The Most Common HIPAA Violations You Should Avoid
The most common HIPAA violations that have resulted in financial penalties are:
- Snooping on Healthcare Records
- Failure to Perform an Organization-Wide Risk Analysis
- Failure to Manage Security Risks / Lack of a Risk Management Process
- Denying Patients’ Access to Health Records/Exceeding Timescale for Providing Access
- Failure to Enter into a HIPAA-Compliant Business Associate Agreement
- Insufficient ePHI Access Controls
- Failure to Use Encryption or an Equivalent Measure to Safeguard ePHI on Portable Devices
- Exceeding the 60-Day Deadline for Issuing Breach Notifications
- Impermissible Disclosures of Protected Health Information
- Improper Disposal of PHI
All the above HIPAA violations have resulted in settlements with covered entities and their business associates over the past few years. The settlements pursued by the Department of Health and Human Services’ Office for Civil Rights (OCR) are for egregious violations of HIPAA Rules. Settlements are also pursued to highlight common HIPAA violations to raise awareness of the need to comply with specific aspects of HIPAA Rules.
What are the 10 Most Common HIPAA Violations?
Listed below are 10 of the most common HIPAA violations, together with examples of HIPAA-covered entities and business associates that have been discovered to be in violation of HIPAA Rules and have had to settle those violations with OCR and state attorneys general. In many cases, investigations have uncovered multiple HIPAA violations. The settlement amounts reflect the seriousness of the violation, the length of time the violation has been allowed to persist, the number of violations identified, and the financial position of the covered entity/business associate.
Snooping on Healthcare Records
Accessing the health records of patients for reasons other than those permitted by the Privacy Rule is a violation of patient privacy. Snooping on healthcare records of family, friends, neighbors, co-workers, and celebrities is one of the most common HIPAA violations committed by employees. When discovered, these violations can result in termination of employment but could also result in criminal charges for the employee concerned. Financial penalties for healthcare organizations that have failed to prevent snooping are relatively uncommon, but they are possible – as the University of California Los Angeles Health System discovered.
University of California Los Angeles Health System was fined $865,000 for failing to restrict access to medical records. The healthcare provider was investigated following the discovery that a physician had accessed the medical records of celebrities and other patients without authorization. Dr. Huping Zhou accessed the records of patients without authorization 323 times after learning that he would soon be dismissed. Dr. Zhou became the first healthcare employee to be jailed for a HIPAA violation and was sentenced to four months in federal prison.
Failure to Perform an Organization-Wide Risk Analysis
The failure to perform an organization-wide risk analysis is one of the most common HIPAA violations to result in a financial penalty. If the risk analysis is not performed regularly, organizations will not be able to determine whether any vulnerabilities to the confidentiality, integrity, and availability of PHI exist. Risks are therefore likely to remain unaddressed, leaving the door wide open for violations to occur.
HIPAA settlements with covered entities for the failure to conduct an organization-wide risk assessment include:
- Premera Blue Cross– $6,850,000 settlement for risk analysis and risk management failures, and other potential HIPAA violations
- Excellus Health Plan – $5,100,000 settlement for risk analysis and risk management failures, and other potential HIPAA violations
- Oregon Health & Science University– $2.7 million settlement for the lack of an enterprise-wide risk analysis.
- Cardionet – $2.5 million settlement for an incomplete risk analysis and lack of risk management processes.
- Cancer Care Group – $750,000 settlement for the failure to conduct an enterprise-wide risk analysis.
- Lahey Hospital and Medical Center – $850,000 settlement for the failure to conduct an organization-wide risk assessment and other HIPAA violations.
- Steven A. Porter, M.D – $100,000 penalty for risk analysis and risk management failures.
Failure to Manage Security Risks / Lack of a Risk Management Process
Performing a risk analysis is essential, but it is not just a checkbox item for compliance. Risks that are identified must then be subjected to a risk management process. They should be prioritized and addressed in a reasonable time frame. Knowing about risks to PHI and failing to address them one of the most common HIPAA violations penalized by the Office for Civil Rights.
HIPAA settlements with covered entities for the failure to manage identified risks include:
- Alaska Department of Health and Social Services – $1.7 million penalty for the failure to perform risk analysis and risk management failures.
- University of Massachusetts Amherst (UMass) – $650,000 penalty for risk management failures.
