A HIPAA violation is noncompliance on the part of a HIPAA-covered entity with the standards set by the Health Insurance Portability and Accountability Act of 1996. Examples of HIPAA violations include:
The U.S. Department of Health and Human Services, through its Office for Civil Rights (OCR), enforces HIPAA and determines the penalties when violations occur.
Here are 10 of the most common HIPAA violations. We’ll divide these violations into two categories:
These are HIPAA violations that incur financial penalties when discovered. The amount depends on factors such as the nature and extent of the violation, how long it persisted, the harm caused, and the organization's financial condition, and is assessed per violation, with an annual cap for each provision violated.
The Office for Civil Rights (OCR) may impose civil penalties on an individual healthcare professional or on the entire organization. The amount is tiered by culpability (see the penalty tiers below), with a cap of $1.5 million per calendar year for each provision violated, adjusted annually for inflation. Commonly penalized violations include:
HIPAA expects covered healthcare providers to perform a risk analysis to determine the weak spots that may leave their patient information open to compromise. Failure to do this leaves patients’ Protected Health Information (PHI) vulnerable to actions that may undermine its integrity, confidentiality, and availability.
After performing a risk analysis, organizations must run a risk management process that reduces the identified risks to a reasonable and appropriate level and documents what was done. Risk analysis is not a one-off exercise: it has to be repeated as systems, vendors and threats change, and unaddressed findings from an old analysis are a common reason OCR imposes penalties.
HIPAA's Privacy Rule permits use and disclosure of PHI without patient authorization for treatment, payment, and healthcare operations. Accessing PHI for any other purpose without the patient's written authorization (or another specific Privacy Rule exception) is unauthorized and attracts a financial penalty when discovered; employees looking up records of relatives, colleagues or celebrities out of curiosity is the classic case.
The law expects covered entities to make reasonable efforts to prevent such unauthorized access, for example through role-based access controls and audit logs that are actually reviewed.
HIPAA's minimum necessary standard requires covered entities to limit each workforce member's access to the PHI their role actually needs, reducing the risk of compromise. Organizations found in violation face financial penalties.
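The two rules above, permitted purpose of use and minimum necessary access, are usually enforced at the point where an application hands out a patient record. The following is an added example, not code from the original page or from Perimeter81: a small gateway that checks the stated purpose against the three permitted ones, filters the returned fields down to what the caller's role is entitled to, and writes every request (granted, partially granted or denied) to an audit log so that snooping attempts are detectable afterwards. The role-to-field mapping, role names and the in-memory patient record are constructed assumptions for illustration.

```python
"""Purpose-of-use and minimum-necessary gate for PHI access, with an audit trail.

Added example; not from the original page. Roles, field names and the
patient record below are constructed for illustration only.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Set

# Uses and disclosures HIPAA permits without patient authorization
# (45 CFR 164.506): treatment, payment and health care operations.
PERMITTED_PURPOSES = {"treatment", "payment", "operations"}

# Minimum-necessary policy (45 CFR 164.502(b)): each role sees only the
# fields its job needs. Roles and fields here are assumptions for the example.
ROLE_FIELDS: Dict[str, Set[str]] = {
    "physician": {"name", "dob", "diagnosis", "medications"},
    "billing": {"name", "dob", "insurance_id", "procedure_codes"},
    "front_desk": {"name", "dob", "appointment"},
}

# Constructed sample record; not real patient data.
PATIENT_RECORDS = {
    "P-1001": {
        "name": "Sample Patient", "dob": "1970-01-01",
        "diagnosis": "J06.9", "medications": ["acetaminophen"],
        "insurance_id": "INS-55", "procedure_codes": ["99213"],
        "appointment": "2024-05-01T09:00",
    }
}


@dataclass
class Decision:
    allowed: bool
    reason: str
    data: Dict[str, object] = field(default_factory=dict)   # fields released
    withheld: Set[str] = field(default_factory=set)          # requested but not entitled


class PHIGateway:
    """Every request, granted or not, is appended to the audit log so that
    unauthorized-access attempts can be found after the fact."""

    def __init__(self) -> None:
        self.audit_log: List[dict] = []

    def request(self, user: str, role: str, patient_id: str, purpose: str,
                fields: Set[str], patient_authorized: bool = False) -> Decision:
        allowed_fields = ROLE_FIELDS.get(role, set())
        if purpose not in PERMITTED_PURPOSES and not patient_authorized:
            # Anything outside treatment/payment/operations needs the patient's
            # written authorization; without it the request is refused outright.
            decision = Decision(False, f"purpose '{purpose}' requires patient authorization")
        elif not allowed_fields:
            decision = Decision(False, f"role '{role}' has no PHI entitlement")
        elif patient_id not in PATIENT_RECORDS:
            decision = Decision(False, "unknown patient")
        else:
            # Minimum necessary: release only the intersection of what was
            # asked for and what the role is entitled to; record the rest.
            record = PATIENT_RECORDS[patient_id]
            granted = fields & allowed_fields
            decision = Decision(
                True, "ok",
                data={f: record[f] for f in granted if f in record},
                withheld=fields - allowed_fields,
            )
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "patient": patient_id,
            "purpose": purpose, "requested": sorted(fields),
            "allowed": decision.allowed, "reason": decision.reason,
            "withheld": sorted(decision.withheld),
        })
        return decision

    def denied_attempts(self) -> List[dict]:
        """Entries a compliance reviewer would pull first: outright denials and
        partial grants where the minimum-necessary filter withheld fields."""
        return [e for e in self.audit_log if not e["allowed"] or e["withheld"]]


if __name__ == "__main__":
    gw = PHIGateway()
    print(gw.request("dr_a", "physician", "P-1001", "treatment",
                     {"name", "diagnosis", "insurance_id"}))
    print(gw.request("clerk", "front_desk", "P-1001", "curiosity", {"diagnosis"}))
    for entry in gw.denied_attempts():
        print(entry)
```

The important design point is that the audit log is written on the denied path as well as the granted one: a clerk repeatedly asking for a diagnosis they are not entitled to is exactly the signal OCR expects a covered entity to be able to find, and a log that only records successes cannot show it.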
Encryption is the strongest protection for data at rest and in transit: encrypted data that is stolen remains unreadable unless the key is compromised as well, so it is of little use to an attacker.
Under the Security Rule, encryption is an "addressable" implementation specification rather than a "required" one. That does not make it optional: a covered entity must either implement it or document why an equivalent alternative measure is reasonable and appropriate. Encryption also has a practical payoff: PHI encrypted according to HHS guidance is not "unsecured PHI", so its loss does not by itself trigger breach notification.
The Breach Notification Rule requires covered entities to notify affected individuals (and HHS) without unreasonable delay and no later than 60 calendar days after discovering a breach of unsecured PHI; the 60 days is an outer limit, not a grace period. Missing the deadline can result in a financial penalty.
HIPAA requires covered entities to sign business associate agreements (BAAs) with all vendors that create, receive, maintain or transmit PHI on their behalf. The BAA binds the vendor to HIPAA's safeguards even though it is not itself a covered entity, and since the HITECH Act business associates are also directly liable for their own violations.
HIPAA requires covered entities to provide privacy and security training to their workforce and to document it. Covered entities can be penalized if the training is deemed inadequate.
If, however, the covered entity can show through its documentation that the employee in question was trained, responsibility for the violation may shift to that individual, who can face sanctions and, for knowing misuse of PHI, criminal charges.
Covered entities must dispose of PHI so that it cannot be recovered. Paper records should be shredded or otherwise destroyed, and electronic media should be wiped or physically destroyed so that no copy remains, including on backups, decommissioned devices and equipment being reassigned or sold.
Posting about patients on social media in a way that discloses their private information, even without naming them, is a HIPAA violation. Covered entities should set clear social media policies for staff and restrict posting from places where PHI could be captured, for example photos taken in clinical areas with charts or screens in the background.
Some violations do not usually result in a financial penalty; OCR typically resolves them with a corrective action plan instead. These include:
● Discussing a patient’s PHI where other parties can hear it.
● Charging a patient unreasonably for a copy of their PHI.
HIPAA violations carry civil monetary penalties and, for criminal violations, fines and possible imprisonment. Civil penalties are paid to the government, not to the affected patients: individuals have no private right of action under HIPAA, although state privacy laws may give them one.
Civil penalties apply when a covered entity fails to comply with HIPAA, whether unknowingly or through carelessness. They are divided into four tiers of increasing culpability:
Tier 1: the covered entity did not know, and by exercising reasonable diligence would not have known, that it was violating HIPAA.
Want to get your employees trained in HIPAA compliance? Check out our list of the top HIPAA certification programs.
Tier 2 (reasonable cause): the covered entity knew, or should have known, that its conduct violated HIPAA, but the violation did not rise to the level of willful neglect.
Tier 3 (willful neglect, corrected): the violation results from willful neglect but is corrected within 30 days of the covered entity becoming aware of it.
Tier 4 (willful neglect, not corrected): the violation results from willful neglect and is not corrected within 30 days.
Criminal penalties apply to individuals (and can reach organizations) who knowingly obtain or disclose individually identifiable health information in violation of HIPAA. These cases are prosecuted by the Department of Justice rather than OCR and can result in fines, imprisonment, or both.
There are three tiers of criminal violations:
First tier: the individual knowingly obtained or disclosed individually identifiable health information in violation of HIPAA. Penalties can reach $50,000 and one year in prison.
Second tier: the offense was committed under false pretenses. Penalties can reach $100,000 and five years in prison.
Third tier: the offense was committed with intent to sell, transfer or use the information for commercial advantage, personal gain or malicious harm. Penalties can reach $250,000 and ten years in prison.
Every HIPAA violation comes down to the same outcome: wrongful exposure of Protected Health Information. Beyond the privacy violation itself, the consequences depend on who ends up with the data and can include blackmail of the patient, medical identity theft and insurance fraud, and follow-on attacks that use the stolen details to make phishing more convincing.
It is in the interest of a covered entity to avoid HIPAA violations, considering not just the penalties involved but also the dangers it may expose patients to. Here are tips on how to do that.
HIPAA compliance for covered entities means being audit-ready at all times and entails the following:
Healthcare employees can be as liable for HIPAA violations as covered entities and should be mindful of the following:
Perimeter81 offers a suite of security solutions that gives your organization visibility into on-premise and cloud resources. Controls such as two-factor authentication reduce the risk of a lost or stolen credential leading to unauthorized access to healthcare records, and strong encryption of data adds a further layer: PHI encrypted according to HHS guidance is not "unsecured PHI", so its loss does not by itself trigger the Breach Notification Rule.
Thinking of nailing your compliance requirements and improving your compliance posture? Check out Perimeter81’s regulatory compliance solutions.
Want to get the latest updated information on staying HIPAA-compliant? Download our checklist.