2023 set a record for health data breaches. There were 737 incidents reported to HHS, affecting nearly 144.6 million people. The most common Health Insurance Portability and Accountability Act (HIPAA) violations happen while sharing or accessing patient data.
Both intentional and unintentional HIPAA violations can damage your reputation and patient trust. They may also cost your organization thousands of dollars in fines. In this article, we’ll explore HIPAA violation examples in the healthcare industry and best practices that help covered entities and their business associates meet HIPAA compliance.
What is a HIPAA violation?
A HIPAA violation occurs when there is an unauthorized use or disclosure of Protected Health Information (PHI). As HIPAA provides data privacy and security provisions for safeguarding medical information, businesses can be held accountable if they breach the act.
Types of HIPAA violations
Any organization that deals with protected health information (PHI) must ensure that all the required physical, network, and process security measures are in place and followed. Failing to do so may constitute a HIPAA violation. Violations fall into two categories, intentional or unintentional, based on their nature and underlying cause:
Unintentional violations
Unintentional HIPAA violations are those that occur without malice or intent to misuse PHI. These violations often result from mistakes, negligence, or a lack of awareness regarding HIPAA regulations.
- Accidental disclosure. These occur when PHI is accidentally disclosed without malice, such as sending information to the wrong recipient or discussing patient information in a public area.
- Lack of awareness. Unintentional violations can also occur due to ignorance or a lack of understanding of HIPAA regulations. Employees might not be fully trained or aware of all the HIPAA requirements.
Common examples include misdirected emails containing PHI, discussing patient information in public areas, or accidentally leaving patient records exposed to unauthorized individuals.
The penalties for unintentional violations tend to be less severe than for intentional violations, but they still can be substantial depending on the extent and impact of the violation.
Intentional violations
Intentional HIPAA violations involve willful neglect or deliberate acts of accessing, using, or disclosing PHI without authorization.
- Purposeful acts. These occur when someone knowingly and willingly violates HIPAA regulations, for example by accessing, using, disclosing, or selling protected health information without proper authorization.
- Malicious intent. Intentional violations often have a malicious motive, such as theft of PHI for financial gain, for personal reasons, or to harm the patient or the entity.
Intentional violations carry severe penalties, including higher fines and potential criminal charges.
Examples of common HIPAA violations
A HIPAA violation encompasses a range of infractions, from intentional to accidental ones. For this reason, it’s crucial for employees and employers to be informed about specific examples of HIPAA violations to avoid costly penalties.
Unauthorized disclosure of PHI
Unauthorized disclosure happens when PHI is shared without the patient's consent or without a valid reason, as per HIPAA rules. It could be an act of an employee talking about a patient’s condition to a friend or a family member or administrative staff unintentionally sending PHI to the wrong recipient via email or post.
A dental practice in North Carolina, run by Dr. U. Phillip Igbinadolor and associates, was fined $50,000 for mishandling a patient's private health information online. The US Department of Health and Human Services Office for Civil Rights launched an investigation after a patient complained.
In 2015, the practice had responded to a negative Google review by revealing the patient's name, symptoms, and treatment details. When they didn't adequately address the requests for documentation from the Office for Civil Rights and didn't challenge the findings, it was determined that their actions showed "willful neglect not corrected."
Insufficient data security measures
Lack of adequate data security measures can lead to HIPAA violations. Insufficient safeguards may include weak passwords, unencrypted data, or unprotected networks that can be easily accessed by hackers or unauthorized personnel. Not having proper security policies in place is also regarded as insufficient data security measures.
Anthem, Inc. agreed to pay $16 million to the U.S. Department of Health and Human Services to settle the largest health data breach in U.S. history, impacting almost 79 million people. This breach, caused by a series of cyberattacks such as advanced persistent threats and spear phishing, exposed sensitive electronic protected health information (ePHI). This settlement, the biggest ever under HIPAA, follows Anthem's shortcomings in establishing robust cybersecurity measures, performing risk analyses, and controlling access.
Failure to notify affected parties
In the event of a breach, HIPAA mandates timely notification to the affected individuals and the Department of Health and Human Services (HHS). Delay or failure to provide such notification is a violation of the regulations.
Oklahoma State University's Center for Health Sciences (OSU-CHS) had to pay $875,000 and follow a corrective action plan after a cyberattack exposed the private health information of 279,865 people. This breach, reported in January 2018, happened when someone illegally accessed a web server in 2016. The investigation found several possible breaches of HIPAA, the law protecting health information. These include failure to report a data breach in a timely manner.
Absence of necessary agreements
HIPAA requires covered entities to have agreements with their business associates, ensuring the protection of PHI. Inadequate management of these agreements, such as failing to execute or renew them, may lead to violations.
North Memorial Health Care, a large non-profit healthcare system in Minnesota, was accused of not following two important health privacy rules. First, they didn't have a formal agreement with a key contractor to protect patient information. Second, they didn't do a thorough check-up to find and fix any risks to patient data. To resolve this, they had to pay $1,550,000 and follow a detailed plan to improve their practices.
Not providing essential HIPAA training
Employees who are not adequately trained on HIPAA policies and procedures can inadvertently cause violations. Regular training sessions should be conducted to ensure that all staff members are well-versed in maintaining the confidentiality and security of PHI.
Not securely disposing of PHI
Tossing old patient records into a regular trash bin or disposing of hardware containing PHI without wiping it first can expose sensitive information. Proper disposal methods, like shredding or secure electronic deletion, are essential.
The Office for Civil Rights, part of the U.S. Department of Health and Human Services, settled with CardioNet over a breach of HIPAA rules. CardioNet improperly exposed electronic health information that wasn't secure. To resolve this, they've agreed to pay $2.5 million and take steps to fix their privacy and security practices.
Failing to conduct regular risk assessments
Failing to conduct a comprehensive risk analysis and implement necessary risk management strategies leaves healthcare entities vulnerable to potential breaches. Continuous assessment and upgrading of security measures are imperative.
The Alaska Department of Health and Social Services (DHSS) has agreed to pay $1.7 million to the U.S. Department of Health and Human Services (HHS) for potential violations of the HIPAA Security Rule. This settlement follows a breach involving a stolen USB drive with personal health information of about 2,000 individuals. An investigation found that DHSS had insufficient policies for protecting this information, lacking in risk analysis and security measures.
HIPAA violation costs: facts and figures
Lack of HIPAA compliance can lead to data breaches, data leaks, or losses. Almost 95% of all identity theft incidents come from stolen medical records. Such health information is worth about 50 times more than credit card information.
HIPAA-related incidents have been growing in recent years. Experts predict that the healthcare sector will keep facing significant cyber threats. Around 75% of surveyed covered entities and their business associates revealed they are unprepared for cybersecurity threats. Not following HIPAA law puts their patient data and medical records at risk of exposure.
Hacking and ransomware attacks are the most common reasons for compromising medical records and patient data. Below are some numbers about healthcare data breaches in 2022.
How to discover HIPAA violations?
Some HIPAA violations go on for months or even years, and the longer they continue, the greater the penalty that follows. That’s why every covered entity must conduct HIPAA compliance reviews regularly. This way, it can find and correct HIPAA violations before regulators identify them.
Some HIPAA law violations are disclosed through self-reporting. Often, the responsible healthcare workers of covered entities or their business associates report HIPAA violations to the Office for Civil Rights (OCR). OCR then launches an investigation into a complaint and finds out whether the entity is in breach of HIPAA rules.
OCR also reveals HIPAA violations through internal audits of covered entities. These audits are completed based on a random selection or a reported complaint.
Best practices for avoiding HIPAA violations
Concerns regarding HIPAA violations vary between covered entities and individual healthcare workers due to the extensive scope of this law. Organizations should prioritize establishing robust systems and comprehensive training programs, while individual workers should take proactive measures to safeguard their professional paths.
Best practices for avoiding HIPAA violations for covered entities
For covered entities, to prevent HIPAA violations, it is essential to be well-prepared for audits by creating meticulous policies that align with the areas identified in your risk analysis. Some good practices would be:
- Conducting comprehensive risk analyses regularly.
- Documenting and maintaining records of employee training.
- Ensuring that contracts with business associates explicitly mandate HIPAA compliance, and maintaining a clear record of all related policies with these partners.
- Knowing where PHI is stored, understanding how it is accessed, and implementing robust policies for its protection.
Best practices for avoiding HIPAA violations for individuals
Meanwhile, for employees, providers, and contractors, the OCR provides directives for professionals outlining their obligations under HIPAA. One of the key strategies to prevent violations is to train employees on common areas of non-compliance. Consider:
- Implementing a systematic protocol to verify authorization prerequisites before divulging medical information, helping healthcare staff avoid HIPAA violations.
- Specifying permissible locations for discussing patient information.
- Instructing contractors on security best practices such as not sharing login details, avoiding leaving files or devices unguarded, and abstaining from discussing patient details on unsecured devices.
- Exercising restraint on social media. Highlight potential risks such as inadvertently compromising patient privacy by posting images or information, and consider disconnecting current patients from personal social media accounts.
- Appointing a dedicated officer for privacy and compliance to oversee inquiries, manage training initiatives, facilitate report generation, and conduct risk assessments. This is a beneficial practice, even for smaller organizations.
Reporting and responding to HIPAA violations
One of the major components of HIPAA is its Privacy Rule, which dictates how PHI should be used and disclosed. When these standards are not met, it's considered a HIPAA violation. Given the sensitivity of PHI, it's crucial to ensure that any potential violations are reported and responded to in an appropriate and timely manner. Here's a breakdown of the process.
1. Internal reporting
- Report to the entity involved. Start by reporting the violation internally within the organization where the breach occurred. This could be a hospital, clinic, insurance company, or any other covered entity.
- Contact the privacy officer. Each covered entity should have a designated privacy officer. Contact this officer to report the violation.
2. Filing a complaint with the Department of Health and Human Services (HHS)
- Online. You can file a complaint directly with the Office for Civil Rights (OCR) of HHS through their online portal.
- Mail or email. Complaints can also be sent via mail or email, following the instructions provided on the OCR website.
- Time frame. Make sure to file the complaint within 180 days of when you know that the act or omission complained of occurred.
3. State agencies
- State Attorney General. Some states may allow you to report HIPAA violations to the state attorney general’s office.
- State health department. Consider also reporting the violation to your state’s health department.
4. Details to include in the complaint
- Describe the violation. Provide a detailed description of what happened, including the date.
- Provide details about the covered entity. Include information such as the name and address of the covered entity involved.
- Personal information. Your contact information will be needed for follow-up, but anonymous complaints may also be considered.
5. Anonymity and retaliation protections
- Anonymity. If desired, ask whether you can file the complaint anonymously.
- Retaliation protections. Remember that under HIPAA, individuals are protected from retaliation for filing a complaint.
6. Follow-up
- OCR investigation. The OCR will investigate the complaint and determine whether there has been a violation.
- Outcome. Depending on the investigation’s outcome, corrective actions and penalties may be imposed on the violators.
Remember, the specifics may vary based on the nature of the violation, the type of covered entity, and state laws. Always refer to the most up-to-date resources and consult with legal experts if necessary for accurate guidance.
Frequently asked questions about HIPAA violations
Where can a HIPAA violation be reported?
A HIPAA violation can be reported to the Office for Civil Rights (OCR) under the Department of Health and Human Services (HHS). You can file a complaint online via the OCR complaint portal, by mail, or by email.
How to report HIPAA violations anonymously?
You can report HIPAA violations anonymously by calling the Department of Health and Human Services (HHS). You may also visit OCR’s website and file a complaint or mail it to them directly. Note that choosing to remain anonymous may limit the OCR's ability to investigate the complaint.
Who may sue for a HIPAA violation?
Individuals cannot directly sue for a HIPAA violation. Instead, complaints are made to the Office for Civil Rights (OCR), part of the U.S. Department of Health and Human Services (HHS), which enforces HIPAA regulations and determines and administers penalties.
What information is not protected by HIPAA?
Information unrelated to an individual’s past, present, or future physical or mental health, provision of health care, or payment for health care is not protected by HIPAA. De-identified health information, where identifiers have been removed to prevent identification of individuals, is also not protected by HIPAA.
What information can be shared without violating HIPAA?
Information that can be shared without violating HIPAA includes de-identified health information, where eighteen specific identifiers have been removed, and no remaining information can be used to identify the individual. In certain cases, health information can also be shared for treatment purposes, payment activities, and healthcare operations with the necessary protections and minimum necessary use in place.
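The Safe Harbor de-identification method behind that answer, as an added Python example (not the article's own code): it strips the 18 identifier categories from a record, generalizes dates to the year, ZIP codes to three digits and ages over 89 to a single bucket, and reports which fields of a record still carry an identifier. The field names and the sample record are assumptions made for the example.

```python
import re

# Field names are assumed for this example; the identifier categories and the
# ZIP, date and age rules come from the Safe Harbor standard (45 CFR 164.514(b)(2)).
DIRECT_IDENTIFIERS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_id", "url",
    "ip_address", "biometric_id", "face_photo", "other_unique_id",
}
GEO_BELOW_STATE = {"street", "city", "county", "precinct"}  # ZIP is handled below
# Three-digit ZIP prefixes with 20,000 or fewer residents (HHS guidance, 2000 Census).
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790", "821",
                   "823", "830", "831", "878", "879", "884", "890", "893"}
ISO_DATE = re.compile(r"^(\d{4})-\d{2}-\d{2}$")

def safe_harbor_deidentify(record):
    """Copy of `record` with the 18 identifier categories removed or generalized."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key in GEO_BELOW_STATE:
            continue  # dropped outright
        if key.endswith("_date"):  # keep only the year of an ISO date (YYYY-MM-DD)
            match = ISO_DATE.match(str(value))
            if match:
                out[key[:-5] + "_year"] = match.group(1)
        elif key == "zip":  # first three digits, or "000" for sparse prefixes
            zip3 = str(value)[:3]
            out["zip3"] = "000" if zip3 in RESTRICTED_ZIP3 else zip3
        elif key == "age":  # ages over 89 collapse into a single "90 or older" bucket
            out["age"] = "90+" if value > 89 else value
        else:
            out[key] = value  # clinical data, state, etc. stay as they are
    return out

def safe_harbor_violations(record):
    """Field names still carrying an identifier; an empty list passes the field check.
    Safe Harbor also requires no actual knowledge that what remains could identify
    the person, which no field filter can decide."""
    return sorted(k for k in record if k in DIRECT_IDENTIFIERS or k in GEO_BELOW_STATE
                  or k.endswith("_date") or k == "zip")

SAMPLE_RECORD = {  # constructed sample, not real patient data
    "name": "Jane Example", "ssn": "000-00-0000", "mrn": "MRN-12345",
    "street": "1 Example St", "city": "Anytown", "state": "NC", "zip": "27601",
    "email": "jane@example.invalid", "admit_date": "2023-04-17", "age": 92,
    "diagnosis": "hypertension",
}
```

Running `safe_harbor_violations` on the output of `safe_harbor_deidentify(SAMPLE_RECORD)` returns an empty list, while the raw record lists eight offending fields.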
What is the difference between a HIPAA violation and incidental disclosure?
A HIPAA violation refers to the failure to comply with the standards set by the Health Insurance Portability and Accountability Act (HIPAA), resulting in unauthorized access, use, or disclosure of protected health information (PHI). Incidental disclosure, on the other hand, is an accidental sharing of PHI that occurs despite following HIPAA rules and regulations.
Disclaimer: This article is for informational purposes only and not legal advice. Use it at your own risk and consider consulting a licensed professional for legal matters. Content may not be up-to-date or applicable to your jurisdiction and is subject to change without notice.