Definition of HIPAA violations
HIPAA violations result when someone fails to comply with the rules defined in the 1996 Federal Health Insurance Portability and Accountability Act (HIPAA). The rules focus on protecting patients’ protected health information (PHI).
There are a wide range of HIPAA violations that can occur when PHI is mishandled. HIPAA violations can be as simple as an employee losing a mobile device with access to PHI to misconfigured IT systems. The main HIPPA rules are:
- HIPAA Privacy Rule
The HIPAA Privacy Rule protects individuals’ PHI and medical records, restricting how they can be used and disclosed without gaining a patient’s authorization. It also grants patients the right to access a copy of, inspect, and request corrections to their medical records.
To avoid HIPAA violations, patients must be given access to the following forms related to the HIPAA Privacy Rule:- Authorization for Use or Disclosure Form
- Notice of Privacy Practices (NPP) Form
- Privacy Complaint Form
- Request for Accounting Disclosures Form
- Request for Restriction of Patient Health Care Information
- Request of Access to Protected Health Information (PHI)
- HIPAA Security Rule
The HIPAA Security Rule regulates the protection of electronic PHI. It defines the standards, methods, and procedures for how electronic PHI can be accessed, stored, and transmitted. There are three safeguard levels of security.
1. HIPAA administrative safeguards make up more than half of the HIPAA Security Rule. The administrative safeguards define how security measures should be selected, developed, implemented, and maintained to protect electronic PHI from threats and vulnerabilities. This includes access controls, incident response, and security awareness training.
2. HIPAA technical safeguards deal with the encryption and authentication methods used to have control over data access. The HIPAA technical safeguards specify what should be implemented to protect electronic PHI from unauthorized access.
This includes systems for user verification and automatic log-off to prevent unauthorized access when devices are left unattended. The HIPAA technical safeguard specifies that encryption should be used to protect electronic PHI.
3. HIPAA physical safeguards detail what protections are required for electronic systems, data, or equipment with electronic PHI. Risk assessment, analysis, and management protocols for hardware, software, and data transmission are covered under HIPPA physical safeguards. It also includes measures to protect buildings, equipment, and IT systems from unauthorized intrusion and natural and environmental issues (e.g., earthquakes or failure of HVAC systems). - HIPAA Transaction Rule
The HIPAA Transaction Rule establishes a set of codes to standardize the electronic exchange of PHI. The objective of this code is to ensure the accuracy, safety, and security of electronic PHI. - HIPAA Identifiers Rule
The HIPAA Identifiers Rule requires that electronic PHI transactions include three unique identifiers for covered entities:
1. National Provider Identifier (NPI)—a 10-digit number used for covered healthcare providers
2. National Health Plan Identifier (NHI)—an identifier used to identify health plans and payers under the Center for Medicare & Medicaid Services (CMS)
3. Standard Unique Employer Identifier—an identifier for employer entities in HIPAA transactions that is comparable to the federal Employer Identification Number (EIN) - HIPAA Enforcement Rule
The HIPAA Enforcement Rule covers five key areas related to HIPAA violations:- Application of HIPAA security and privacy requirements
- Mandatory federal privacy and security breach reporting requirements
- Privacy requirements, accounting disclosure requirements, and restrictions on sales and marketing
- Criminal and civil penalties, as well as methods for addressing HIPAA violations
- Stipulation that all new security requirements must be included in all Business Associate contracts
- HIPAA Breach Reporting Rule
The HIPAA Breach Notification Rule requires notification of data breaches, if PHI has been compromised. In this case, patients and the U.S. Department of Health and Human Services (HHS) must be notified. Failure to do so will result in a HIPAA violation.
These far-reaching HIPAA rules apply to nearly anyone who works with PHI. This means most people who work with or around PHI could be responsible for HIPAA violations. These include:
- Business associates of covered entities, such as volunteers, interns, contractors, and trainees
- Employees
- Health care clearinghouses
- Health plans
- Healthcare providers
- Hospital staff
- Insurance providers, agents, and brokers
- Lab employees
- Medicare prescription drug card sponsors
- Pharmacy employees
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for enforcing HIPAA rules and responding to HIPAA violations. This includes:
- Investigating HIPAA violation complaints
- Conducting reviews to determine if covered entities are in compliance and identifying any violations
- Performing education and outreach to foster compliance with the rules’ requirements and reduce violations
According to the OCR, the three most common HIPAA violations are:
1. Impermissible uses and disclosures of PHI
2. Insufficient safeguards to ensure the confidentiality, integrity, and availability of PHI
3. Lack of patient access to PHI
Additional HIPAA violations include:
- Failure to conduct a risk analysis
- Failure to document compliance efforts
- Failure to encrypt PHI
- Failure to enter into a HIPAA-compliant Business Associate Agreement before sharing PHI
- Failure to implement access controls to limit who can view PHI
- Failure to maintain and monitor PHI access logs
- Failure to manage risks to the confidentiality, integrity, and availability of PHI
- Failure to notify an individual (or the OCR) of a security incident involving PHI within sixty days of the discovery of a breach
- Failure to provide HIPAA compliance and security awareness training
- Failure to provide patients with an accounting of disclosures on request
- Failure to terminate access rights to PHI when no longer required
- Improper disposal of PHI
- Improper use of PHI for marketing purposes
- Sharing of PHI online or via social media without permission
- Theft of patient records
- Unauthorized release of PHI to individuals not authorized to receive the information
Examples of common HIPAA violations
Disclosing incorrect patient information
Any sharing of inaccurate information about a patient, even accidentally, is a HIPAA violation.
Discussions about patients’ PHI in a public setting
People create HIPAA violations when they discuss a patient’s health matters within earshot of someone not connected to the treatment.