- Metro Community Provider Network – $400,000 penalty for risk management failures.
Denying Patients Access to Health Records/Exceeding Timescale for Providing Access
The HIPAA Privacy Rule gives patients the right to access their medical records and obtain copies on request. This allows patients to check their records for errors and share them with other entities and individuals. Denying patients access to health records, overcharging for copies, or failing to provide records within 30 days is a violation of HIPAA. OCR made HIPAA Right of Access violations one of its key enforcement objectives in late 2019.
HIPAA settlements with covered entities for denying patients access to their records or unnecessary delays in providing access include:
- Great Expressions Dental Center of Georgia, P.C. – $80,000 penalty for excessive charges for a copy of PHI and delay in providing records.
- Cignet Health of Prince George’s County – $4,300,000 penalty for denying patients access to their medical records.
- Banner Health – $200,000 penalty for the delayed response to a patient’s request for a copy of their medical records.
- Dignity Health, dba St. Joseph’s Hospital and Medical Center – $160,000 penalty for a delayed response to a patient’s request for a copy of their medical records.
- NY Spine – $100,000 penalty for the delayed response to a patient’s request for a copy of their medical records.
- Beth Israel Lahey Health Behavioral Services – $70,000 penalty for the delayed response to a patient’s request for a copy of their medical records.
- University of Cincinnati Medical Center – $65,000 penalty for the delayed response to a patient’s request for a copy of their medical records.
- Housing Works Inc – $38,000 penalty for the delayed response to a patient’s request for a copy of their medical records.
- Peter Wrobel, M.D., P.C., dba Elite Primary Care – $36,000 penalty for a delayed response to a patient’s request for a copy of their medical records.
- Riverside Psychiatric Medical Group – $25,000 penalty for a delayed response to a patient’s request for a copy of their medical records.
- Dr. Rajendra Bhayani – $15,000 penalty for the delayed response to a patient’s request for a copy of their medical records.
- All Inclusive Medical Services Inc – $15,000 penalty for the delayed response to a patient’s request for a copy of their medical records.
- Wise Psychiatry, PC – $10,000 penalty for the delayed response to a patient’s request for a copy of their medical records.
- King MD – $3,500 penalty for the delayed response to a patient’s request for a copy of their medical records.
- OCR Announces 11 Enforcement Actions – One CMP and 10 settlements were announced by OCR in July 2021 to resolve Right of Access violations.
Failure to Enter into a HIPAA-Compliant Business Associate Agreement
The failure to enter into a HIPAA-compliant business associate agreement with all vendors that are provided with or given access to PHI is another of the most common HIPAA violations. Even when business associate agreements are held for all vendors, they may not be HIPAA compliant, especially if they have not been revised after the Omnibus Final Rule.
Notable settlements for these common HIPAA violations include:
- Raleigh Orthopedic Clinic, P.A. of North Carolina – $750,000 settlement for the failure to execute a HIPAA-compliant business associate agreement.
- North Memorial Health Care of Minnesota – $1.55 million settlement for failing to enter into a BAA with a major contractor and other HIPAA violations.
- Care New England Health System– $400,000 settlement for the failure to update business associate agreements
Insufficient ePHI Access Controls
The HIPAA Security Rule requires covered entities and their business associates to limit access to ePHI to authorized individuals. The failure to implement appropriate ePHI access controls is also one of the most common HIPAA violations and one that has attracted several financial penalties.
Financial penalties issued to covered entities for ePHI access control failures include:
- Anthem Inc. – $16,000,000 penalty for access control failures and other serious HIPAA violations.
- Memorial Healthcare System – $5,500,000 penalty for insufficient ePHI access controls.
- Texas Department of Aging and Disability Services – $1,600,000 penalty for risk analysis failures, access control failures, and information system monitoring failures.
- University of California Los Angeles Health System – $865,500 penalty for the failure to restrict access to medical records.
- Pagosa Springs Medical Center – $111,400 penalty for the failure to terminate access to ePHI after an employee termination and a lack of a business associate agreement.
Failure to Use Encryption or an Equivalent Measure to Safeguard ePHI on Portable Devices
One of the most effective methods of preventing data breaches is to encrypt PHI. Breaches of encrypted PHI are not reportable security incidents unless the key to decrypt data is also accessed. Encryption is not mandatory under HIPAA Rules, but it cannot be ignored. If the decision is taken not to use encryption, an alternative, equivalent security measure must be used in its place.
