
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Examples of Avoidable HIPAA Violations by Employers

Examples of HIPAA violations by employers are easy to find because almost every avoidable HIPAA violation is indirectly attributable to an employer’s failure to implement adequate privacy and security measures, failure to effectively train members of the workforce, or failure to monitor HIPAA compliance. Over the next few years, these failures may become expensive for employers in – or providing a service to – the healthcare industry.

Employers in their role as a covered entity or business associate have the ultimate responsibility for HIPAA compliance. They are responsible for complying with all applicable federal and state regulations, for developing workplace policies and procedures, and for ensuring the policies and procedures are complied with. While these responsibilities may sometimes be delegated to a third party, employers are usually responsible for selecting the third party.

When avoidable HIPAA violations occur, they represent a compliance failure by an employer. Although the violations most often manifest as a data breach, unauthorized access to PHI, or an impermissible disclosure, the root cause is more likely to be the failure to conduct an accurate and thorough risk analysis, identify reasonably anticipated threats and vulnerabilities, and implement adequate measures to prevent violations attributable to the threats and vulnerabilities.

Avoidable vs. Unavoidable HIPAA Violations

To best explain why avoidable HIPAA violations are examples of HIPAA violations by employers, it is important to distinguish between avoidable and unavoidable HIPAA violations.


Avoidable HIPAA violations are those in which reasonably anticipated threats exist, but they are not identified in a risk assessment or inadequate measures are implemented to prevent them. Examples of HIPAA violations by employers in this category include data breaches attributable to “Hacking/IT Incidents” where the risk of remote, unauthorized access has been identified, but the employer has failed to implement a robust password policy supported by two-factor authentication.

Unavoidable HIPAA violations occur when an employer has conducted an accurate and thorough risk analysis, and implemented measures to prevent HIPAA violations, but violations still occur. Examples of unavoidable HIPAA violations include when a healthcare professional accidentally discloses more than the minimum necessary PHI, or when a member of the IT team misuses their login privileges to steal a database of medical records and sell it on the Internet.


How Many Avoidable HIPAA Violations Occur Each Year?

It is impossible to determine how many avoidable HIPAA violations occur each year because most violations are reported internally – either by a member of the workforce to their supervisor or by a member of the public to the organization’s Privacy Officer. Relatively few HIPAA violations that do not involve data breaches are reported to – or escalated to – HHS’ Office for Civil Rights (around 5,000 per year), and these mostly relate to impermissible disclosures or the denial of patients’ HIPAA rights.

All data breaches must be reported to HHS’ Office for Civil Rights. The majority of data breaches qualify as examples of HIPAA violations by employers because 75% of breaches affecting 500 or more individuals are attributable to Hacking/IT Incidents (per 2021 report) – of which 80% are attributable to brute force attacks on weak passwords and employee susceptibility to phishing. Both causes can be avoided by implementing a robust password policy supported by two-factor authentication.

Specific Examples of HIPAA Violations by Employers

In 2021 – the most recent year for which data is currently available – HHS’ Office for Civil Rights (OCR) received more than 64,000 notifications of data breaches. However, it is only possible to view the details of around 600 of these data breaches because OCR is only required to publish details of data breaches affecting 500 or more individuals. These specific examples of HIPAA violations by employers can be found in the Archive section of the HHS Breach Report and include:

  • In December 2021, the Barlow Respiratory Hospital in Los Angeles notified OCR of a ransomware attack affecting more than 10,000 individuals. OCR responded by providing “technical assistance regarding the HIPAA Rules” – implying the employer had not complied with all applicable regulations.
  • In November 2021, the Howard University College of Dentistry in DC notified OCR of a ransomware attack affecting more than 80,000 individuals. The breach report reads “the CE implemented additional administrative, physical, and technical safeguards to better protect PHI” – implying adequate measures did not exist beforehand.
  • In October 2021, an employee of the Community Eye Center of North Carolina was the victim of an email phishing attack that compromised the PHI of 149,804 individuals. In response to the breach, “staff were retrained on email security” – something that should have been part of an ongoing security awareness training program.
  • In September 2021, an employee of the Kentucky-based health plan – Humana Inc. – emailed the PHI of 948 individuals to the wrong recipients. This type of data breach occurs frequently and is a reasonably anticipated threat that can be avoided with properly configured Data Loss Prevention for email.

Somewhat surprisingly, in 2021 only two data breaches resulted in a financial penalty. A further twelve financial penalties were issued for Right of Access failures. While not all of the remaining ~70,000 complaints and notifications were examples of HIPAA violations by employers, the impression is that OCR does not have adequate resources to effectively enforce HIPAA compliance. However, that might soon be about to change – making non-compliance expensive for employers.

Potential Changes to HIPAA Enforcement in 2025

There are two potential changes to HIPAA enforcement in 2025. The first relates to the “settlement sharing” requirement of the HITECH Act which is yet to be actioned due to the challenges of defining harm and settling on a fair method of settlement sharing. OCR issued a Request for Information in 2022 to move forward with this requirement; and, if the challenges are addressed, OCR could come under pressure from victims of data breaches to issue more financial penalties for HIPAA violations.

More recently, in December 2023, OCR published a Healthcare Sector Cybersecurity Strategy which includes proposals to develop new Security Rule standards to combat cybercrime. Not only will noncompliance with the new Security Rule standards be proactively sanctioned by OCR, but noncompliance could also result in expulsion from CMS’ Medicare program – potentially a more expensive financial penalty for employers in – or providing a service to – the healthcare industry.

Covered entities and business associates concerned that the examples of HIPAA violations by employers mentioned in this article might in future be punishable by financial penalties – or might affect their future eligibility for participation in Medicare – are advised to seek professional HIPAA compliance advice.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
