Common HIPAA Violation Examples: Avoiding Compliance Mistakes

Few phrases fill healthcare professionals with more anxiety than “HIPAA violation.” From public disgrace to seven-figure fines, the last few years have shown just how serious non-compliance can be for organizations and individuals.  

But what are the most common HIPAA violations? And how can you ensure your organization doesn’t fall foul of them? 

This article provides a complete overview of HIPAA violations, explaining the mistakes that lead to non-compliance – and how you can avoid them. 

Expect to learn: 

  • How misuse of medical records put one healthcare professional in jail for four months 
  • How many violations the OCR has investigated since 2003 
  • How employee training impacts compliance and the likelihood of a breach 

What is HIPAA? 

The Health Insurance Portability and Accountability Act (HIPAA) is a set of US federal regulations designed to guarantee the security and privacy of all protected health information (PHI) and electronic PHI (ePHI). The regulation applies to all covered entities and business associates and is made up of three separate rules, each with its own extensive requirements. 

Why is Compliance Important? 

HIPAA is intended to protect patients, and compliance is primarily important because it keeps sensitive information safe. Compromised PHI can be used to target individuals with predatory marketing, steal patients’ identities to make fake medical claims, and a range of other malicious activities – all of which must be avoided at any cost. 

However, there are a range of other factors that covered entities and business associates should be aware of, such as: 

  • HIPAA Fines: Violations can lead to steep fines from the Office for Civil Rights (OCR). This article explains how such fines are determined, but the takeaway is simple: a single HIPAA violation can cost your organization upwards of $60,000. 
  • Related Costs: From patient lawsuits and attendant legal costs to extensive remediation requirements, HIPAA non-compliance can lead to a range of extra costs for organizations. 
  • Reputational Damage: The Department of Health and Human Services (HHS) published a “wall of shame” to help the public keep track of organizations that do not comply with HIPAA. This can have a significant impact on your patient enrollment and recruitment efforts. 
  • Legal Penalties: The worst cases of HIPAA non-compliance can lead to significant jail time, with a maximum 10-year sentence for the most egregious offenses. 

HIPAA Violation Examples 

Since 2003, the OCR has investigated over 350,000 HIPAA violations. While HIPAA requirements are notoriously complex and non-compliance can occur in numerous ways, the majority of violations occur in one of the following ways: 

Unauthorized Access or Disclosure of Patient Files 

The HIPAA Privacy and Security Rules declare that only individuals with official authorization can access PHI or ePHI. As a result, any unauthorized access or disclosure constitutes a serious violation of HIPAA and can lead to severe penalties for both the individual and the organization. 

This can often occur by accident, such as: 

  • An authorized individual accesses information beyond their authorization. For example, a physician might try to access historical data they are not privy to. 
  • An authorized individual speaks about PHI to an unauthorized individual. For example, a doctor may not realize their colleague is not legally allowed to know about a patient’s medical history – and asks them a question related to it. 
  • An organization accidentally sends PHI to the wrong email address. 

However, it can also be the result of “snooping,” where an individual intentionally accesses the medical records of a friend, family member, co-worker or celebrity without authorization. These cases are very common, with celebrities like George Clooney and Britney Spears representing some of the most high-profile examples. But they are also extremely costly for both the perpetrators and the healthcare organization in which the breach occurs. 

When employees at UCLA accessed Michael Jackson’s medical records in 2010, the organization was not only forced to fire them – it paid $95,000 in HIPAA fines. Equally, a hospital worker who pled guilty to accessing celebrity health information without authorization was sentenced to four months in federal prison. Such penalties don’t just apply to high-profile cases; one recent incident saw a group of security guards using their hospital logins to access patient information, leading to a $240,000 penalty for the hospital.  

Snooping is particularly dangerous because it is often wrongly considered a “victimless crime.” In a candid account of the snooping incident that cost them their job, one former medical professional says snooping “felt like clicking on Facebook to check the status of my friend.” 


Failure to Perform a Risk Analysis 

Covered entities must undertake regular security risk analysis (SRA) and privacy breach risk analysis (PBRA) to remain compliant – and failure to do so will constitute a serious violation. The HIPAA Security Rule stipulates two related requirements: 

  1. Risk Analysis: Covered entities must undertake “accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.” 
  2. Risk Management: Covered entities must “implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a).” 

While a lack of routine risk analysis may not be investigated on its own, it will constitute a violation in the event of a data breach. A recent example saw CardioNet fined $2.5 million for having insufficient risk analysis and risk management processes in place when an employee’s laptop containing ePHI was stolen. 