Recent settlements for the failure to safeguard PHI include:
- Children’s Medical Center of Dallas – $3.2 million civil monetary penalty for failing to take action to address known risks, including the failure to use encryption on portable devices.
- Catholic Health Care Services of the Archdiocese of Philadelphia– $650,000 settlement for the failure to use encryption, the failure to conduct an enterprise-wide risk analysis, and to manage risks.
- Lifespan Health System Affiliated Covered Entity – $1,040,000 penalty for the failure to encrypt data and implement appropriate device and media controls, resulting in the impermissible disclosure of 20,431 patients’ ePHI
Exceeding the 60-Day Deadline for Issuing Breach Notifications
The HIPAA Breach Notification Rule requires covered entities to issue notifications of breaches without unnecessary delay, and certainly no later than 60 days following the discovery of a data breach. Exceeding that time frame is one of the most common HIPAA violations, which has seen several recent penalties issued:
- Oklahoma State University Center for Health Sciences – $875,000 settlement for delayed breach notifications to individuals and the HHS, and to resolve 5 other HIPAA violations.
- Presence Health – $475,000 settlement for delaying the issuing of breach notifications by a month.
- CoPilot Provider Support Services Inc. – $130,000 settlement with NY Attorney General for delayed breach notifications.
Impermissible Disclosures of Protected Health Information
Any disclosure of protected health information that is not permitted under the HIPAA Privacy Rule can attract a financial penalty. This violation category includes disclosing PHI to a patient’s employer for a purpose not permitted by the Privacy Rule, potential disclosures following the theft or loss of unencrypted laptop computers, careless handling of PHI, disclosing PHI unnecessarily, not adhering to the ‘minimum necessary’ standard, and disclosures of PHI after patient authorizations have expired.
Settlements for impermissible disclosures of PHI include:
- Dr. U. Phillip Igbinadolor, D.M.D. & Associates, P.A. – $50,000 civil monetary penalty for impermissible disclosures of PHI on social media websites
- Northcutt Dental-Fairhope – $62,500 settlement for unauthorized use of PHI for marketing, insufficient notice of privacy practices, and no HIPAA Privacy Officer
- New Vision Dental – $23,000 settlement for disclosing PHI in responses to patient reviews on the Yelp review platform
- Memorial Hermann Health System – $2.4 million settlement for disclosing a patient’s PHI in a press release.
- New York Presbyterian Hospital – $2,200,000 penalty for filming patients without consent.
- Massachusetts General Hospital– $515,000 penalty for filming patients without consent.
- Luke’s-Roosevelt Hospital Center – $387,000 settlement for careless handling of PHI/Disclosure of a patient’s HIV status to their employer.
- Brigham and Women’s Hospital– $384,000 penalty for filming patients without consent.
- Boston Medical Center – $100,000 penalty for filming patients without consent.
Improper Disposal of PHI
When physical PHI and ePHI are no longer required and retention periods have expired, HIPAA Rules require the information to be securely and permanently destroyed. For paper records this could involve shredding or pulping and for ePHI, degaussing, securely wiping, or destroying the electronic devices on which the ePHI is stored to prevent impermissible disclosures.
Financial penalties issued to covered entities for improper disposal of PHI/ePHI include:
- New England Dermatology and Laser Center – $300,640 penalty for disposing of empty specimen containers with regular trash, exposing the PHI of 58,106 individuals over 10 years.
- Parkview Health – $800,000 penalty for the failure to securely dispose of paper records containing PHI.
- Cornell Prescription Pharmacy – $125,000 penalty for the improper disposal of PHI.
- FileFax Inc. – $100,000 penalty for a defunct business over improper disposal of medical records.
Non-Financial HIPAA Violation Examples
HIPAA violations do not always result in financial penalties. Many violations of HIPAA investigated by OCR are resolved by guidance, technical assistance, and/or a corrective action plan depending on the nature of the violation and the harm caused, the covered entity’s previous history of violations, and their willingness to cooperate with an OCR investigation.