Failing to perform an organization-wide risk analysis
To avoid HIPAA violations, organizations must analyze risks to gain insight into vulnerabilities. The HIPAA Security Rule details what should be covered in the risk analysis.
Neglecting to include security requirements in contracts
HIPAA violations can result from failing to include HIPAA security requirements in contracts with vendors and partners.
Improper disposal of PHI
Digital and physical PHI must be appropriately disposed of, or organizations can be at risk for HIPAA violations. Improper disposal of PHI can range from failing to shred papers before putting them in the trash to not permanently deleting records from digital devices.
Insufficient safeguards for digital devices that might be stolen
Any digital device can be stolen, but the smaller ones put organizations at enhanced risk, because they are so easy to take.
All devices, from computers and laptops to handheld devices and USB drives, should be protected with precautions taken to ensure that PHI is inaccessible.
HIPAA violations related to lost and stolen devices result when these devices lack encryption and robust access controls.
Lack of HIPAA compliance training
Compliance training is required, along with documentation about the training. Failing to provide compliance training or being unable to show acceptable documentation is a common cause of HIPAA violations.
Mishandling medical records
User error that results in the mishandling of medical records often leads to HIPAA violations. This can be as simple as leaving paper records sitting on a desk or leaving a monitor screen open to a view of PHI and leaving it unattended.
Poor preparation for cyber attacks
Cyber attacks are to be expected; HIPAA violations can occur when organizations fail to take the threats seriously. A lack of systems and processes leaves PHI at heightened risk of unauthorized access.
Sharing PHI without authorization
Failing to get written consent to share PHI is one of the more common HIPAA violations.
Transferring PHI without using encryption
Transmitting PHI via any unencrypted channel can create HIPAA violations.
How HIPAA violations are discovered
Many HIPAA violations are discovered through internal and third-party audits. Other HIPAA violations are reported by an employee or partner who becomes aware of an infraction. State and federal agencies also conduct spot checks and compliance investigations that uncover HIPAA violations.
An OCR audit pool investigates organizations based on random selection, pre-screening questionnaires, and pool selection, as well as in response to a complaint. State attorneys general also have the power to investigate HIPAA violations related to data breaches. These investigations are commonly instigated when complaints are filed about potential HIPAA violations and when reports of PHI being compromised in a data breach.
How to avoid HIPAA violations
Widely accepted best practices for avoiding HIPAA violations include:
- Check authorization records before disclosing PHI
- Destroy PHI when it is no longer needed
- Do not leave physical files or devices with PHI unattended
- Enforce the practice of only discussing PHI in private settings
- Include HIPAA security requirements in all contracts
- Keep track of where PHI is stored, who has access to it, and what systems are in place to protect it
- Protect systems that hold PHI with strict access controls
- Regularly perform a risk analysis
- Restrict the transmission of PHI to encrypted channels
- Train employees and document the training
Civil HIPAA violations and enforcement
The OCR usually prefers remediation mandates over punitive measures when responding to HIPAA violations. However, for more significant issues, penalties for HIPAA violations are civil disciplinary actions, except in the cases where they are deemed serious enough to be criminal.
The four tiers of HIPAA violations and related penalties for civil cases are as follows.
- Tier one civil HIPAA violations
The people or organizations are not aware that they have committed HIPAA violations and could not reasonably be expected to know about or prevent it. In addition, they are taking meaningful steps to ensure HIPAA compliance. Referred to as the Unknowing Penalty range, these violations can incur fines of $100 to $50,000 per violation, with an annual maximum of $25,000 for repeat violations. - Tier two civil HIPAA violations
The people or organizations knew about the HIPAA violations or should have known about the offenses, but could not have avoided them. Additionally, they are taking sufficient steps to remediate the violations. Referred to as the Reasonable Cause Penalty range, these violations result in fines ranging from $1,000 to $50,000 per violation, with an annual maximum of $100,000 for repeat violations. - Tier three civil HIPAA violations
The people or organizations show willful neglect of the HIPAA Rules. However, they have corrected the HIPAA violations and mitigated the impact within thirty days of discovery. Referred to as the Willful Neglect penalty range, these files can range from $10,000 to $50,000 per violation, with an annual maximum of $250,000 for repeat violations. - Tier four civil HIPAA violations
The people or organizations show willful neglect of the HIPAA Rules and have made no effort to correct the issues or mitigate the effects within thirty days of discovery. Referred to as the Willful Neglect with No Attempt to Correct Penalty range, these HIPAA violations start at $50,000 per violation, with an annual maximum of $1.5 million.
Criminal HIPAA violations and enforcement
A HIPAA violation can be criminal under the Social Security Act. HIPAA violations that would be considered felony offenses include the deliberate and wrongful disclosure of PHI for:
- Commercial advantage
- Malicious harm
- Monetary gain
- Personal gain
Most of these types of HIPAA violations are handled by the Department of Justice, which is authorized to impose fines and penalties based on the severity of the crime.
- Tier one criminal HIPAA violations
Someone who knowingly obtains or discloses PHI can face fines of up to $50,000 and up to one year in prison. - Tier two criminal HIPAA violations
HIPAA violations committed under false pretenses carry fines of up to $100,000 and up to five years in prison. - Tier three criminal HIPAA violations
If someone fraudulently obtains PHI with the intent to sell, transfer, or use it for commercial advantage, malicious harm, or personal gain, they can face fines of up to $250,000 and up to 10 years in prison.
Respect for HIPAA helps avoid violations
Without a doubt, staying clear of HIPAA violations takes a significant investment of time and other scarce resources. However, the consequences of HIPAA violations are serious. In addition to the penalties, organizations can face serious reputational damage. Avoiding HIPAA violations provides not only the peace of mind that accompanies compliance, but an overall improvement to security and privacy systems and processes.