Share this article on:
Barely a day goes by without a news report of a hospital, health plan, or healthcare professional violating HIPAA, but what is a HIPAA violation and what happens when a violation occurs?
What is a HIPAA Violation?
The Health Insurance Portability and Accountability Act of 1996 is a landmark piece of legislation that was introduced to simplify the administration of healthcare, eliminate wastage, prevent healthcare fraud, and ensure that employees could maintain healthcare coverage when between jobs.
There have been notable updates to HIPAA to improve privacy protections for patients and health plan members over the years which help to ensure healthcare data is safeguarded and the privacy of patients is protected. Those updates include the HIPAA Privacy Rule, HIPAA Security Rule, HIPAA Omnibus Rule, and the HIPAA Breach Notification Rule.
A HIPAA violation is a failure to comply with any aspect of HIPAA standards and provisions detailed in detailed in 45 CFR Parts 160, 162, and 164.
The combined text of all HIPAA regulations published by the Department of Health and Human Services Office for Civil Rights runs to 115 pages and contains many provisions. There are hundreds of ways that HIPAA Rules can be violated, although the most common HIPAA violations are:
- Impermissible disclosures of protected health information (PHI)
- Unauthorized accessing of PHI
- Improper disposal of PHI
- Failure to conduct a risk analysis
- Failure to manage risks to the confidentiality, integrity, and availability of PHI
- Failure to implement safeguards to ensure the confidentiality, integrity, and availability of PHI
- Failure to maintain and monitor PHI access logs
- Failure to enter into a HIPAA-compliant business associate agreement with vendors prior to giving access to PHI
- Failure to provide patients with copies of their PHI on request
- Failure to implement access controls to limit who can view PHI
- Failure to terminate access rights to PHI when no longer required
- The disclosure more PHI than is necessary for a particular task to be performed
- Failure to provide HIPAA training and security awareness training
- Theft of patient records
- Unauthorized release of PHI to individuals not authorized to receive the information
- Sharing of PHI online or via social media without permission
- Mishandling and mismailing PHI
- Texting PHI
- Failure to encrypt PHI or use an alternative, equivalent measure to prevent unauthorized access/disclosure
- Failure to notify an individual (or the Office for Civil Rights) of a security incident involving PHI within 60 days of the discovery of a breach
- Failure to document compliance efforts
How are HIPAA Violations Uncovered?
Many HIPAA violations are discovered by HIPAA-covered entities through internal audits. Supervisors may identify employees who have violated HIPAA Rules and employees often self-report HIPAA violations and potential violations by co-workers.
The HHS’ Office for Civil Rights is the main enforcer of HIPAA Rules and investigates complaints of HIPAA violations reported by healthcare employees, patients, and health plan members. OCR also investigates all covered entities who report breaches of more than 500 records and conducts investigations into certain smaller breaches. OCR also conducts periodic audits of HIPAA covered entities and business associates.
State attorneys general also have the power to investigate breaches and investigations are often conducted due to complaints about potential HIPAA violations and when reports of breaches of patient records are received.
What are the Penalties for Violations of HIPAA Rules?
The penalties for violations of HIPAA Rules can be severe. State attorneys general can issue fines up to a maximum of $25,000 per violation category, per calendar year. OCR can issue fines of up to $1.5 million per violation category, per year. Multi-million-dollar fines can be – and have been – issued.
While healthcare providers, health plans, and business associates of covered entities can be fined, there are also potential fines for individuals who violate HIPAA Rules and criminal penalties may be appropriate. A jail term for violating HIPAA is a possibility, with some violations carrying a penalty of up to 10 years in jail.
You can find out more about the penalties for HIPAA violations on this page.
Recent HIPAA violation penalties and the HIPAA penalty structure are detailed in the infographic below.