Because violations resolved by guidance, technical assistance, and/or a corrective action plan rarely attract headlines, some of the work done by OCR to promote compliance with HIPAA can be overlooked. However, as of March 2022, OCR has investigated and resolved 29,478 cases without issuing a financial penalty. Non-financial HIPAA violation examples include:
- A hospital was required to implement new minimum necessary policies for telephone messages after an employee left a telephone message with the daughter of a patient that detailed both her medical condition and treatment plan.
- A mental health center was required to correct its process for providing Notices of Privacy Practices prior to an intake assessment after the center failed to provide the father of a minor patient with an NPP prior to a mental health evaluation.
- A covered entity was required to withdraw a $100 “records review fee” charged to a patient for providing the patient with copies of his medical records. Under the Privacy Rule, covered entities are only allowed to charge a reasonable cost-based fee.
- A private practice was required to implement policies on the verbal communication of PHI after a staff member discussed HIV testing procedures with a patient in the practice´s waiting room – thereby disclosing PHI to others in the waiting room.
- A radiology practice was required to revise its processes for workers´ compensation disclosures after a patient´s imaging tests were sent to the patient´s employer to support a claim for which the employer´s program was not responsible for payment.
- A health plan was required to correct a flaw in its computer system, review transactions for a six-month period, and correct corrupted patient information after PHI was included in an explanation of benefits letter mailed to an unauthorized family member.
Examples of HIPAA Violations by Healthcare Employees
Snooping on healthcare records is a fairly obvious HIPAA violation and one that all healthcare employees who have received HIPAA training should know is a violation of their employer’s policies and HIPAA Rules.
Other examples of HIPAA violations often come about as a result of misunderstandings about HIPAA requirements. While each of these common HIPAA violations affect far fewer numbers of patients than the above violations, they can still cause a significant amount of harm to the patient(s) involved and their employer. They can also result in disciplinary action against the employee responsible – including termination.
Listed below are some of the common HIPAA violations committed by healthcare employees. These common HIPAA violations should be covered as part of the HIPAA training given to employees to raise awareness to these frequent areas of noncompliance.
Emailing ePHI to Personal Email Accounts and Removing PHI from a Healthcare Facility
It can be difficult to find the time to complete all the necessary tasks within working hours and it can be tempting to take work home to complete. Removing protected health information from a healthcare facility places that information at risk of exposure. This is a common employee HIPAA violation and may even be routine practice at a healthcare facility that is understaffed. That does not mean it is an acceptable practice.
The same applies to emailing ePHI to personal email accounts. Regardless of the intentions, whether it is to get help with spreadsheets, complete work at home to get ahead for the next day, or to catch up on a backlog, it is a violation of HIPAA Rules. Further, any emailing of ePHI to a personal email account could be considered theft – the repercussions of which could be far more severe than termination of an employment contract.
Leaving Portable Electronic Devices and Paperwork Unattended
The HIPAA Security Rule requires PHI and ePHI to be secured at all times. If paperwork is left unattended it could be viewed by an unauthorized individual, be that a member of staff, patient, or visitor to the healthcare facility. Were that to happen it would be considered an impermissible disclosure of PHI.
Electronic devices that contain ePHI must similarly be secured at all times. Electronic devices are portable and valuable. Opportunistic thieves could easily steal an unattended device and gain access to ePHI. There have been many cases of healthcare employees removing unencrypted devices from healthcare facilities, only for them to be stolen from vehicles or homes. Theft can also easily occur within a healthcare facility if devices are not secured. Healthcare employees must ensure that their employer’s policies are followed, and HIPAA Rules are not violated by leaving devices and paperwork unattended.
Releasing Patient Information to an Unauthorized Individual
An authorization form must be obtained from a patient before any of their PHI can be disclosed to a third party for a purpose other than one expressly permitted by the HIPAA Privacy Rule. Disclosing PHI for purposes other than treatment, payment for healthcare, or healthcare operations (and limited other cases) is a HIPAA violation if authorization has not been received from the patient in advance.
Healthcare employees must ensure that, prior to disclosing PHI to a third party, authorization has been obtained from the patient and information is not disclosed to any individual or company not included on the authorization form. Authorization forms are only valid if they have been signed by the patient or their nominated representative.
Releasing Patient Information Without Authorization
In a similar vein to the previous point, healthcare employees must also exercise caution about the types of information that are released to third parties, even if an authorization form has been received allowing a specific individual, company, or organization to receive PHI.
