10 Most Common HIPAA Violations You Should Avoid

What is a HIPAA Violation?

A HIPAA violation is noncompliance on the part of a HIPAA-covered entity with the standards set by the Health Insurance Portability and Accountability Act of 1996. Examples of HIPAA violations include:

  • Unauthorized access to Protected Health Information (PHI) 
  • Failure to perform an organization-wide risk assessment 
  • Lack of a risk management process 
  • Inadequate ePHI access control 
  • Failure to use encryption 
  • Impermissible disclosure of PHI 

The 10 Most Common Violations

The U.S. Department of Health and Human Services (HHS Office of Civil Rights) enforces HIPAA compliance and determines the appropriate penalties in cases where violations occur. 

Here are 10 of the most common HIPAA violations. We’ll divide these violations into two categories: 

  • Violations that incur financial penalties 
  • Violations that do not incur financial penalties 

Violations that Incur Financial Penalties

These are HIPAA violations that incur financial penalties when discovered. The size of the penalty depends on factors such as the gravity of the violation, how long it persisted, and the organization’s finances, and it is usually imposed on a per-violation basis.

The Office of Civil Rights (OCR) may impose penalties on a single healthcare professional or on the entire healthcare facility for up to $250,000, depending on the gravity of the violation. These violations include:

Non-Performance of an Organization-Wide Risk Analysis ($100,000 – $6,500,000)

HIPAA expects covered healthcare providers to perform a risk analysis to determine the weak spots that may leave their patient information open to compromise. Failure to do this leaves patients’ Protected Health Information (PHI) vulnerable to actions that may undermine its integrity, confidentiality, and availability. 

Lack of a Risk Management Process ($150,000 – $1,700,000)

After performing a risk analysis, organizations must have a risk management process in place to address the vulnerabilities they find. This measure ensures that direct action is taken immediately after a weakness or breach is discovered. 

Unauthorized Access to PHI

Under HIPAA’s privacy regulations, permitted uses of PHI are limited to treatment, payment, and healthcare operations. Accessing PHI for any other reason without the patient’s permission is deemed unauthorized and will attract a financial penalty when discovered. 

The law expects covered entities to make reasonable efforts to prevent such incidents. 

Inadequate Access Control for the Electronic Form of PHI (ePHI) ($111,400 – $5,500,000)

HIPAA expects covered entities to limit access to PHI on a need-to-know basis to reduce the risk of compromise. It imposes a financial penalty on organizations found in violation of this.

Failure to Use Encryption or its Equivalent ($650,000 – $3,200,000)

Encryption is the safest way to handle data in storage or transport. When data is encrypted, it remains inaccessible even when stolen (unless the decryption key is stolen, too), rendering such data useless for any malicious purpose. 

Though HIPAA does not mandate encryption, organizations should still implement such measures or their equivalent to secure their data. 

Reporting Breaches Past the 60-Day Deadline ($130,000 – $875,000)

HIPAA security regulations allow organizations up to 60 days after discovering a security breach to report it. Failure to report a breach within this deadline could result in a financial penalty. 

Failure to Enter HIPAA-Compliant Business Associate Agreement

HIPAA expects covered entities to enter HIPAA-compliant business associate agreements with all vendors that handle PHI. These agreements extend compliance obligations to vendors and ensure that they handle health information as stipulated by HIPAA, even when they are not themselves covered entities. 

Lack of Employee Training

HIPAA mandates covered entities to provide privacy and security training for their employees and to document the activity. Covered entities can get penalized if the government deems the compliance training of their employees inadequate.

However, if the covered entity can prove that it did train its employees by providing the necessary documentation, then the court could decide that the specific employee in question should incur the penalties.

Improper Disposal of PHI

Covered entities must ensure that PHI is disposed of appropriately to avoid it falling into the wrong hands. Businesses need to dispose of physical (paper) records and make sure that digital records are deleted with no possibility of a copy existing. 

Reckless Use of Social Media

The use of social media in a way that may disclose a patient’s private information is considered a HIPAA violation. Covered entities should take care to limit the use of social media in places that may compromise the organization. 

