According to HIPAA Journal, nearly 20.2 million medical records were breached in the first half of 2022 alone. The most common HIPAA violations happen while sharing or accessing patient data, or because suitable security measures aren’t in place.
Both intentional and unintentional HIPAA violations can damage your reputation and patient trust, and cost your organization thousands of dollars in fines.
Read on to explore HIPAA violation examples in the healthcare industry, and discover best practices that covered entities and their business associates can follow to meet HIPAA compliance.
What is a HIPAA violation?
Passed in 1996, the Health Insurance Portability and Accountability Act (HIPAA) establishes measures to safeguard individuals’ medical records and other healthcare information.
Failure to follow HIPAA laws is a violation. It happens when an organization doesn’t protect an individual’s Protected Health Information (PHI). For example, a healthcare worker leaves patient records on their computer screen while they grab a coffee, a hospital releases patient data to a third party, or a doctor denies a patient access to their medical records.
The US Department of Health and Human Services (HHS) issued five rules that help healthcare organizations meet HIPAA regulations.
Who needs to follow the HIPAA rules? All HIPAA-covered entities and healthcare providers, such as:
Healthcare clearing houses.
Business associates who provide services to healthcare providers.
The HIPAA rules define how healthcare workers and covered entities should proceed when they handle medical records. Each of them focuses on a different aspect of the HIPAA act. For example, the Privacy Rule gives patients rights over their health data and the Omnibus Rule establishes a patient’s right to control their data, while the Breach Notification Rule sets out the procedures for reporting a data breach.
HIPAA violation costs: facts and figures
Lack of HIPAA compliance can lead to data breaches, data leaks, or losses. Almost 95% of all identity theft incidents come from stolen medical records. Such health information is worth about 50 times more than credit card information.
HIPAA-related incidents have been growing in recent years. Experts predict that the healthcare sector will keep facing significant cyber threats. Around 75% of surveyed covered entities and their business associates revealed they are unprepared for cybersecurity threats. Not following HIPAA law puts their patient data and medical records at risk of exposure.
According to the HIPAA-violation trends report, hacking and ransomware attacks are the most common reasons for compromising medical records and patient data. Below are some numbers about healthcare data breaches in 2022.
Exposing HIPAA violations
Some HIPAA violations go on for months or even years. The longer they continue, the greater the penalty that follows. That’s why every covered entity must conduct HIPAA compliance reviews regularly. This way, it can find and correct HIPAA violations before regulators identify them.
Some HIPAA law violations are disclosed through self-reporting. It is often the responsible healthcare workers of covered entities or their business associates that report HIPAA violations to the Office for Civil Rights (OCR). OCR then launches an investigation into a complaint and finds out whether the entity is in breach of HIPAA rules.
OCR also reveals HIPAA violations through internal audits of covered entities. These audits are completed based on a random selection or a reported complaint.
HIPAA violation examples in close-up
The most common types of HIPAA violations presented below are committed by covered entities. With each type of breach, there is a real-life example.
A lack of risk analysis
Organization-wide risk analysis should regularly check for any vulnerabilities to the confidentiality and integrity of PHI. A failure to perform the analysis may result in cyberattacks and loss of data.
A few years ago, Premera Blue Cross, a large Washington-based health plan company, discovered a breach of the ePHI of over 10 million individuals. The OCR investigation found that the health insurer didn’t conduct a regular risk analysis. As a result, the company paid a record-high fine of $6.85 million.
Unauthorized disclosure of Protected Health Information
Exposing Protected Health Information is not allowed by the HIPAA Privacy Rule. If a hospital discloses PHI to a patient’s employer or the public, they violate the law, like in the case of St. Luke’s-Roosevelt Hospital.
A member of the hospital staff sent a patient’s sensitive information, such as their sexual orientation, mental health diagnosis, and HIV status, to their employer. To resolve this HIPAA violation, the hospital had to pay OCR $387,200.
Failure to safeguard PHI on electronic devices
Using encryption is one of the best ways to prevent data breaches. Although encryption is not mandatory under the HIPAA rules, an entity that chooses not to encrypt should apply other, equivalent security measures. Breaches of encrypted PHI don’t have to be reported unless the key to decrypt the data is stolen as well.
A staff member of a Dallas-based Children’s Medical Center lost a Blackberry device holding the ePHI of 3,800 patients. As the device was neither encrypted nor password-protected, the patient data was exposed. The hospital had to pay a $3.2 million penalty.
Accessing PHI without necessary permission
Prying into the medical data of friends, family, neighbors, and celebrities is one of the most common HIPAA violations committed by employees. It violates a patient’s privacy and breaks the law.
One of the doctors at the University of California Los Angeles Health System accessed the medical records of celebrities without authorization 32 times. Soon after it was discovered, he was dismissed and sentenced to four months in federal prison.
Inappropriate disposal of Protected Health Information
HIPAA law states that if PHI or ePHI is no longer required, it must be securely and permanently destroyed. Paper records should be shredded or pulped, and ePHI securely wiped or the electronic devices on which it was stored destroyed.
A worker at FileFax, a company that offers storage of medical records, took documents containing PHI to a recycling facility and sold them. In total, the records of 2,150 patients were compromised and the company suffered a $100,000 penalty.
Delaying the 60-day deadline for a breach notification
According to the Breach Notification Rule, a breach must be reported within 60 days following the date of its discovery. Exceeding this time is one of the HIPAA violations.
Oklahoma State University Center for Health Sciences, a public research institution, had to pay an $875,000 settlement to HHS for delayed breach notifications. Due to a hacking attack, the ePHI of 297,865 individuals was lost.
Lack of a HIPAA-compliant business associate agreement
According to the HIPAA Rules, every business associate or vendor that is given access to PHI must first have a HIPAA-compliant business associate agreement in place. Failure to do so is a HIPAA violation.
North Memorial Health Care of Minnesota gave its business associate Accretive Health Inc. access to PHI without such an agreement in place. As a result, a database with the ePHI of 289,904 patients was compromised.
Best practices for avoiding HIPAA violations
How can you avoid HIPAA breaches? Here are a few things to bear in mind:
Use encryption and limit access to devices and data based on each employee’s role.
Carry out regular risk analysis.
Make sure your business associates’ contracts meet HIPAA compliance.
Train your employees on HIPAA rules and how to access PHI.
Establish a protocol to check the authorization to access medical records and PHI.
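The access-control practices listed above, together with the snooping case under “Accessing PHI without necessary permission”, in working code. This is an added example that is not part of the original article and not NordLayer’s product code. It is a small Python PHI store that runs every read through one authorization gate (role-based minimum-necessary fields plus a treatment or billing relationship with the patient), records every attempt in an audit log, and a review routine that surfaces the two patterns a privacy officer would want to see: repeated denied accesses to unassigned patients and every emergency “break-glass” access. The role names, patient IDs, record contents and the review threshold are constructed assumptions, not values from the article.

```python
from collections import Counter
from dataclasses import dataclass

# Minimum-necessary policy: fields each role may view (constructed sample, not a standard).
ROLE_FIELDS = {
    "physician": {"demographics", "diagnosis", "medications"},
    "billing": {"demographics", "billing_codes"},
}


@dataclass(frozen=True)
class User:
    user_id: str
    role: str
    assigned_patients: frozenset  # patients with a treatment or billing relationship


@dataclass(frozen=True)
class AuditEvent:
    user_id: str
    patient_id: str
    fields: tuple
    granted: bool
    reason: str


class PhiStore:
    """Holds ePHI records; every read passes through one authorization gate."""

    def __init__(self, records):
        self._records = records
        self.audit_log = []  # every attempt is recorded, granted or denied

    def _log(self, user, patient_id, fields, granted, reason):
        self.audit_log.append(
            AuditEvent(user.user_id, patient_id, tuple(sorted(fields)), granted, reason))

    def read(self, user, patient_id, requested, break_glass_reason=None):
        requested = set(requested)
        permitted = ROLE_FIELDS.get(user.role, set())  # unknown role: nothing permitted
        # The relationship check runs before any record lookup, so a denied caller
        # learns nothing about whether the patient exists.
        if patient_id in user.assigned_patients:
            reason = "assigned patient"
        elif break_glass_reason:
            reason = "break-glass: " + break_glass_reason  # allowed, but always reviewed
        else:
            self._log(user, patient_id, requested, False, "no treatment relationship")
            raise PermissionError("no treatment relationship with patient")
        # Release only what was asked for AND what the role allows; log what was released.
        released = requested & permitted
        if not released:
            self._log(user, patient_id, requested, False, "no permitted fields")
            raise PermissionError("role may not view any requested field")
        self._log(user, patient_id, released, True, reason)
        return {f: self._records[patient_id][f] for f in released}


def review_audit_log(log, denied_threshold=3):
    """Findings for a privacy officer: repeated denials against unassigned
    patients (the snooping pattern) and every break-glass access."""
    denied = Counter(e.user_id for e in log
                     if not e.granted and e.reason == "no treatment relationship")
    findings = [f"{u}: {n} denied accesses to unassigned patients"
                for u, n in sorted(denied.items()) if n >= denied_threshold]
    findings += [f"{e.user_id}: break-glass access to {e.patient_id} ({e.reason})"
                 for e in log if e.granted and e.reason.startswith("break-glass")]
    return findings


def run_scenario():
    """Constructed sample data: two patient records and two staff users."""
    records = {
        "P-1001": {"demographics": "J. Doe, 1980", "diagnosis": "hypertension",
                   "medications": "lisinopril", "billing_codes": "I10"},
        "P-1002": {"demographics": "A. Roe, 1975", "diagnosis": "asthma",
                   "medications": "albuterol", "billing_codes": "J45"},
    }
    store = PhiStore(records)
    dr_lee = User("dr_lee", "physician", frozenset({"P-1001"}))
    clerk = User("clerk_ray", "billing", frozenset({"P-1002"}))
    # Physician also asks for a billing field; only role-permitted fields come back.
    seen = store.read(dr_lee, "P-1001", ["diagnosis", "billing_codes"])
    # Billing clerk repeatedly opens an unassigned patient's chart: denied and logged.
    for _ in range(3):
        try:
            store.read(clerk, "P-1001", ["diagnosis"])
        except PermissionError:
            pass
    # Emergency consult on an unassigned patient: allowed, but flagged for review.
    store.read(dr_lee, "P-1002", ["medications"], break_glass_reason="ER consult")
    return seen, store


if __name__ == "__main__":
    seen, store = run_scenario()
    print("released to dr_lee:", seen)
    for finding in review_audit_log(store.audit_log):
        print("REVIEW:", finding)
```

Two design choices matter here. Denied attempts are logged with the same detail as granted ones, because the UCLA-style snooping case is only detectable from the failures. And break-glass access is permitted rather than blocked, since a hard block in an emergency pushes staff toward shared logins, but every such access lands in the review output so it can be justified after the fact.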
Want to make sure your business is in the clear? Check out NordLayer’s HIPAA compliance checklist.
Frequently asked questions about HIPAA violations
The most popular questions mainly focus on the process when an organization has a breach or a patient or an employee wants to file a complaint. Some questions are about how OCR audits an entity. Here is our short guide on how to proceed with HIPAA violations.
Where can a HIPAA violation be reported?
Anyone can file a complaint about a HIPAA violation with the US Department of Health and Human Services (HHS). Go to the online complaint portal and start there. You should notify HHS within 180 days. HHS makes exceptions for complaints filed later, but you need to show a good reason.
How to report HIPAA violations anonymously?
The Office for Civil Rights (OCR) starts an investigation only if there is a name and contact information in a complaint report. If you wish to remain anonymous, you can still download a complaint form and email it to OCR. In this case, OCR won’t take any action against the entity in question.
You can also ask OCR to keep your information private. This can protect you from backlash, as your name won't be revealed to the entity that is being investigated.
Who may sue for a HIPAA violation?
Can you, as an individual, sue for HIPAA violations? Not really. Patients can’t sue covered entities for a HIPAA violation. However, they have options to recover damages if they suffered harm following a privacy breach. They can bring a case against a provider on a related issue when they suffer injuries. It is OCR or state attorneys general that bring lawsuits against violators. They protect future individuals from harm, but they don't provide relief for an affected individual.
What information is not protected by HIPAA?
HIPAA doesn't apply to “research health information” (RHI) kept only on the researcher’s records.
What information can be shared without violating HIPAA?
PHI can be shared without violating HIPAA in the following cases:
for a permissible use
when the entity sharing the information has obtained written authorization from the subject of the information
What is the difference between a HIPAA violation and incidental disclosure?
Incidental disclosure is allowed when it is unavoidable and occurs during a compliant activity. But if, as a result, the Privacy Rule is broken, it is a HIPAA violation. For example, an incidental HIPAA disclosure takes place when a business associate representative enters a treatment facility and sees a patient in the waiting room. They learn the identity of the patient, but they have a compliant Business Associate Agreement (BAA) in place and are visiting the facility to carry out the work described in the BAA.
How can NordLayer help?
Handling your Protected Health Information, such as medical and patient records, can be challenging. Unprotected data stays vulnerable to theft or leaks and may result in HIPAA violations. This can be damaging to your business reputation and bottom line. NordLayer can help you protect sensitive information and ensure safe access to your resources.
NordLayer’s solutions also make it easier to meet HIPAA regulations, without advanced steps or long deployments. This means you can control access to every data security endpoint, making sure that only authorized people can access sensitive resources. If you want to know more about how to achieve HIPAA compliance with NordLayer, contact us.