easiest, best tools available.