Violations Without Financial Penalties

Here are a few violations that do not result in any financial penalty but a corrective action plan. These include: 

● Discussing a patient’s PHI where other parties can hear it. 

● Charging a patient unreasonably for a copy of their PHI.

What are the Penalties for HIPAA Violations?

HIPAA violations come with penalties that may be monetary (for civil violations) and can result in jail time (for criminal violations). The fines from these penalties mostly compensate the unfortunate victims of these violations.

Civil Penalties

These are penalties imposed when a covered entity, unknowingly or by carelessness, fails to comply with HIPAA standards. Civil penalties are divided into four tiers of increasing levels of culpability, including:

Lack of Knowledge (Tier 1)

These violations result from genuine ignorance, where the organization could prove they (or their employees) had no knowledge of the violation.


Reasonable Cause without Willful Negligence (Tier 2)

In Tier 2, the covered entity knew or should have known that its actions violated HIPAA, but the violation did not result from willful neglect. 

Willful Negligence, Corrected in 30 Days (Tier 3)

Here, the violation results from neglect on the part of a covered entity but is discovered and corrected within 30 days.

Willful Negligence But Not Corrected in 30 Days (Tier 4)

The violation results from carelessness, and the covered entity did not take corrective action within 30 days. 

Level of Violation   Minimum Penalty ($)   Maximum Penalty ($)   Annual Cap ($)
Tier 1               $127                  $63,973               $1,919,173
Tier 2               $1,280                $63,973               $1,919,173
Tier 3               $12,794               $63,973               $1,919,173
Tier 4               $63,973               $1,919,173            $1,919,173
Table 1. Civil penalty tiers

Criminal Penalties

Criminal penalties are imposed on individual health practitioners who knowingly violate HIPAA. These violations result in criminal charges, and penalties may include monetary fines, jail time, or both. 

There are three tiers of criminal violations: 

Wrongful Disclosure of PHI (Tier 1)

Here, the individual knew, or should have known, that their action violated HIPAA. 

Wrongful Disclosure of PHI Under False Pretences (Tier 2)

Here, the individual or organization obtained PHI under false pretenses and went ahead and disclosed it, knowing that such action violates the provisions of HIPAA.

Wrongful Disclosure of PHI under False Pretenses with Malicious Intent (Tier 3)

A third-tier violation occurs when an organization obtains PHI under false pretenses and does so with the intent to sell or transfer the data for personal gain or malicious purposes.

Level of Violation   Maximum Monetary Penalty ($)   Maximum Jail Time
Tier 1               $50,000                        1 year
Tier 2               $100,000                       5 years
Tier 3               $250,000                       10 years
Table 2. Criminal penalty tiers

How Does it Affect Patients?

Carrying out actions designated as HIPAA violations results in one thing: wrongful disclosure of Protected Health Information. Not only does that violate patient privacy, but it may also result in many consequences, depending on the actors involved. Common examples of these consequences include blackmailing the patient, identity theft, cyber-attacks, and the like.

How to Avoid HIPAA Violations

It is in the interest of a covered entity to avoid HIPAA violations, considering not just the penalties involved but also the dangers it may expose patients to. Here are tips on how to do that. 

Tips for Covered Entities

HIPAA compliance for covered entities means being audit-ready at all times and entails the following: 

  • Implementing adequate access control for both physical files and electronic health records 
  • Ensuring proper employee training, with documented evidence to prove it 
  • Ensuring that vendors and other business associates are bound by HIPAA-compliant agreements
  • Ensuring that organization-wide risk analyses are carried out at intervals to determine potential risks 
  • Ensuring that a risk management plan is in place at all times 
  • Carrying out periodic audits to ensure that the organization maintains a good compliance posture 
  • Ensuring proper disposal of PHI records when needed 
  • Honoring patients’ medical records requests 

Tips for Employees, Healthcare Providers, and Contractors

Healthcare employees can be as liable for HIPAA violations as covered entities and should be mindful of the following: 

