The most common HIPAA violations that have resulted in financial penalties are the failure to perform an organization-wide risk analysis to identify risks to the confidentiality, integrity, and availability of protected health information (PHI); the failure to enter into a HIPAA-compliant business associate agreement; impermissible disclosures of PHI; delayed breach notifications; and the failure to safeguard PHI.
The settlements pursued by the Department of Health and Human Services’ Office for Civil Rights (OCR) are for egregious violations of HIPAA Rules. Settlements are also pursued to highlight common HIPAA violations to raise awareness of the need to comply with specific aspects of HIPAA Rules.
This article covers five of the most common HIPAA violations that have resulted in settlements with covered entities and their business associates over the past few years.
Are Data Breaches HIPAA Violations?
Data breaches are now a fact of life. Even with multi-layered cybersecurity defenses, data breaches are still likely to occur from time to time. OCR understands that healthcare organizations are being targeted by cybercriminals and that it is not possible to implement impregnable security defenses.
Being HIPAA compliant is not about making sure that data breaches never happen. HIPAA compliance is about reducing risk to an appropriate and acceptable level. Just because an organization experiences a data breach, it does not mean the breach was the result of a HIPAA violation.
The OCR breach portal now reflects this more clearly. Many data breaches are investigated by OCR and are found not to involve any violations of HIPAA Rules. Consequently, the investigations are closed without any action being taken.
How are HIPAA Violations Discovered?
HIPAA violations can continue for many months, or even years, before they are discovered. The longer they are allowed to persist, the greater the penalty will be when they are eventually discovered. It is therefore important for HIPAA-covered entities to conduct regular HIPAA compliance reviews to make sure HIPAA violations are discovered and corrected before they are identified by regulators.
There are three main ways that HIPAA violations are discovered:
- Investigations into a data breach by OCR (or state attorneys general)
- Investigations into complaints about covered entities and business associates
- HIPAA compliance audits
Even when a data breach does not involve a HIPAA violation, or a complaint proves to be unfounded, OCR may uncover unrelated HIPAA violations that could warrant a financial penalty.
What are the Most Common HIPAA Violations?
Listed below are five of the most common HIPAA violations, together with examples of HIPAA-covered entities and business associates that have been discovered to be in violation of HIPAA Rules and have had to settle those violations with OCR and state attorneys general. In many cases, investigations have uncovered multiple HIPAA violations. The settlement amounts reflect the seriousness of the violation, the length of time the violation has been allowed to persist, the number of violations identified, and the financial position of the covered entity/business associate.
Failure to Perform an Organization-Wide Risk Analysis
The failure to perform an organization-wide risk analysis is arguably the most common HIPAA violation, and one that frequently results in financial settlements with OCR. If the risk analysis is not performed regularly, organizations will not be able to determine whether any vulnerabilities to the confidentiality, integrity, and availability of PHI exist. Risks are therefore likely to remain unaddressed, leaving the door wide open to hackers.
HIPAA settlements with covered entities for the failure to conduct an organization-wide risk assessment include:
- Oregon Health & Science University – $2.7 million settlement for the lack of an enterprise-wide risk analysis.
- Cardionet – $2.5 million settlement for an incomplete risk analysis and lack of risk management processes.
- Cancer Care Group – $750,000 settlement for the failure to conduct an enterprise-wide risk analysis.
- Lahey Hospital and Medical Center – $850,000 settlement for the failure to conduct an organization-wide risk assessment and other HIPAA violations.
Failure to Enter into a HIPAA-Compliant Business Associate Agreement
The failure to enter into a HIPAA-compliant business associate agreement with all vendors that are provided with or given access to PHI is another of the most common HIPAA violations. Even when business associate agreements are held for all vendors, they may not be HIPAA compliant, especially if they have not been revised after the Omnibus Final Rule.
Notable settlements for these common HIPAA violations include:
- Raleigh Orthopaedic Clinic, P.A. of North Carolina – $750,000 settlement for the failure to execute a HIPAA-compliant business associate agreement.
- North Memorial Health Care of Minnesota – $1.55 million settlement for failing to enter into a BAA with a major contractor and other HIPAA violations.
- Care New England Health System – $400,000 settlement for the failure to update business associate agreements.
Failure to Use Encryption or an Equivalent Measure to Safeguard ePHI on Portable Devices
One of the most effective methods of preventing data breaches is to encrypt PHI. Breaches of encrypted PHI are not reportable security incidents unless the key to decrypt the data is also stolen. Encryption is not mandatory under HIPAA Rules, but it cannot be ignored. If the decision is taken not to use encryption, an alternative, equivalent security measure must be used in its place.
Recent settlements for the failure to safeguard PHI include:
- Children’s Medical Center of Dallas – $3.2 million civil monetary penalty for failing to take action to address known risks, including the failure to use encryption on portable devices.
- Catholic Health Care Services of the Archdiocese of Philadelphia – $650,000 settlement for the failure to use encryption, the failure to conduct an enterprise-wide risk analysis, and the failure to manage risks.
Exceeding the 60-Day Deadline for Issuing Breach Notifications
The HIPAA Breach Notification Rule requires covered entities to issue notifications of breaches without unnecessary delay, and certainly no later than 60 days following the discovery of a data breach. Exceeding that time frame is one of the most common HIPAA violations, which has seen two penalties issued this year:
- Presence Health – $475,000 settlement for delaying the issuing of breach notifications by a month.
- CoPilot Provider Support Services Inc. – $130,000 settlement with NY Attorney General for delayed breach notifications.
Impermissible Disclosures of Protected Health Information
Any disclosure of protected health information that is not permitted under the HIPAA Privacy Rule can attract a financial penalty. This violation category includes disclosing PHI to a patient’s employer, potential disclosures following the theft or loss of unencrypted laptop computers, careless handling of PHI, disclosing PHI unnecessarily, not adhering to the ‘minimum necessary’ standard, and disclosures of PHI after patient authorizations have expired.
Two notable settlements include:
- Memorial Hermann Health System – $2.4 million settlement for disclosing a patient’s PHI in a press release.
- Luke’s-Roosevelt Hospital Center – $387,000 settlement for careless handling of PHI / disclosure of a patient’s HIV status to their employer.
Reported HIPAA Violations by Type and Year (01.01.14 to 04.01.18)

| Violation type | 2014 | 2015 | 2016 | 2017 | 2018 (to 04.01.18) |
|---|---|---|---|---|---|
| Theft (both internal and external) | 122 | 81 | 62 | 57 | 14 |
| Loss (of device or paper records) | 31 | 23 | 16 | 16 | 7 |