TL;DR: HIPAA violations often stem from weak access controls, missing training, unsecured devices, and poor vendor oversight, while OCR investigations and audits continue to surface failures across covered entities and business associates, according to StrongDM’s compliance guide. The governance lesson is clear: PHI protection depends as much on identity discipline and access logging as on policy language.
NHIMG editorial — based on content published by StrongDM: What Is a HIPAA Violation? 12 Most Common Examples
By the numbers:
- In 2022 alone, more than 40 million health records were compromised.
Questions worth separating out
Q: How should healthcare organisations reduce HIPAA violations tied to access control?
A: Focus on limiting who can reach PHI, why they can reach it, and how that access is recorded.
Q: Why do business associate relationships create HIPAA risk?
A: Because vendors often receive real access to PHI, not just contractual obligations.
Q: What breaks when employees share PHI through unsecured tools?
A: The organisation loses control over who can see, copy, or forward the data, and it may also lose the ability to prove whether the disclosure was authorised.
Practitioner guidance
- Lock PHI access to explicit business purpose: require approval, documented purpose, and session logging before any user can access patient records outside routine treatment workflows.
- Bind vendor access to business associate agreements: do not allow contractors, processors, or support vendors to touch PHI unless the agreement, scope, and revocation process are all in place.
- Review access logs for unauthorized viewing patterns: look for after-hours access, repeated record lookups, bulk downloads, and access to charts unrelated to the user’s assigned duties.
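As an added example (not code from StrongDM's guide or from NHIMG), the Python sketch below puts the first and third points into working form: a pre-access gate that lets routine treatment access through but requires a documented purpose and a recorded approval for anything else, and a log review that flags the four viewing patterns named above. The audit log lines, the patient-to-care-team mapping, the approval set, and the thresholds (business hours, bulk size, repeat count) are all constructed for illustration and would come from the EHR audit trail and access policy in practice.

```python
"""Added example: PHI access gate and access-log review (constructed data)."""
from collections import Counter
from datetime import datetime

BUSINESS_HOURS = range(7, 19)   # assumption: 07:00-18:59 counts as routine hours
BULK_THRESHOLD = 100            # assumption: an export of >= 100 records is "bulk"
REPEAT_THRESHOLD = 3            # assumption: > 3 views of one chart per day is flagged

# Constructed: which care teams each patient chart belongs to
PATIENT_CARE_TEAMS = {
    "P1001": {"cardiology"}, "P1002": {"cardiology"}, "P1003": {"billing"},
    "P1004": {"oncology"},   "P2001": {"billing"},    "P3001": {"oncology"},
}

# Constructed sample audit log. Fields:
# timestamp user department patient_id action record_count purpose ("-" = none given)
SAMPLE_LOG = [
    "2024-03-04T09:15:00 nurse01 cardiology P1001 view 1 treatment",
    "2024-03-04T09:20:00 nurse01 cardiology P1002 view 1 treatment",
    "2024-03-04T02:10:00 clerk07 billing P1003 view 1 billing",       # after hours
    "2024-03-04T10:00:00 analyst02 research P1004 view 1 -",          # no purpose, wrong team
    "2024-03-04T11:30:00 clerk07 billing P2001 export 500 billing",   # bulk download
    "2024-03-04T12:00:00 nurse01 cardiology P1001 view 1 treatment",
    "2024-03-04T12:05:00 nurse01 cardiology P1001 view 1 treatment",
    "2024-03-04T12:10:00 nurse01 cardiology P1001 view 1 treatment",
    "2024-03-04T12:15:00 nurse01 cardiology P1001 view 1 treatment",  # 5th view of P1001
    "2024-03-04T13:00:00 nurse01 cardiology P3001 view 1 treatment",  # oncology chart
]


def parse_event(line):
    """Split one audit line into a typed event dictionary."""
    ts, user, dept, patient, action, count, purpose = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "dept": dept,
            "patient": patient, "action": action, "count": int(count),
            "purpose": None if purpose == "-" else purpose}


def in_scope(ev):
    """True when the user's department is on the patient's care team."""
    return ev["dept"] in PATIENT_CARE_TEAMS.get(ev["patient"], set())


def is_routine_treatment(ev):
    """Routine workflow: treatment purpose by a member of the patient's care team."""
    return ev["purpose"] == "treatment" and in_scope(ev)


def gate_access(ev, approvals):
    """Pre-access decision. Routine treatment passes; everything else needs a
    documented purpose and a (user, patient) approval already on file."""
    if is_routine_treatment(ev):
        return True, "routine treatment"
    if ev["purpose"] is None:
        return False, "no documented purpose"
    if (ev["user"], ev["patient"]) not in approvals:
        return False, "no approval on file"
    return True, "approved non-routine access"


def review_log(lines):
    """Return (rule, user, patient) findings for the patterns named in the guidance."""
    events = [parse_event(line) for line in lines]
    findings = []
    for ev in events:
        if ev["ts"].hour not in BUSINESS_HOURS:
            findings.append(("after_hours", ev["user"], ev["patient"]))
        if ev["action"] == "export" and ev["count"] >= BULK_THRESHOLD:
            findings.append(("bulk_download", ev["user"], ev["patient"]))
        if not in_scope(ev):
            findings.append(("out_of_scope", ev["user"], ev["patient"]))
        if ev["purpose"] is None:
            findings.append(("no_purpose", ev["user"], ev["patient"]))
    # Repeated lookups: same user viewing the same chart many times in one day
    per_day = Counter((ev["user"], ev["patient"], ev["ts"].date())
                      for ev in events if ev["action"] == "view")
    for (user, patient, _day), n in per_day.items():
        if n > REPEAT_THRESHOLD:
            findings.append(("repeated_lookup", user, patient))
    return findings


if __name__ == "__main__":
    approvals = {("clerk07", "P2001")}  # constructed: one approved export
    for line in SAMPLE_LOG:
        print(gate_access(parse_event(line), approvals), line)
    for finding in review_log(SAMPLE_LOG):
        print("FLAG", finding)
```

The gate and the review are deliberately separate: the gate is the control that stops access without purpose or approval, and the review is the detective control that catches what the gate cannot express (timing, volume, repetition). In a real programme the care-team mapping would be derived from the scheduling or ADT system rather than hard-coded, and the thresholds would be tuned per role.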
What's in the full article
StrongDM's full compliance guide covers the operational detail this post intentionally leaves for the source:
- Step-by-step HIPAA violation categories mapped to daily workplace behaviours and access decisions.
- OCR reporting, complaint handling, and self-reporting workflow details for suspected breaches.
- Specific examples of employee, contractor, and vendor mistakes that create reportable PHI exposure.
- Practical access-management guidance for teams trying to reduce HIPAA violations in healthcare systems.
👉 Read StrongDM's guide to the 12 most common HIPAA violations →
HIPAA violation examples: what IAM teams should tighten first?
Explore further
HIPAA violation prevention is fundamentally an identity governance problem. The article’s examples consistently point back to access scope, training, logging, and third-party control rather than isolated compliance mistakes. That is why healthcare programmes should treat PHI protection as a governance system spanning people, devices, and vendors.
A few things that frame the scale:
- 73% of vaults are misconfigured, leading to unauthorised access and exposure of sensitive data, according to Ultimate Guide to NHIs.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
A question worth separating out:
Q: Who is accountable when a HIPAA breach happens?
A: Accountability usually sits with the covered entity, and sometimes with the business associate, depending on where the failure occurred. OCR can investigate both, so organisations need clear ownership for access control, training, vendor governance, and breach reporting before an incident happens.
👉 Read our full editorial: HIPAA violations expose access governance gaps in healthcare identity