The authorization form should include what types of information have been authorized to be released. Any information not detailed on the authorization form must remain private and confidential and should not be shared. The disclosure of additional information would violate the HIPAA Privacy Rule.
Disclosures of PHI to Third Parties After the Expiry of an Authorization
All HIPAA authorization forms must include the names or classes of individuals who are being authorized to receive PHI, the types of PHI that will be disclosed, and the reasons for the disclosures. They must also include an expiry date for the authorization.
PHI must not be disclosed to any individual listed on the authorization form after the expiry date has passed, even if authorization has previously been given to that entity to receive PHI. A new authorization form is required before any further disclosure takes place. It should also be noted that an authorization form without an expiry date is not HIPAA compliant.
Impermissible Disclosures of Patient Health Records
The HIPAA Privacy Rule permits patients to obtain a copy of their health records on request or have their records provided to a nominated third party such as a personal representative or other individual. If not collected in person by the patient, the third party must have been given authorization by the patient – on a HIPAA authorization form – to receive the records before they can be released.
Prior to providing copies of patient health records, healthcare employees must verify the identity of the patient or the person collecting the records and must ensure records are only released to an individual authorized to receive them. Care must also be taken to ensure that the correct patient’s records are released.
Downloading PHI onto Unauthorized Devices
It can be difficult for healthcare IT departments to keep track of all devices that connect to the network, given how many different devices have network access. Ensuring those devices are secured can be an even bigger problem, yet this is a requirement for HIPAA compliance.
Employees need to be aware that there are privacy and security risks associated with downloading ePHI to unauthorized portable electronic devices. Not only does this increase the risk of an accidental disclosure of ePHI – in the event that the device is lost or stolen – it could also be viewed as theft and a HIPAA violation.
Providing Unauthorized Access to Medical Records
It is the responsibility of the covered entity to ensure that access to patient health information and medical records is only given to authorized individuals. This is achieved by implementing access controls via unique logins.
Employees have a responsibility to ensure that they do not give access to health information to co-workers who many not have the same access rights. The sharing of login credentials could not only result in an impermissible disclosure of ePHI, any actions taken by that employee would be attributed to the individual whose login credentials were used to gain access.
Actual Examples of HIPAA Violations by Employees
There are not very many examples of HIPAA violations by employees because most are dealt with internally according to the organization´s sanction policy. However, in a few cases, employees´ contracts are terminated and examples of HIPAA violations by employees are brought to the attention of the outside world. The following is a small selection of those we have reported on:
In May 2013, Dianna Hereford was terminated from her position of staff nurse at the Norton Audubon Hospital for improperly disclosing the condition of a patient with Hepatitis C. Hereford claimed she was wrongfully dismissed for an incidental disclosure; but her claim was dismissed by Jefferson Circuit Court and by Kentucky´s Court of Appeals when she appealed the decision.
In March 2017, an employee of New Jersey-based BioReference Laboratories was terminated from their position for failing to securely dispose of documents containing the PHI of 1,772 patients. Rather than following the company´s policy for disposing of PHI, which involved shredding the documents before disposing of them, the employee threw the documents into a dumpster.
Also in 2017, an employee of Lowell General Hospital in Massachusetts was fired for snooping on the healthcare records of 769 patients. As mentioned above, snooping on healthcare records is one of the most common HIPAA violations; but whereas it normally impacts patients who are known to the employee, this was an extreme example of a HIPAA violation by an employee.
Are Data Breaches HIPAA Violations?
Data breaches are now a fact of life. Even with multi-layered cybersecurity defenses, data breaches are still likely to occur from time to time. OCR understands that healthcare organizations are being targeted by cybercriminals and that it is not possible to implement impregnable security defenses.
Being HIPAA compliant is not about making sure that data breaches never happen. HIPAA compliance is about reducing risk to an appropriate and acceptable level. Just because an organization experiences a data breach, it does not mean the breach was the result of a HIPAA violation.
The OCR breach portal now reflects this more clearly. Many data breaches are investigated by OCR and are found not to involve any violations of HIPAA Rules. Consequently, the investigations are closed without any action being taken.
How are HIPAA Violations Discovered?
