Common HIPAA Violation Examples: Avoiding Compliance Mistakes

Few phrases fill healthcare professionals with more anxiety than “HIPAA violation.” From public disgrace to seven-figure fines, the last few years have shown just how serious non-compliance can be for organizations and individuals – and given us plenty of examples of what a HIPAA violation looks like.

But what are the most common forms of non-compliance? And how can you ensure your organization doesn’t fall foul of them? 

This article provides a complete overview of HIPAA violations, explaining the mistakes that lead to non-compliance – and how you can avoid them. 

Expect to learn: 

  • How misuse of medical records put one healthcare professional in jail for four months 
  • How many violations the OCR has investigated since 2003 
  • How employee training impacts compliance and the likelihood of a breach 

What is HIPAA? 

The Health Insurance Portability and Accountability Act (HIPAA) is a set of US federal regulations designed to safeguard the privacy and security of all protected health information (PHI) and electronic PHI (ePHI). The regulation applies to all covered entities and business associates and is made up of three separate rules, each with its own extensive requirements. 

Why is Compliance Important? 

HIPAA is intended to protect patients, and compliance is primarily important because it keeps sensitive information safe. Compromised PHI can be used to target individuals with predatory marketing, steal patients’ identities to make fake medical claims, and a range of other malicious activities – all of which must be avoided at any cost. 

However, there are a range of other factors that covered entities and business associates should be aware of, such as: 

  • HIPAA Fines: Violations can lead to steep fines from the Office for Civil Rights (OCR). This article explains how such fines are determined, but the takeaway is simple: a single HIPAA violation can cost your organization upwards of $60,000. 
  • Related Costs: From patient lawsuits and attendant legal costs to extensive remediation requirements, HIPAA non-compliance can lead to a range of extra costs for organizations. 
  • Reputational Damage: The Department of Health and Human Services (HHS) published a “wall of shame” to help the public keep track of organizations that do not comply with HIPAA. This can have a significant impact on your patient enrollment and recruitment efforts. 
  • Legal Penalties: The worst cases of HIPAA non-compliance can lead to significant jail time, with a maximum 10-year sentence for the most egregious offenses. 

HIPAA Violation Examples 

Since 2003, the OCR has investigated over 350,000 HIPAA violations. While HIPAA requirements are notoriously complex and non-compliance can occur in numerous ways, the majority of violations occur in one of the following ways: 

Unauthorized Access or Disclosure of Patient Files 

The HIPAA Privacy and Security Rules stipulate that only individuals with official authorization may access PHI or ePHI. As a result, any unauthorized access or disclosure constitutes a serious violation of HIPAA and can lead to severe penalties for both the individual and the organization. 

This can often occur by accident, such as: 

  • An authorized individual accesses information beyond their authorization. For example, a physician might try to access historical data they are not privy to. 
  • An authorized individual speaks about PHI to an unauthorized individual. For example, a doctor may not realize their colleague is not legally allowed to know about a patient’s medical history – and asks them a question related to it. 
  • An organization accidentally sends PHI to the wrong email address. 

Employee Snooping 

Unauthorized access can often be the result of “snooping,” where an individual intentionally accesses the medical records of a friend, family member, co-worker or celebrity without authorization. These cases are very common, with celebrities like George Clooney and Britney Spears representing some of the most high-profile examples. But they are also extremely costly for both the perpetrators and the healthcare organization in which the breach occurs. 

When employees at UCLA accessed Michael Jackson’s medical records in 2010, the organization was not only forced to fire them – it paid $95,000 in HIPAA fines. Equally, a hospital worker who pled guilty to accessing celebrity health information without authorization was sentenced to four months in federal prison. Such penalties don’t just apply to high-profile cases; one recent incident saw a group of security guards using their hospital logins to access patient information, leading to a $240,000 penalty for the hospital.  

Snooping is particularly dangerous because it is often wrongly considered a “victimless crime.” In a candid account of the snooping incident that cost them their job, one former medical professional says snooping “felt like clicking on Facebook to check the status of my friend.” 

Failure to Perform a Risk Analysis 

Covered entities must undertake regular security risk analysis (SRA) and privacy breach risk analysis (PBRA) to remain compliant – and failure to do so will constitute a serious violation. The HIPAA Security Rule stipulates two related requirements: 

  1. Risk Analysis: Covered entities must undertake “accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.” 
  2. Risk Management: Covered entities must “implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a).” 

While a lack of routine risk analysis may not be investigated on its own, it will constitute a violation in the event of a data breach. A recent example saw CardioNet fined $2.5 million for having “insufficient risk analysis and risk management processes in place” when an employee’s laptop containing ePHI was stolen. 

The takeaway is clear: your annual SRA is essential not only to protect patients’ PHI but also to maintain compliance and protect your organization from the most severe penalties in the case of a data breach. 

Improper Disposal of PHI 

The HIPAA Privacy and Security Rules lay out clear guidance on the safe disposal of PHI and ePHI: 

  • Paper Medical Records: These must be shredded, burned, pulped, or pulverized such that PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed. 
  • Prescription bottles: These must be placed in opaque bags in a secure area before being transferred to a disposal vendor to pick up and shred or otherwise destroy the PHI. 
  • Digital Data: ePHI can be disposed of through a few methods: 
      • Clearing: Using software or hardware products to overwrite media with non-sensitive data 
      • Purging: Degaussing or exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains 
      • Destruction: Disintegration, pulverization, melting, incinerating, or shredding of the physical media 

Failure to adhere to these requirements constitutes a HIPAA violation and can result in serious penalties. In one recent case, a dermatology practice disposed of specimen containers in a regular dumpster, leading to a fine of over $300,000. 

Improper Disposal of Electronic Devices Containing PHI 

When medical facilities upgrade their electronic systems, they must ensure that all PHI is securely erased from old devices before disposal. Hard drives, fax machines, and copier memory can store patient information and pose a risk if not properly wiped. 

For example, a healthcare provider may sell an old copier without realizing that its internal hard drive contains thousands of scanned patient records. The new owner could then access the stored data, leading to a major data breach. In this case, the healthcare provider may be fined for failure to properly dispose of PHI. 

Sharing Patient Information Through Insecure Methods 

HIPAA has a range of requirements that limit how PHI and ePHI can be shared. For example, the HIPAA Security Rule’s technical safeguards include “transmission controls,” which require all ePHI to be protected against unauthorized access during any digital data transfer. 

As a result, any message containing PHI must be: 

  • Encrypted: Emails or text messages containing ePHI must be encrypted to prevent unauthorized access. 
  • Sent via a Secured Medium: The communication network used must be secured, either through encryption or other appropriate safeguards. 
  • Accurately Addressed: Sending PHI or ePHI to the wrong person leads to an instant HIPAA violation. 

This points us to the Minimum Necessary Rule: HIPAA requires covered entities to make reasonable efforts to limit the frequency and volume of PHI disclosures. In practice, this means your employees should not be regularly texting or sending emails that contain ePHI; they should only do so if it is absolutely necessary, such as when the patient cannot communicate through other means. 

Lost or Stolen Devices Containing PHI 

Widespread use of mobile devices in healthcare settings has created concerns around safeguarding patient data. Laptops, smartphones, tablets, and USB drives containing unencrypted PHI are common targets for theft and can easily be misplaced. If such a device is lost or stolen and the PHI on it is not encrypted, it can be accessed by unauthorized individuals – leading to a significant HIPAA violation. 

Imagine a hospital administrator who frequently works remotely and stores patient records on their work-issued laptop. One evening, they leave the laptop in their car while running errands, and the vehicle is broken into. Since the laptop is not encrypted or protected with strong authentication measures, patient information is now at risk. The healthcare organization may face penalties for failing to secure PHI on mobile devices. 

Failure to Maintain Business Associate Agreements (BAAs)

HIPAA requires covered entities (such as hospitals, clinics, and insurers) to enter into Business Associate Agreements (BAAs) with third-party vendors that process PHI on their behalf. These agreements outline the vendor’s responsibility to protect PHI and comply with HIPAA regulations. Failure to establish a BAA can leave patient data unprotected and make both parties liable for compliance breaches. 

For example, a dental clinic hires a third-party IT firm to manage its patient database and billing software but does not sign a BAA with them. When the IT firm experiences a data breach that exposes PHI, the clinic is held responsible for failing to secure a compliance agreement with the vendor. 

Discussing Patient Information in Public Areas

Healthcare professionals often discuss patient care throughout the day, but these conversations must be conducted in secure, private settings – and between authorized individuals. Discussing PHI in public areas—such as hospital cafeterias, elevators, or waiting rooms—risks unauthorized disclosure and violates HIPAA’s privacy regulations. 

Nurses may need to discuss a patient’s upcoming surgery, but doing so while riding in a crowded elevator can lead to a violation. Unbeknownst to them, a visitor in the elevator may be a relative of the patient, who later files a complaint about their private health information being disclosed in an unsecured environment. The hospital would then be forced to address the violation and reinforce staff training. 

Inadequate Access Controls for Electronic Health Records (EHRs)

Healthcare organizations must implement strict access controls to ensure that only authorized personnel can view or modify electronic health records (EHRs). Failure to restrict access based on job role increases the risk of unauthorized access to PHI. 

For example, a lack of proper access restrictions may allow the receptionist to view detailed medical histories of all patients – even though their job only requires them to verify appointment details. If an audit reveals that multiple non-clinical employees accessed patient records without a legitimate need, the hospital could face penalties for non-compliance. 
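As an added example (not code from the original article), the following audit-log review applies the role-scoped access described above and also flags the snooping patterns discussed earlier: reads outside a role's job need, reads of a co-worker's record, and reads of records placed under mandatory review. The roles, resource names, patient ids and log entries are all constructed for illustration.

```python
from collections import namedtuple

AccessEvent = namedtuple("AccessEvent", "user role patient_id resource")

# Hypothetical role-to-resource map: each role may read only what its job needs
# (the "minimum necessary" idea). Unknown roles get an empty set, so they fail closed.
ROLE_SCOPE = {
    "receptionist": {"demographics", "appointments"},
    "billing": {"demographics", "claims"},
    "physician": {"demographics", "appointments", "claims", "clinical_notes", "history"},
    "security_guard": set(),  # no PHI access at all
}

def is_out_of_scope(event):
    """True when the accessed resource is not permitted for the user's role."""
    return event.resource not in ROLE_SCOPE.get(event.role, set())

def review_log(events, staff_patient_ids, flagged_patient_ids):
    """Return a list of (event, reasons) that a privacy officer should review.

    staff_patient_ids:   patient ids belonging to employees (co-worker snooping check)
    flagged_patient_ids: records under mandatory review (e.g. high-profile patients)
    """
    findings = []
    for ev in events:
        reasons = []
        if is_out_of_scope(ev):
            reasons.append("resource outside role scope")
        if ev.patient_id in staff_patient_ids:
            reasons.append("record belongs to a co-worker")
        if ev.patient_id in flagged_patient_ids:
            reasons.append("access to a flagged record")
        if reasons:
            findings.append((ev, reasons))
    return findings

# Constructed sample audit log; none of these users or ids are real.
SAMPLE_LOG = [
    AccessEvent("rsmith", "receptionist", "P1001", "appointments"),      # normal
    AccessEvent("rsmith", "receptionist", "P1001", "history"),           # beyond job need
    AccessEvent("guard01", "security_guard", "P2002", "clinical_notes"), # no PHI role
    AccessEvent("dr_lee", "physician", "P3003", "clinical_notes"),       # normal
    AccessEvent("dr_lee", "physician", "P9999", "history"),              # flagged record
    AccessEvent("jdoe", "billing", "P4004", "claims"),                   # co-worker's record
]
STAFF_PATIENT_IDS = {"P4004"}
FLAGGED_PATIENT_IDS = {"P9999"}

if __name__ == "__main__":
    for ev, reasons in review_log(SAMPLE_LOG, STAFF_PATIENT_IDS, FLAGGED_PATIENT_IDS):
        print(f"{ev.user:8} {ev.role:15} {ev.patient_id} {ev.resource:15} -> {', '.join(reasons)}")
```

In a real deployment the role map would come from the HR or identity system and the log from the EHR's audit trail; the review output feeds the human investigation, it does not replace it.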
Delayed Breach Notification

The HIPAA Breach Notification Rule requires covered entities to notify affected individuals, the U.S. Department of Health and Human Services (HHS), and in some cases, the media within 60 days of discovering a breach that affects 500 or more individuals. Failure to comply with this rule can result in severe penalties. 

Sharing PHI on Social Media Without Consent

HIPAA strictly prohibits sharing patient information on social media without explicit written consent, even if a patient’s name is not mentioned. Posting photos, videos, or descriptions that could identify a patient constitutes a violation. 

A common example: a nurse shares a photo on Instagram of a hospital’s trauma unit, unaware that a patient’s name is visible on a whiteboard in the background. The image is later flagged by hospital administrators, and the employee faces disciplinary action for breaching HIPAA regulations. The hospital may also be held responsible for inadequate social media training. 

How to Avoid HIPAA Violations: Proven Methods 

While HIPAA violations are a serious threat, there are a few steps you can take to reinforce your organization and ensure you are compliant: 

1. Focus on Employee Training 

Employee errors are among the most prevalent causes of HIPAA violations. From mishandling PHI to opening phishing emails, each of the violations discussed above is made far more likely by the widespread lack of proper cybersecurity training for healthcare professionals. In fact, a recent survey found that nearly a quarter of all staff had never had any security awareness training. 

As a result, most organizations can dramatically improve their security posture and reduce the likelihood of a data breach by investing in more training. One study found that basic IT training led to a 4.2x increase in proper reporting when staff received malicious emails; it also led to many actively offering solutions to increase compliance.  

2. Increase Risk Visibility 

Many healthcare organizations struggle to maintain HIPAA compliance because they lack an accurate view of their security posture, and cybersecurity gaps or risks may go under the radar. This tends to manifest differently, depending on your organization’s size: 

Small and Medium-Sized Organizations 

With limited resources and a lack of in-house expertise, many smaller entities struggle to regularly assess their security and privacy measures. There are several methods to resolve this issue: 

  • Assign Responsibility: The problem often comes down to a lack of clear roles. You need an individual or small team who will be accountable for undertaking your annual HIPAA SRA and PBRA. You can access a complete guide on how to do that here.   
  • Automated Guidance: Navigating your HIPAA requirements and completing a comprehensive assessment is stressful and confusing. However, with the right software, you can receive automated guidance to understand each step of the process and identify your HIPAA risks in 80% less time. 

Enterprise Organizations 

While larger healthcare organizations tend to have more resources at their disposal, they also tend to struggle with a patchwork of cybersecurity processes and systems that create a lot of friction. As a result, assessment data is fragmented and stored in multiple separate systems – meaning HIPAA risks are far harder to pin down or prioritize.  

The solution is an approach known as integrated risk management (IRM): Leverage a single, centralized hub for all cybersecurity and risk management data to gain full visibility of all sub-entities simultaneously. This makes it far easier to address the most flagrant instances of HIPAA non-compliance, as well as accelerate your annual SRA and PBRA. 

Take Control of Your HIPAA Compliance 

Worried about HIPAA violations but not sure how to deal with such complex requirements? 

Intraprise Health is a trusted partner to over 16,000 healthcare providers. With innovative software and expert-guided services, we will help you streamline, accelerate, and enhance your HIPAA program. 

About the Author

Scott Mattila, CSO, Intraprise Health

Scott Mattila is the Chief Security Officer at Intraprise Health. He has held leadership positions at some of the country’s most prestigious institutions, and is currently an adjunct professor and serves on the Dean's advisory board at Duquesne University's Rangos School of Health Science.