  • Avoiding reckless use of social media that may amount to wrongful disclosure 
  • Avoiding discussing patients with unauthorized parties 
  • Ensuring that PHI access devices and patient files are never left unattended, to avoid loss or theft 
  • Avoiding accessing PHI without authorization 
  • Preventing the inadvertent release of PHI to unauthorized parties 
  • Avoiding giving access to co-workers who have no access rights 

How Perimeter81 Helps You Avoid HIPAA Violations and Fines

Perimeter81 has a suite of security solutions that offers your organization complete visibility into on-premise or cloud resources. Extra security measures like 2FA mean you no longer have to worry about the loss of or unauthorized access to your healthcare records. Add its strong data encryption serving as an additional layer of security, and the HIPAA Breach Notification rule becomes a thing of the past. 

Thinking of nailing your compliance requirements and improving your compliance posture? Check out Perimeter81’s regulatory compliance solutions.

Want to get the latest updated information on staying HIPAA-compliant? Download our checklist.

FAQs

What are the ten most common HIPAA violations?
Some of the most common violations include the following: 
● Failure to use encryption 
● Inadequate ePHI access control 
● Inadequacies in employee training 
● Loss or theft of portable devices (with PHI access) 
● Improper disposal of PHI 
● Non-compliant business associate agreements 
● Unauthorized access to PHI 
● Failure to carry out organization-wide risk analysis 
● Lack of a risk management plan 
● Reckless use of social media 
● Discussing medical records with unauthorized individuals
Are HIPAA violations common?
Yes, HIPAA violations are widespread. Something as simple as posting photos of hospital hallways, or the loss of a device that has access to PHI, can be a HIPAA violation.
What is the most severe HIPAA violation?
In HIPAA, the severity of a violation increases with the entity’s level of awareness and the time taken to initiate remediation actions. 
Considering this, the most severe HIPAA violations are those done willfully with late remediation efforts (for civil violations), malicious intent, or hope of personal gain (criminal violations). An example is disclosing healthcare records with the intent to cause embarrassment.
How are HIPAA violations discovered?
HIPAA violations are discovered through one of the following ways: 
Employee self-report – when an employee realizes they have violated HIPAA and reports the violation to the organization’s privacy officer or compliance officer. 
Employee reporting another employee – when an employee reports a potential violation by another employee to the organization’s privacy officer or compliance officer. 
Internal Audit – an organization audits its compliance status to know where it may have become non-compliant. For this, it may engage the services of a compliance agency or service. HIPAA also mandates organizations report certain violations to the HHS Office for Civil Rights. 
Office of Civil Rights (OCR) audit – when the OCR initiates an investigation on the strength of a report made by an organization or a private individual, taking enforcement actions when necessary. 
How do you report a HIPAA violation?
Anybody can report a HIPAA violation through these two channels:

1. Reporting Internally – Internal reports are the first step after discovering a violation. If you work for a covered entity, you need to report it to your compliance officer right away. The compliance officer is then expected to investigate the violation and take corrective action immediately, or to report to the OCR if needed.
2. Reporting to the OCR – When an employee makes a report internally and sees no remedial action after a reasonable amount of time, HIPAA permits an employee to bypass the covered entity and report the violation to the OCR directly. It also protects the employee from any retaliatory measures that the covered entity may bring on them. After this, the OCR retains the prerogative to determine whether the complaint has merit and whether to offer technical assistance or take enforcement actions. 
What does “reduce risk to an appropriate and acceptable level” mean?
It is impossible to eliminate risk from any process; some level of risk always remains. Therefore, “reducing risk to an appropriate and acceptable level” means reducing the risk inherent in a process to a level at which a covered entity can bear the associated consequences.
What counts as HIPAA violations by employees?
The following counts as HIPAA violations by employees: 
● Access to PHI without patient authorization 
● Disclosure of PHI after the authorization period 
● Disclosure of PHI to an unauthorized party 
● Stolen or lost PHI access devices 
● Reckless use of social media 
What constitutes a HIPAA violation by business associates?
Business associates violate HIPAA when they fail to issue a breach notification to the covered entity within 60 days of the breach.