Article

What is a HIPAA violation? Examples and enforcement

Compliance
Time to read: 12 minutes

Definition of HIPAA violations

HIPAA violations result when someone fails to comply with the rules defined in the 1996 Federal Health Insurance Portability and Accountability Act (HIPAA). The rules focus on protecting patients’ protected health information (PHI).

There are a wide range of HIPAA violations that can occur when PHI is mishandled. HIPAA violations can be as simple as an employee losing a mobile device with access to PHI to misconfigured IT systems. The main HIPPA rules are:

  1. HIPAA Privacy Rule
    The HIPAA Privacy Rule protects individuals’ PHI and medical records, restricting how they can be used and disclosed without gaining a patient’s authorization. It also grants patients the right to access a copy of, inspect, and request corrections to their medical records.

    To avoid HIPAA violations, patients must be given access to the following forms related to the HIPAA Privacy Rule:
  2. HIPAA Security Rule
    The HIPAA Security Rule regulates the protection of electronic PHI. It defines the standards, methods, and procedures for how electronic PHI can be accessed, stored, and transmitted. There are three safeguard levels of security.

    1. HIPAA administrative safeguards make up more than half of the HIPAA Security Rule. The administrative safeguards define how security measures should be selected, developed, implemented, and maintained to protect electronic PHI from threats and vulnerabilities. This includes access controls, incident response, and security awareness training.

    2. HIPAA technical safeguards deal with the encryption and authentication methods used to have control over data access. The HIPAA technical safeguards specify what should be implemented to protect electronic PHI from unauthorized access.

    This includes systems for user verification and automatic log-off to prevent unauthorized access when devices are left unattended. The HIPAA technical safeguard specifies that encryption should be used to protect electronic PHI.

    3. HIPAA physical safeguards detail what protections are required for electronic systems, data, or equipment with electronic PHI. Risk assessment, analysis, and management protocols for hardware, software, and data transmission are covered under HIPPA physical safeguards. It also includes measures to protect buildings, equipment, and IT systems from unauthorized intrusion and natural and environmental issues (e.g., earthquakes or failure of HVAC systems).
  3. HIPAA Transaction Rule
    The HIPAA Transaction Rule establishes a set of codes to standardize the electronic exchange of PHI. The objective of this code is to ensure the accuracy, safety, and security of electronic PHI.
  4. HIPAA Identifiers Rule
    The HIPAA Identifiers Rule requires that electronic PHI transactions include three unique identifiers for covered entities:

    1. National Provider Identifier (NPI)—a 10-digit number used for covered healthcare providers
    2. National Health Plan Identifier (NHI)—an identifier used to identify health plans and payers under the Center for Medicare & Medicaid Services (CMS)
    3. Standard Unique Employer Identifier—an identifier for employer entities in HIPAA transactions that is comparable to the federal Employer Identification Number (EIN)
  5. HIPAA Enforcement Rule
    The HIPAA Enforcement Rule covers five key areas related to HIPAA violations:
  6. HIPAA Breach Reporting Rule
    The HIPAA Breach Notification Rule requires notification of data breaches, if PHI has been compromised. In this case, patients and the U.S. Department of Health and Human Services (HHS) must be notified. Failure to do so will result in a HIPAA violation.
  7. Authorization for Use or Disclosure Form
  8. Notice of Privacy Practices (NPP) Form
  9. Privacy Complaint Form
  10. Request for Accounting Disclosures Form
  11. Request for Restriction of Patient Health Care Information
  12. Request of Access to Protected Health Information (PHI)
  13. Application of HIPAA security and privacy requirements
  14. Mandatory federal privacy and security breach reporting requirements
  15. Privacy requirements, accounting disclosure requirements, and restrictions on sales and marketing
  16. Criminal and civil penalties, as well as methods for addressing HIPAA violations
  17. Stipulation that all new security requirements must be included in all Business Associate contracts

These far-reaching HIPAA rules apply to nearly anyone who works with PHI. This means most people who work with or around PHI could be responsible for HIPAA violations. These include:

  1. Business associates of covered entities, such as volunteers, interns, contractors, and trainees
  2. Employees
  3. Health care clearinghouses
  4. Health plans
  5. Healthcare providers
  6. Hospital staff
  7. Insurance providers, agents, and brokers
  8. Lab employees
  9. Medicare prescription drug card sponsors
  10. Pharmacy employees