The takeaway is clear: your annual SRA is essential not only to protect patients’ PHI but also to maintain compliance and protect your organization from the most severe penalties in the case of a data breach. 

Improper Disposal of PHI 

The HIPAA Privacy and Security Rules lay out clear guidance on the safe disposal of PHI and ePHI: 

  • Paper Medical Records: These must be shredded, burned, pulped, or pulverized such that PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed. 
  • Prescription bottles: These must be placed in opaque bags in a secure area before being transferred to a disposal vendor to pick up and shred or otherwise destroy the PHI. 
  • Digital Data: ePHI can be disposed of through a few methods: 
      • Clearing: Using software or hardware products to overwrite media with non-sensitive data 
      • Purging: Degaussing or exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains 
      • Destruction: Disintegration, pulverization, melting, incinerating, or shredding of the physical media 

Failure to adhere to these requirements constitutes a HIPAA violation and can result in serious penalties. In one recent case, a dermatology practice disposed of specimen containers in a regular dumpster, leading to a fine of over $300,000. 

Sharing Patient Information Through Insecure Methods 

HIPAA has a range of requirements that limit how PHI and ePHI can be shared. For example, the HIPAA Security Rule’s technical safeguards include “transmission controls,” which require all ePHI to be safe and secure during any digital data transfer.  

As a result, any message containing PHI must be: 

  • Encrypted: Emails or text messages containing ePHI must be encrypted to prevent unauthorized access. 
  • Sent via a Secured Medium: The communication network used must be secured, either through encryption or other appropriate safeguards. 
  • Accurately Addressed: Sending PHI or ePHI to the wrong person leads to an instant HIPAA violation. 

This points us to the Minimum Necessary Rule: HIPAA requires covered entities to make reasonable efforts to limit the frequency and volume of PHI disclosures. In practice, this means your employees should not be regularly texting or sending emails that contain ePHI; they should only do so if it is absolutely necessary, such as when the patient cannot communicate through other means. 

How to Avoid HIPAA Violations: Proven Methods 

While HIPAA violations are a serious threat, there are a few steps you can take to reinforce your organization and ensure you are compliant: 

1. Focus on Employee Training 

Employee errors are among the most prevalent causes of HIPAA violations. From mishandling PHI to opening phishing emails, each of the violations discussed above is made far more likely by the widespread lack of proper cybersecurity training for healthcare professionals. In fact, a recent survey found that nearly a quarter of all staff had never had any security awareness training. 

As a result, most organizations can dramatically improve their security posture and reduce the likelihood of a data breach by investing in more training. One study found that basic IT training led to a 4.2x increase in proper reporting when staff received malicious emails; it also led to many actively offering solutions to increase compliance.  

2. Increase Risk Visibility 

Many healthcare organizations struggle to maintain HIPAA compliance because they lack an accurate view of their security posture, and cybersecurity gaps or risks may go under the radar. This tends to manifest differently, depending on your organization’s size: 

Small and Medium-Sized Organizations 

With limited resources and a lack of in-house expertise, many smaller entities struggle to regularly assess their security and privacy measures. There are several methods to resolve this issue: 

  • Assign Responsibility: The problem often comes down to a lack of clear roles. You need an individual or small team who will be accountable for undertaking your annual HIPAA SRA and PBRA. You can access a complete guide on how to do that here.   
  • Automated Guidance: Navigating your HIPAA requirements and completing a comprehensive assessment is stressful and confusing. However, with the right software, you can receive automated guidance to understand each step of the process and identify your HIPAA risks in 80% less time. 

Enterprise Organizations 

While larger healthcare organizations tend to have more resources at their disposal, they also tend to struggle with a patchwork of cybersecurity processes and systems that create a lot of friction. As a result, assessment data is fragmented and stored in multiple separate systems – meaning HIPAA risks are far harder to pin down or prioritize.  

The solution is an approach known as integrated risk management (IRM): Leverage a single, centralized hub for all cybersecurity and risk management data to gain full visibility of all sub-entities simultaneously. This makes it far easier to address the most flagrant instances of HIPAA non-compliance, as well as accelerate your annual SRA and PBRA. 

Take Control of Your HIPAA Compliance 

Worried about HIPAA violations but not sure how to deal with such complex requirements? 

Intraprise Health is a trusted partner to over 16,000 healthcare providers. With innovative software and expert-guided services, we will help you streamline, accelerate, and enhance your HIPAA program. 

About the Author

Scott Mattila, CSO, Intraprise Health

Scott Mattila is the Chief Security Officer at Intraprise Health. He has held leadership positions at some of the country’s most prestigious institutions, and is currently an adjunct professor and serves on the Dean's advisory board at Duquesne University's Rangos School of Health Science.