HIPAA violations can continue for many months, or even years, before they are discovered. The longer they are allowed to persist, the greater the penalty will be when they are eventually discovered. It is therefore important for HIPAA-covered entities to conduct regular HIPAA compliance reviews (this is required by the HIPAA law) to make sure HIPAA violations are discovered and corrected before they are identified by regulators.
There are three main ways that HIPAA violations are discovered:
- Investigations into a data breach by OCR (or state attorneys general)
- Investigations into complaints about covered entities and business associates
- HIPAA compliance audits
Even when a data breach does not involve a HIPAA violation, or a complaint proves to be unfounded, OCR may uncover unrelated HIPAA violations that could warrant a financial penalty.
What does it mean to “reduce risk to an appropriate and acceptable level”?
What reducing risk to an appropriate and acceptable level means is that, when potential risks and vulnerabilities are identified, Covered Entities and Business Associates have to decide what measures are reasonable to implement according to the size, complexity, and capabilities of the organization, the existing measures already in place, and the cost of implementing further measures in relation to the likelihood of a data breach and the scale of injury it could cause.
How is it possible to prevent employees snooping on healthcare records?
To prevent employees snooping on healthcare records, Covered Entities should implement a program of training, ensure access privileges comply with the Minimum Necessary Standard, activate audit logs, and enforce sanctions. It is also important that employees are made aware during HIPAA training that, although many cases of healthcare snooping are attributable to curiosity rather than malicious intent, all cases of healthcare snooping are HIPAA violations.
If encryption is not mandatory, how can it be a HIPAA violation if records are unencrypted?
Although encryption is not mandatory, it can be a HIPAA violation if records are unencrypted and no other measure that is equally as effective has been implemented. Encryption is an addressable implementation specification of the Security Rule. This means organizations can only avoid implementing the requirement if it is not reasonable and appropriate in the circumstances, or if an alternative security measure is equally as effective. If organizations fail to encrypt records, they have to document the reasons why.
Why was the fine for denying patients access to health records so high?
The fine for denying patients access to health records was so high in the event mentioned in the article because, in this particular case, the non-cooperation of the Covered Entity contributed to the size of the fine (you can read about the case here). Since this case, the CMS´ Meaningful Use program has evolved into the Promoting Interoperability program, and – in addition to being sanctioned for a HIPAA violation – any covered entity failing to provide health records in a timely manner could now also lose a percentage of their Medicare payments.
What are the consequences of accessing a patient chart without reason?
The consequences of accessing a patient chart without reason vary depending on the reason for the impermissible access and the organization´s sanctions policy. If it was an employee’s first violation and no harm was caused by the violation, it is likely the employee will receive a warning and have to undergo additional training. If the violation was a repeat offence, caused harm to the patient or organization, and was done with malicious intent, the likely consequences are termination of contract, a report to a licensing authority, and the possible involvement of law enforcement.
Are HIPAA violations common?
Nobody knows if HIPAA violations are common because, although HHS´ Office for Civil Rights publishes an “Enforcement Highlights” webpage, the statistics on this page only relate to reports and complaints received by the agency. HIPAA violations can also be reported to the Centers for Medicare and Medicaid (CMS), the Federal Trade Commission (FTC), State Attorneys General, the Covered Entity at which the HIPAA violation occurred, or not reported at all.
How do HIPAA violations affect patients?
HIPAA violations affect patients in different ways depending on the nature of the violation. If a hospital has failed to enter into a Business Associate Agreement with a company that provides data analysis services, the violation will not affect patients at all. Conversely, if a HIPAA violation results in the exposure of patients’ personal information, which is then used to conduct identity theft, this will significantly affect patients. Therefore, there is no one-size-fits-all answer to this question.
What are examples of HIPAA violations?
In addition to the examples of HIPAA violations listed above, Covered Entities can violate HIPAA by failing to comply with the Administrative Requirements of HIPAA. These include the Transaction, Code Sets, and Identifier Standards published by the Department of Health and Human Services; and although Covered Entities are not fined for violations of this nature, they can be excluded from the Medicare program by CMS – which will substantially affect their income.
What is considered a HIPAA violation by the Federal Trade Commission?
An event considered a HIPAA violation by the Federal Trade Commission (FTC) is a failure to comply with the Breach Notification Rule by an organization that has access to PHI, but which does not qualify as a Covered Entity or Business Associate – for example, vendors of Personal Health Records.
