Barely a day goes by without a news report of a hospital, health plan, or healthcare professional violating HIPAA, but what is a HIPAA violation and what happens when a violation occurs?
What is a HIPAA Violation?
The Health Insurance Portability and Accountability Act of 1996 is a landmark piece of legislation that was introduced to simplify the administration of healthcare, eliminate wastage, prevent healthcare fraud, and ensure that employees could maintain healthcare coverage when between jobs.
Over the years there have been notable updates to HIPAA that improve privacy protections for patients and health plan members and help ensure healthcare data is safeguarded. Those updates include the HIPAA Privacy Rule, HIPAA Security Rule, HIPAA Omnibus Rule, and the HIPAA Breach Notification Rule.
A HIPAA violation is a failure to comply with any aspect of the HIPAA standards and provisions detailed in 45 CFR Parts 160, 162, and 164.
The combined text of all HIPAA regulations published by the Department of Health and Human Services Office for Civil Rights runs to 115 pages and contains many provisions. There are hundreds of ways that HIPAA Rules can be violated, although the most common HIPAA violations are:
- Impermissible disclosures of protected health information (PHI)
- Unauthorized accessing of PHI
- Improper disposal of PHI
- Failure to conduct a risk analysis
- Failure to manage risks to the confidentiality, integrity, and availability of PHI
- Failure to implement safeguards to ensure the confidentiality, integrity, and availability of PHI
- Failure to maintain and monitor PHI access logs
- Failure to enter into a HIPAA-compliant business associate agreement with vendors prior to giving access to PHI
- Failure to provide patients with copies of their PHI on request
- Failure to implement access controls to limit who can view PHI
- Failure to terminate access rights to PHI when no longer required
- Disclosure of more PHI than is necessary for a particular task to be performed
- Failure to provide HIPAA training and security awareness training
- Theft of patient records
- Unauthorized release of PHI to individuals not authorized to receive the information
- Sharing of PHI online or via social media without permission
- Mishandling and mismailing PHI
- Texting PHI
- Failure to encrypt PHI or use an alternative, equivalent measure to prevent unauthorized access/disclosure
- Failure to notify an individual (or the Office for Civil Rights) of a security incident involving PHI within 60 days of the discovery of a breach
- Failure to document compliance efforts
It is important that anybody with access to PHI in an organization is provided with HIPAA training that explains the potential types of HIPAA violations.
How are HIPAA Violations Uncovered?
Many HIPAA violations are discovered by HIPAA-covered entities through internal audits. Supervisors may identify employees who have violated HIPAA Rules and employees often self-report HIPAA violations and potential violations by co-workers.
The HHS’ Office for Civil Rights is the main enforcer of HIPAA Rules and investigates complaints of HIPAA violations reported by healthcare employees, patients, and health plan members. OCR also investigates all covered entities who report breaches of more than 500 records and conducts investigations into certain smaller breaches. OCR also conducts periodic audits of HIPAA covered entities and business associates.
State attorneys general also have the power to investigate breaches; their investigations are often prompted by complaints about potential HIPAA violations and by reports of breaches of patient records.
What are the Penalties for Violations of HIPAA Rules?
The penalties for violations of HIPAA Rules can be severe. State attorneys general can issue fines up to a maximum of $25,000 per violation category, per calendar year. OCR can issue fines of up to $1.5 million per violation category, per year. Multi-million-dollar fines can be – and have been – issued.
While healthcare providers, health plans, and business associates of covered entities can be fined, there are also potential fines for individuals who violate HIPAA Rules and criminal penalties may be appropriate. A jail term for violating HIPAA is a possibility, with some violations carrying a penalty of up to 10 years in jail.
You can find out more about the penalties for HIPAA violations on this page.
Recent HIPAA violation penalties and the HIPAA penalty structure are detailed in the infographic below.
[Infographic: HIPAA Violation Penalties]
How can you tell if an organization is in violation of HIPAA?
Covered entities and business associates are required by HIPAA to conduct risk analyses on a regular basis. A risk analysis should identify any areas of non-compliance that indicate the organization is in violation of HIPAA. Failing to conduct and document a risk analysis is itself a violation of HIPAA, as is failing to address the issues a risk analysis identifies.
What is the difference between a risk assessment and a risk analysis?
While most entities would consider a risk assessment to be an investigation of possible threats, and a risk analysis a calculation of how likely those threats are to occur, there is a lack of clarity in HIPAA. For example, under the risk analysis section of the Security Rule Administrative Safeguards (45 CFR § 164.308(a)), a covered entity or business associate must: “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.”
Who can violate HIPAA?
Anyone who is covered by the HIPAA regulations can violate HIPAA. However, there has been some confusion – especially during the COVID-19 pandemic – about who exactly is covered by HIPAA. The entities required to comply with HIPAA are health plans, healthcare clearinghouses, and healthcare organizations that engage in qualifying electronic transactions (most now do). Business Associates and contractors providing a service to Covered Entities can also violate HIPAA.
The requirement to comply with HIPAA regulations also applies to all workforces of a Covered Entity, Business Associate, or contractor. HIPAA defines a workforce as “employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a Covered Entity or Business Associate, is under the direct control of such Covered Entity or Business Associate, whether or not they are paid by the Covered Entity or Business Associate”.
When potential risks and vulnerabilities are identified, what happens next?
Also under 45 CFR § 164.308(a), covered entities and business associates are required to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level. In order to determine what constitutes a “reasonable and appropriate level”, organizations should take into account (per 45 CFR § 164.306(b)):
- The size, complexity, and capabilities of the organization
- The organization’s technical infrastructure, hardware, and software security capabilities
- The cost of reasonable and appropriate security measures
- The probability and criticality of potential risks to the integrity of ePHI
What does the “criticality of potential risks” mean?
The term criticality of potential risks refers to the scale of injury that might be caused by a HIPAA violation. For example, a cloud storage volume – containing the payment details and Social Security numbers of thousands of patients – left open to the public Internet has the potential to cause more injury than two nurses discussing the treatment options for patient A within earshot of patient B.