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for enforcing HIPAA rules and responding to HIPAA violations. This includes:

  1. Investigating HIPAA violation complaints
  2. Conducting reviews to determine if covered entities are in compliance and identifying any violations
  3. Performing education and outreach to foster compliance with the rules’ requirements and reduce violations

According to the OCR, the three most common HIPAA violations are:
1. Impermissible uses and disclosures of PHI
2. Insufficient safeguards to ensure the confidentiality, integrity, and availability of PHI
3. Lack of patient access to PHI

Additional HIPAA violations include:

  1. Failure to conduct a risk analysis
  2. Failure to document compliance efforts
  3. Failure to encrypt PHI
  4. Failure to enter into a HIPAA-compliant Business Associate Agreement before sharing PHI
  5. Failure to implement access controls to limit who can view PHI
  6. Failure to maintain and monitor PHI access logs
  7. Failure to manage risks to the confidentiality, integrity, and availability of PHI
  8. Failure to notify an individual (or the OCR) of a security incident involving PHI within sixty days of the discovery of a breach
  9. Failure to provide HIPAA compliance and security awareness training
  10. Failure to provide patients with an accounting of disclosures on request
  11. Failure to terminate access rights to PHI when no longer required
  12. Improper disposal of PHI
  13. Improper use of PHI for marketing purposes
  14. Sharing of PHI online or via social media without permission
  15. Theft of patient records
  16. Unauthorized release of PHI to individuals not authorized to receive the information

Examples of common HIPAA violations

Disclosing incorrect patient information
Any sharing of inaccurate information about a patient, even accidentally, is a HIPAA violation.

Discussions about patients’ PHI in a public setting
People create HIPAA violations when they discuss a patient’s health matters within earshot of someone not connected to the treatment.

Failing to perform an organization-wide risk analysis
To avoid HIPAA violations, organizations must analyze risks to gain insight into vulnerabilities. The HIPAA Security Rule details what should be covered in the risk analysis.

Neglecting to include security requirements in contracts
HIPAA violations can result from failing to include HIPAA security requirements in contracts with vendors and partners.

Improper disposal of PHI
Digital and physical PHI must be appropriately disposed of, or organizations can be at risk for HIPAA violations. Improper disposal of PHI can range from failing to shred papers before putting them in the trash to not permanently deleting records from digital devices.

Insufficient safeguards for digital devices that might be stolen
Any digital device can be stolen, but the smaller ones put organizations at enhanced risk, because they are so easy to take.

All devices, from computers and laptops to handheld devices and USB drives, should be protected with precautions taken to ensure that PHI is inaccessible.

HIPAA violations related to lost and stolen devices result when these devices lack encryption and robust access controls.

Lack of HIPAA compliance training
Compliance training is required, along with documentation about the training. Failing to provide compliance training or being unable to show acceptable documentation is a common cause of HIPAA violations.

Mishandling medical records
User error that results in the mishandling of medical records often leads to HIPAA violations. This can be as simple as leaving paper records sitting on a desk or leaving a monitor screen open to a view of PHI and leaving it unattended.

Poor preparation for cyber attacks
Cyber attacks are to be expected; HIPAA violations can occur when organizations fail to take the threats seriously. A lack of systems and processes leaves PHI at heightened risk of unauthorized access.

Sharing PHI without authorization
Failing to get written consent to share PHI is one of the more common HIPAA violations.

Transferring PHI without using encryption
Transmitting PHI via any unencrypted channel can create HIPAA violations.

How HIPAA violations are discovered

Many HIPAA violations are discovered through internal and third-party audits. Other HIPAA violations are reported by an employee or partner who becomes aware of an infraction. State and federal agencies also conduct spot checks and compliance investigations that uncover HIPAA violations.

An OCR audit pool investigates organizations based on random selection, pre-screening questionnaires, and pool selection, as well as in response to a complaint. State attorneys general also have the power to investigate HIPAA violations related to data breaches. These investigations are commonly instigated when complaints are filed about potential HIPAA violations and when reports of PHI being compromised in a data breach.