Organizations that are not Covered Entities or Business Associates do not have to comply with the Privacy or Security Rule, but they do have to comply with the Breach Notification Rule; and the failure to notify individuals and the FTC of a data breach is considered a HIPAA violation by the FTC – which has the authority to issue substantial fines for non-compliance.
What counts as a HIPAA violation by employees?
What counts as a HIPAA violation by employees is the failure to comply with employers’ HIPAA-related policies and procedures – provided employees have received adequate training on the policies and procedures. In such cases, the employee will be subject to the sanctions listed in their employer’s sanctions policy (verbal warning, written warning, suspension, termination, etc.).
Employees can also violate HIPAA by knowingly and wrongfully disclosing PHI. In such cases, employers are required to notify HHS´ Office for Civil Rights, who will refer the case to the Department of Justice. If there is evidence of criminal wrongdoing, the Department of Justice can pursue fines of up to $250,000 for HIPAA violations by employees and custodial sentences of up to ten years.
What constitutes a HIPAA violation by Business Associates?
What constitutes a HIPAA violation by Business Associates is the failure to comply with any parts of the Security Rule, the requirement to notify Covered Entities of any security incident (not only breaches of unsecured ePHI), or any other requirement stipulated in a Business Associate Agreement.
Generally, Business Associates are required to comply with all the Security Rule and several sections of the Breach Notification Rule. Additionally, depending on the service they provide for or on behalf of a Covered Entity – and the content of Business Associate Agreements – Business Associates may also be required to comply with parts of the Administrative Requirements and the Privacy Rule.
What are the 3 types of HIPAA violations?
There are many “3 types of HIPAA violations”. For example, there are criminal, civil, and accidental violations of HIPAA; Privacy Rule, Security Rule, and Breach Notification Rule violations of HIPAA; and violations of HIPAA reportable to the Centers for Medicare and Medicaid (CMS), HHS´ Office for Civil Rights, and the Federal Trade Commission.
Is it possible for there to be an intentional but acceptable HIPAA violation?
It is possible for there to be an intentional but acceptable HIPAA violation, but only when HHS’ Office for Civil Rights issues a Notice of Enforcement Discretion. These Notices allow Covered Entities to intentionally violate certain HIPAA provisions in certain circumstances for the period of time a Notice of Enforcement Discretion is in force.
It is important to be aware that disclosing PHI in an emergency situation to a Covered Entity with whom no treatment relationship exists is not an intentional but acceptable HIPAA violation. This scenario is permitted by §164.510 of the Privacy Rule provided that any PHI disclosed is limited and relevant to an individual´s care.
Who is responsible for most common HIPAA violations?
It is not known who is responsible for most common HIPAA violations because it is highly likely most common HIPAA violations are reported to the organization where the violation occurred and this information is not released into the public domain. Additionally, Business Associates are required to report “security incidents” to Covered Entities who then notify affected individuals and HHS’ Office for Civil Rights if the security incident constitutes a breach of unsecured PHI.
Why are there no examples of HIPAA violations by employers?
There are no examples of HIPAA violations by employers because employers are not Covered Entities under HIPAA. Even if a healthcare organization qualifies as a Covered Entity, it is not required to comply with HIPAA in its role as an employer – just in its role as a healthcare organization.
An exception to this explanation exists if an employer administers a self-sponsored health plan. However, because this is a rare scenario – and because employers in this situation are only subject to partial compliance – there are no examples of HIPAA violations by employers publicly reported.
What are the consequences of accessing a patient chart without reason?
The consequences of accessing a patient chart without reason depend on multiple factors. If the person who accessed the chart was a member of a Covered Entity’s workforce, if they did not have authorization to access the chart, and if they had received training on the Covered Entity’s policies, the event is a violation of the Covered Entity’s policies.
Therefore, the consequences of accessing a patient chart without reason depend on the content of the Covered Entity’s sanctions policy. This may mean the person is given a verbal warning and required to undergo refresher training; or, if the person has received previous verbal warnings, the consequences could be a written warning, final warning, or termination of contract.
What are HIPAA violations?
HIPAA violations are the failure to comply with the provisions and implementation specifications of the HIPAA Administrative Simplification provisions (45 CFR Parts 160,162, and 164). Most HIPAA violations are civil incidents committed by Covered Entities and Business Associates. It is rare that an individual violates HIPAA because individuals are most often members of a Covered Entity’s or Business Associate’s workforce and subject to their employer’s policies.
