The Most Common HIPAA Violations: A Guide for Healthcare Leaders


American healthcare organizations spend up to $120,000 every year on HIPAA compliance. But many leaders worry they are not focusing that budget on the right factors – and therefore may end up with a costly HIPAA violation. 

What are the most common ways healthcare organizations violate these rules? What are the consequences for a breach? And how can your organization ensure you remain compliant? 

This article answers those questions and provides a clear guide for healthcare leaders that want to finally get rid of their “HIPAA headaches.” 

HIPAA Violations: An Executive Overview 

Before we dive into the details of HIPAA violations, we need to establish our basic terms: 

What is a HIPAA Violation? 

A HIPAA violation refers to any failure to comply with the HIPAA Privacy, Security, or Breach Notification Rules. This could occur in a few ways: 

  • Unauthorized Data Access: If a patient’s medical record or other protected health information (PHI) is accessed without official authorization – regardless of the intention – it will be in violation of the HIPAA Privacy Rule. 
  • Lack of Safeguards: If an organization is found to have improper or incomplete administrative, physical, or technical safeguards in place to protect PHI as the Privacy and Security Rules require, it can be deemed in de facto violation even if no data has actually been exposed.  
  • Failure to Follow Protocols: From notifying the Department of Health and Human Services (HHS) of a data breach to improper disposal of equipment containing PHI, any failure to follow official HIPAA protocols will be considered a violation.  

Important to note: Whether a violation has occurred does not depend on the intention of the violator. Intentional, malicious violations attract more severe penalties, but accidental and even arguably unavoidable failures to follow the HIPAA Rules are still violations. 

The Consequences: What Happens if You Violate HIPAA? 

A HIPAA violation can result in several different punishments: 

  • Fines: Healthcare organizations can be dealt hefty civil fines for violating the Rules. The statutory schedule tops out at $50,000 per violation for the most serious tier (figures are adjusted for inflation each year), and identical violations are capped per calendar year, so a single systemic failure repeated across many records can still reach seven figures. 
  • Reputational Harm: HHS publishes a breach portal, widely known as the “wall of shame,” that lists every reported breach affecting 500 or more individuals, together with the organization’s name and the breach type. 
  • Legal Action: Particularly egregious HIPAA violations can result in criminal consequences for the individuals responsible, with a maximum of ten years’ imprisonment where PHI is obtained or disclosed with intent to sell it or to use it for commercial advantage, personal gain, or malicious harm. Criminal liability attaches to knowingly obtaining or disclosing PHI in violation of HIPAA; failing to report a breach affecting 500 or more individuals to HHS is a violation of the Breach Notification Rule and is handled through civil penalties. 

Notably, recent years have seen an increase in the number of reported violations that result in penalties, suggesting that enforcement is on the rise and that violations are becoming more costly. 

Who Handles HIPAA Violation Penalties? 

Responsibility for managing, adjudicating, and resolving HIPAA violations may be shared among a few different parties: 

  • Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS): This is the primary agency responsible for enforcing the HIPAA Privacy, Security, and Breach Notification Rules. The OCR investigates complaints, conducts compliance reviews, and can impose civil penalties on covered entities and business associates for non-compliance. They also ensure corrective actions are taken to resolve the violations. 
  • State Attorneys General: State attorneys general have the authority to bring civil actions on behalf of state residents for HIPAA violations. They can impose penalties and seek damages for violations that affect individuals within their states. 
  • Department of Justice (DOJ): The DOJ handles criminal violations of HIPAA, which may include cases of intentional misuse or theft of protected health information (PHI). Criminal penalties, including fines and imprisonment, can be imposed for knowingly violating HIPAA rules. 
  • Covered Entities and Business Associates: Covered entities and business associates are also responsible for handling HIPAA violations internally. They are required to investigate and address breaches of PHI, notify affected individuals, and take corrective actions to prevent future violations. 

The Four HIPAA Penalty Tiers 

Civil penalties for HIPAA violations are split into four “tiers” based on how culpable the organization was for the problem:  

  • Tier 1: You did not know about the violation, and exercising reasonable diligence would not have revealed that the HIPAA Rules had been violated.   
  • Tier 2: The violation had a reasonable cause and was not due to willful neglect, but you could reasonably have been expected to discover it through due diligence.   
  • Tier 3: You are deemed to have willfully neglected the HIPAA Rules, but the problem was corrected within 30 days of discovery.  
  • Tier 4: You willfully neglected the HIPAA Rules and made no effort to correct the problem within 30 days of discovery. 

Higher tiers carry larger fines and are more likely to result in legal action. This is important to keep in mind when we look at specific examples of HIPAA violations: the same incident, such as a lost device, could be classed as Tier 2, 3, or 4 depending on the level of due diligence beforehand and the speed of your response afterwards. 


The Five Most Common Causes of a HIPAA Breach 

1. Devices Containing PHI 

One of the biggest HIPAA compliance risks today is devices that store patient health information: desktop computers, laptops, tablets, and smartphones. Any time one of these devices falls into the wrong hands, whether it is lost, stolen, or improperly discarded, the PHI on it is presumed breached unless it was encrypted in line with HHS guidance.  

This applies to work devices and to personal devices if staff use them to access PHI. Mobile devices are the most vulnerable to theft and misplacement because of their small size and portability. 

Issues with devices have become increasingly common as healthcare organizations have increased the number of digital touchpoints they use. In fact, the last decade saw over 800 device loss or theft incidents reported. 

How to Prevent a HIPAA Violation 

Keep a watchful eye on your devices and lock them up when you are not around. Protect the data on them with full-disk encryption, and keep PHI off endpoints where you can by accessing it through a cloud-hosted system rather than storing local copies. 95% of identity theft comes from stolen medical information, so exposing devices to cybercriminals can lead to a significant breach of patient trust and result in millions of dollars in fines.  

Encryption will not reduce the cost of replacing the device or the time needed to rebuild the user’s system, but it changes the regulatory outcome: PHI encrypted consistent with HHS guidance is not “unsecured PHI,” so losing the device is not a reportable breach and does not trigger notification to HHS or to the affected patients. The caveat is that the encryption key must not be compromised along with the device; a laptop with the passphrase on a sticky note, or a phone with no screen lock, gets no safe harbor.

2. System Infiltration (Hacking)

Healthcare network servers have been hacked at a growing rate over the last few years, and the numbers continue to rise. In 2021, 50 million individuals were affected by a healthcare data breach, roughly 15% of the US population at the time. The problem has grown alongside telemedicine, cloud storage, and digital patient communication, each of which adds systems that hold PHI.  

These servers hold PHI for hundreds to millions of patients, so when attackers, who are only getting better at what they do, gain access, they leak the information or sell it to the highest bidder. The records typically include Social Security numbers, birth dates, addresses, and insurance information, which is exactly what is needed for medical and financial identity theft. 

How to Prevent a HIPAA Violation 

Use a HIPAA compliance software tool to assist you with regular privacy and breach compliance checks. Automate reminders to rotate encryption keys and certificates, and build a robust incident response plan with your IT team so that a suspected intrusion is contained, investigated, and assessed for notification within the required timelines. Take the security measures that actually stop the common intrusion paths: encryption of PHI at rest and in transit, multi-factor authentication on remote access and email, prompt patching of internet-facing systems, email filtering to catch phishing, and endpoint protection and network monitoring to detect malware. 

47% of healthcare data breaches come from hackers, and it is the responsibility of covered entities and business associates to put these safeguards in place. If a hacking incident occurs, the Office for Civil Rights (OCR) will ask for proof that the entity performed a Security Rule risk analysis and implemented the safeguards it identified, so organizations need documentation of year-round compliance, not a once-a-year checklist. 

3. Employee Breaches

In 2021, employees were responsible for 39% of healthcare breaches, compared to 18% in other industries. This can occur in two different ways: 

  • Accidental Unauthorized Access 

The HIPAA Security Rule requires physical, technical, and administrative safeguards to ensure employees can only access the PHI they are authorized to see. But preventative measures such as restricting PHI to specific devices or assigning role-based access levels are not always effective. An employee could open a chart they have no need to see, or use a colleague’s unlocked workstation, and even with no bad intent this still constitutes a HIPAA violation. 

  • Intentional Unauthorized Access 

Some employees will actively seek out PHI they are not authorized to view for personal reasons. Most commonly this means snooping on celebrities or on people they know. Staff may do this out of curiosity, out of spite, or because a friend or relative asked them to. Whatever the excuse, it is unethical, and it continues to happen.  

The problem is amplified when accounts are shared between physicians and their staff. Staff who log in under the physician’s user account assume they will not be held accountable for what they look at, and the audit trail cannot tell the difference.  

How to Prevent a HIPAA Violation 

The first step in preventing staff misconduct is to hire only after thorough background checks, but even the most carefully vetted employees can mishandle patient information. To avoid violations, implement policies and procedures backed by annual HIPAA Security training: enforce unique user IDs for every person (a required implementation specification of the Security Rule), prohibit account sharing, assign access by role, enable audit logging on every system that holds PHI and actually review it, and apply a documented sanction policy so that staff know unauthorized access will be detected and punished.
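The snooping and shared-account patterns described above only get caught if someone looks at the access logs. The following script is an added example, not code from the original article or from HIPAA One. It runs three simple heuristics over a constructed EHR access audit log: a user opening the chart of a patient with the same surname and no recorded treatment relationship (family snooping), any access to a chart marked restricted without a relationship (VIP or employee-as-patient records), and one account active from two different workstations within a short window (a sign the credentials are being shared). The log format, field names, and every log line are made up for illustration; a real EHR exports a different schema, and the output is a list of leads for a privacy officer to review, not proof of wrongdoing.

```python
"""Flag insider-snooping indicators in an EHR access audit log.

Added example (not from the original article or from HIPAA One). The pipe-
delimited format below is assumed for illustration; real EHR audit exports
differ. Fields: timestamp|user|user_surname|workstation|patient_id|
patient_surname|relationship|restricted
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Two accesses are innocent, three should be flagged,
# and kpatel's second line shows a same-surname access that is NOT flagged
# because a treating relationship is recorded.
SAMPLE_LOG = """\
2024-03-04T09:01:12|jsmith|Smith|WS-ER-01|P1001|Garcia|treating|no
2024-03-04T09:04:45|jsmith|Smith|WS-ER-01|P1002|Smith|none|no
2024-03-04T09:05:10|drlee|Lee|WS-ICU-03|P2001|Nguyen|treating|no
2024-03-04T09:06:02|drlee|Lee|WS-ER-07|P2002|Okafor|treating|no
2024-03-04T11:30:00|kpatel|Patel|WS-REG-02|P3001|Anderson|none|yes
2024-03-04T11:31:15|kpatel|Patel|WS-REG-02|P3002|Patel|treating|no
"""

# Two workstations used by one account within this window is treated as a
# shared-account indicator. Tune to how fast staff realistically move.
SHARED_ACCOUNT_WINDOW = timedelta(minutes=5)


def parse_log(text):
    """Parse pipe-delimited audit lines into dicts; skips blanks and comments."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, user, user_sn, ws, pid, pat_sn, rel, restricted = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "user_surname": user_sn.strip().lower(),
            "workstation": ws,
            "patient_id": pid,
            "patient_surname": pat_sn.strip().lower(),
            "relationship": rel,
            "restricted": restricted == "yes",
        })
    return events


def find_snooping(events, window=SHARED_ACCOUNT_WINDOW):
    """Return (rule, user, detail) tuples for accesses that warrant review."""
    findings = []

    # Per-access rules: same surname or restricted chart, no relationship.
    for e in events:
        no_relationship = e["relationship"] == "none"
        if no_relationship and e["user_surname"] == e["patient_surname"]:
            findings.append(("same_surname_no_relationship",
                             e["user"], e["patient_id"]))
        if no_relationship and e["restricted"]:
            findings.append(("restricted_record_no_relationship",
                             e["user"], e["patient_id"]))

    # Cross-access rule: one account, two workstations, short interval.
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        evs.sort(key=lambda x: x["ts"])
        for a, b in zip(evs, evs[1:]):
            if (a["workstation"] != b["workstation"]
                    and b["ts"] - a["ts"] <= window):
                findings.append(("shared_account_suspected", user,
                                 f'{a["workstation"]}->{b["workstation"]}'))
    return findings


if __name__ == "__main__":
    for rule, user, detail in find_snooping(parse_log(SAMPLE_LOG)):
        print(f"{rule:36s} user={user:8s} {detail}")
```

Run against the sample, the script reports jsmith opening the chart of a patient named Smith, kpatel opening a restricted chart, and drlee’s account appearing on two workstations 52 seconds apart. The surname match is a deliberately crude stand-in for the relationship checks a mature program runs (same address, same emergency contact, staff-as-patient flags); the point is that each rule suppresses itself when the EHR records a legitimate treatment relationship, which is what keeps the review queue manageable.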

4. Improper Filing and Disposing of Documents

In 2021, HealthReach Community Health Centers in Waterville, Maine, notified over 100,000 patients of a health data breach that resulted from improper disposal of medical records.  

With a paper filing system there will inevitably be human error: an employee misfiles a patient’s record, or discards a document without shredding it first. Sometimes people just have a bad day or get distracted. Mistakes happen everywhere, but they happen more often, and are harder to detect, with paper. 

How to Prevent a HIPAA Violation 

Establish policies and procedures to ensure that any PHI or personally identifiable information (PII) on paper is locked away at night and placed in secured disposal bins prior to shredding. Switch to an electronic filing system where you can, and where paper remains, build in a second check before records are filed or destroyed.

5. Releasing Patient Information After the Authorization Period Expires

Patients deserve transparency and easy access to their records. Under the Privacy Rule’s right of access, covered entities must respond to a patient’s request for their records within 30 days, with one 30-day extension permitted; HHS has proposed shortening this to 15 days, and OCR has made slow responses a standing enforcement priority. Failure to meet the deadline is a direct violation of HIPAA, and your entire organization must comply to avoid penalties.  

The opposite error is just as common: releasing information you are no longer allowed to release. A patient asking for their own records does not need an authorization form, but a release to a third party does, and every HIPAA authorization carries an expiration date or expiration event. 22% of healthcare cybersecurity incidents are caused by insider error, and this is a typical example: someone processing a release request does not check the expiration date closely enough and sends the information out even though the authorization has lapsed. 

If an authorization has expired, you must obtain a new, valid authorization from the patient before releasing anything.  

How to Prevent a HIPAA Violation 

Set automated reminders to keep your teams on task and on time with access requests. You can set reminders in software solutions like project management platforms, ITSM software, or a HIPAA compliance solution. Additionally, verify the expiration date or event on every HIPAA authorization before releasing any information, and obtain a new form if it has lapsed. See HIPAA Reference: §164.508(a)(1)-(3), §164.508(b)(6), §164.508(c)(1), §164.508(c)(2), §164.530(j)  

Another preventive method is performing a HIPAA self-assessment. A self-assessment surfaces the high-risk vulnerabilities and compliance gaps across your facility and network so that you can create an action plan to remediate them.  

Once you have gathered information about your teams, operations, processes, and policies through an assessment, you will have a clear view of the weak points most likely to lead to breaches, cyberattacks, or HIPAA compliance failures.  

Protect Patients and Your Organization with the Right Tools 

HIPAA violations can be devastating, but there are measures you can take to protect your patients and your organization. Conduct regular HIPAA risk assessments, train your staff correctly, set automated reminders, and implement a HIPAA compliance solution to avoid security gaps. Learn more about how you can stay secure with HIPAA One. 

Frequently Asked Questions

Q. What Are Some Examples of Accidental HIPAA Breaches?

While some HIPAA breaches are caused by malicious actors, many are simply caused by human error or improper protections. For example, an employee might mention a patient’s medical diagnosis to their colleague without realizing that the colleague is not authorized to know about this information. This disclosure would constitute a HIPAA violation, even though the employee had no intention of breaching data protection laws.

Q. Can a HIPAA Violation Occur Via Social Media?

Yes, social media is an increasingly common cause of HIPAA violations. While HIPAA is primarily concerned with health data, it also protects the identity of patients, and marketing uses of PHI require the patient’s written authorization. This can lead to unexpected violations when healthcare providers post on social media for marketing purposes. For example, if a healthcare organization shares a photo of a patient without that patient’s authorization, it is an impermissible disclosure of PHI. 

Q. What is the Average Fine for a HIPAA Violation?

Fines for a HIPAA breach depend on both the scope and the Tier of the violation: how much PHI was disclosed, and how negligent the organization is deemed to have been. For a single violation the statutory schedule runs from $100 at Tier 1 to $50,000 at Tier 4 (adjusted annually for inflation), and identical violations are capped per calendar year. Because a breach of many records typically involves many violations, and because OCR can also require a multi-year corrective action plan, the total cost of the worst breaches runs far beyond any single-violation figure. We offer a complete guide to HIPAA fines here.