How to avoid HIPAA violations

Widely accepted best practices for avoiding HIPAA violations include:

  1. Check authorization records before disclosing PHI
  2. Destroy PHI when it is no longer needed
  3. Do not leave physical files or devices with PHI unattended
  4. Enforce the practice of only discussing PHI in private settings
  5. Include HIPAA security requirements in all contracts
  6. Keep track of where PHI is stored, who has access to it, and what systems are in place to protect it
  7. Protect systems that hold PHI with strict access controls
  8. Regularly perform a risk analysis
  9. Restrict the transmission of PHI to encrypted channels
  10. Train employees and document the training

Civil HIPAA violations and enforcement

The OCR usually prefers remediation mandates over punitive measures when responding to HIPAA violations. However, for more significant issues, penalties for HIPAA violations are civil disciplinary actions, except in the cases where they are deemed serious enough to be criminal.

The four tiers of HIPAA violations and related penalties for civil cases are as follows.

  1. Tier one civil HIPAA violations
    The people or organizations are not aware that they have committed HIPAA violations and could not reasonably be expected to know about or prevent it. In addition, they are taking meaningful steps to ensure HIPAA compliance. Referred to as the Unknowing Penalty range, these violations can incur fines of $100 to $50,000 per violation, with an annual maximum of $25,000 for repeat violations.
  2. Tier two civil HIPAA violations
    The people or organizations knew about the HIPAA violations or should have known about the offenses, but could not have avoided them. Additionally, they are taking sufficient steps to remediate the violations. Referred to as the Reasonable Cause Penalty range, these violations result in fines ranging from $1,000 to $50,000 per violation, with an annual maximum of $100,000 for repeat violations.
  3. Tier three civil HIPAA violations
    The people or organizations show willful neglect of the HIPAA Rules. However, they have corrected the HIPAA violations and mitigated the impact within thirty days of discovery. Referred to as the Willful Neglect penalty range, these files can range from $10,000 to $50,000 per violation, with an annual maximum of $250,000 for repeat violations.
  4. Tier four civil HIPAA violations
    The people or organizations show willful neglect of the HIPAA Rules and have made no effort to correct the issues or mitigate the effects within thirty days of discovery. Referred to as the Willful Neglect with No Attempt to Correct Penalty range, these HIPAA violations start at $50,000 per violation, with an annual maximum of $1.5 million.

Criminal HIPAA violations and enforcement

A HIPAA violation can be criminal under the Social Security Act. HIPAA violations that would be considered felony offenses include the deliberate and wrongful disclosure of PHI for:

  1. Commercial advantage
  2. Malicious harm
  3. Monetary gain
  4. Personal gain

Most of these types of HIPAA violations are handled by the Department of Justice, which is authorized to impose fines and penalties based on the severity of the crime.

  1. Tier one criminal HIPAA violations
    Someone who knowingly obtains or discloses PHI can face fines of up to $50,000 and up to one year in prison.
  2. Tier two criminal HIPAA violations
    HIPAA violations committed under false pretenses carry fines of up to $100,000 and up to five years in prison.
  3. Tier three criminal HIPAA violations
    If someone fraudulently obtains PHI with the intent to sell, transfer, or use it for commercial advantage, malicious harm, or personal gain, they can face fines of up to $250,000 and up to 10 years in prison.

Respect for HIPAA helps avoid violations

Without a doubt, staying clear of HIPAA violations takes a significant investment of time and other scarce resources. However, the consequences of HIPAA violations are serious. In addition to the penalties, organizations can face serious reputational damage. Avoiding HIPAA violations provides not only the peace of mind that accompanies compliance, but an overall improvement to security and privacy systems and processes.

Smart, scalable, seamless identity security

Trusted by 48% of the Fortune 500

Mark and Sumit

S1 : E2

Identity Matters with Sumit Dhawan, Proofpoint CEO

Join Mark McClain and Sumit Dhawan to understand the future of cybersecurity and how security teams can support CISO customers in the midst of uncertainty.

Play podcast
Mark and Ron

S1 : E1

Identity Matters with Ron Green, cybersecurity fellow at Mastercard

Join Mark McClain and Ron Green to understand the future of cybersecurity and the critical role identity security plays in safeguarding our digital world.

Play podcast
Dynamic Access Roles

Dynamic Access Roles

Build the next generation role and access model with dramatically fewer role and flexibility

View the solution brief