Are all violations of HIPAA resolved by financial penalties?
Very few violations of HIPAA are resolved by financial penalties. In most cases, violations of HIPAA are resolved by voluntary compliance, technical assistance, or corrective action plans. However, these “secondary” resolutions also have a financial cost in terms of revising policies and procedures, implementing safeguards, retraining members of the workforce, and other business disruptions.
Are lost medical records a HIPAA violation?
Lost medical records are a HIPAA violation – even if the records are subsequently found – because there has been a failure to ensure the availability of PHI when the records were lost. Additionally, while the medical records were lost, they may have been viewed or altered by an unauthorized person, so there has also been a failure to ensure the confidentiality and integrity of PHI.
What is considered a HIPAA violation punishable by a custodial sentence?
A HIPAA violation punishable by a custodial sentence is considered to be when a person knowingly and wrongfully obtains or discloses individually identifiable health information without authorization. Depending on the motive and whether the act was committed under false pretenses, the person can be fined up to $250,000 and given a custodial sentence of up to ten years.
Who can violate HIPAA?
Who can violate HIPAA is limited to Covered Entities, Business Associates, and members of their workforces. If an organization is not a Covered Entity or Business Associate, or an individual is not a member of either’s workforce, it is not possible to violate HIPAA because HIPAA will not apply to the organization/individual.
What is a HIPAA violation of the Breach Notification Rule?
A HIPAA violation of the Breach Notification Rule is the failure to comply with any provision of 45 CFR 164 Subpart D when Protected Health Information has been acquired, accessed, used, or disclosed in a manner not permitted by the Privacy Rule, and the impermissible acquisition, access, use, or disclosure compromises the security or privacy of the Protected Health Information.
Is it a HIPAA violation to say someone is in the hospital?
It can be a HIPAA violation to say someone is in the hospital, but only in a limited number of circumstances. For example, the person making the statement must be a member of a Covered Entity’s workforce, the statement must be made to somebody with whom there is no direct treatment or familial relationship, and when the subject of the statement has not been given an opportunity to object to the statement being made.
Is inappropriate access to medical records a HIPAA violation example or a HIPAA breach example?
Inappropriate access to medical records is certainly a HIPAA violation example regardless of who the individual accessing the medical records is. Whether or not it constitutes a HIPAA breach example depends on whether the inappropriate access compromises the security or privacy of the Protected Health Information maintained in the medical records.
Is there a list of HIPAA violations?
There is no list of HIPAA violations because many HIPAA violations are reported to the organization at which they occurred, and they never become public knowledge. What you can find a list of is a list of HIPAA data breaches affecting more than 500 individuals that have been reported to HHS’ Office for Civil Rights. This list can be found on the HHS’ Breach Report web page.
Can you sue someone for disclosing medical information?
You cannot sue someone for disclosing medical information under HIPAA because HIPAA has no private right of action. However, if you believe someone has disclosed your medical information – and because of the disclosure you have suffered harm – you may be able to file a civil action under a state law. Because some states have privacy and security laws that include a private right or action and others don´t, it is best to seek legal advice from a local attorney.
How can I find out who has accessed my medical records?
You can find out who has accessed your medical records by requesting an Accounting of Disclosures from your healthcare provider. The healthcare provider has to reply to your request within 30 days and provide you with a list of every time you’re your medical records have been accessed for uses other than those permitted by the Privacy Rule (i.e., treatments, payments, etc.).
Who can access my medical records without my permission?
Your medical records can be accessed without your permission by any member of a Covered Entity’s or Business Associate’s workforce provided they have the authority to access your records and the reason why they are accessing your medical records is permitted by the Privacy Rule. If your medical records are accessed by somebody without the authority to do so, or for a reason not permitted by the Privacy Rule, this would be a violation of HIPAA.
Can a family member violate HIPAA?
A family member can violate HIPAA if, for example, they are also your dentist and they disclose your health information impermissibly. However, if the family member is not a member of the medical profession – or a member of a Covered Entity´s or Business Associate’s workforce – it is not possible for them to violate HIPAA because only Covered Entities, Business Associates, and members of their workforces are required to comply with HIPAA.