HIPAA violation cases are very common, despite increased enforcement efforts. While we often speak about how to avoid violating HIPAA and the need to introduce HIPAA compliant procedures and behaviors among employees, it is important to be aware of the consequences that can follow HIPAA violations. Generally, HIPAA violation cases are investigated and pursued by the Department of Health and Human Services’ Office for Civil Rights (OCR). These investigations can arise following reports of violations submitted by employees or patients, or as a result of data breaches being reported to OCR. In some cases, state attorneys general or even the Department of Justice may conduct their own investigations.
Recent years have seen an increase in the number of HIPAA violation cases that have led to monetary penalties. Many of these have been in the form of settlements. As of the end of January 2018, the Department of Health and Human Services had received over 173,000 complaints of HIPAA violations. Almost 170,000 of these cases have been resolved by the OCR. While only 53 cases have resulted in fines or settlements, as opposed to over 25,000 that were resolved through corrective action or technical assistance, the total amount healthcare organizations have paid out exceeds $75 million, or an average of around $1.5 million per financial resolution.
As the OCR investigates all manner of organizations, from national chains to private clinics, such a penalty could have a serious impact or even completely close a business.
Most Common Issues
The most frequent reported violations OCR investigates are:
- Impermissible uses and disclosures of protected health information
- Lack of safeguards of protected health information
- Lack of patient access to their protected health information
- Lack of administrative safeguards of electronic protected health information
- Use or disclosure of more than the minimum necessary protected health information
Recent Violation Cases
Some recent violations highlighted on the OCR website include a defunct company’s receiver having to pay a settlement, a medical services company paying millions following breaches, and a breach of a single patient’s PHI leading to a settlement of almost $400,000.
Filefax, a company that stored, maintained, and delivered medical records for HIPAA covered entities, was closed down while an OCR investigation was underway. A receiver was appointed to liquidate the assets. The OCR’s investigation concluded that PHI had been handled carelessly: it had been left in an unlocked vehicle, transported by unauthorized individuals, and left unsecured outside of a Filefax facility. These offenses constitute impermissible disclosures and affected 2,150 people.
Due to these actions, even though the company was no longer in operation, the receiver of the company has agreed to pay a $100,000 settlement and has undertaken to dispose of PHI that still exists at the Filefax facility in a HIPAA compliant manner.
Fresenius Medical Care North America (FMCNA), which runs a network of dialysis facilities, outpatient cardiac and vascular labs, and urgent care centers, has agreed to pay a settlement of $3.5 million following breaches at five of its facilities. During the OCR’s investigation, it was found that FMCNA “failed to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of its ePHI” and that it “impermissibly disclosed the ePHI of patients by providing unauthorized access for a purpose not permitted by the Privacy Rule”.
FMCNA must implement a corrective action plan to remedy the many problems in addition to paying the monetary settlement. Both the FMCNA and Filefax settlements were announced in February 2018, and their amounts can be added to the $75 million in monetary penalties mentioned above.
St. Luke’s-Roosevelt Hospital Center Inc. received a strong reminder of the importance of correctly transmitting PHI following a breach that affected a single individual. The OCR ruled that one of St. Luke’s entities had “impermissibly faxed the patient’s PHI to his employer rather than sending it to the requested personal post office box”. The records sent contained “sensitive information concerning HIV status, medical care, sexually transmitted diseases, medications, sexual orientation, mental health diagnosis, and physical abuse”. The investigation also found that a related breach had previously occurred but the issue had not been adequately addressed by the compliance program aimed at preventing such impermissible disclosures. St. Luke’s settled the case for $387,200.
Common HIPAA Violations
Here we have included ten of the most frequently observed HIPAA violations:
- Illegally Sharing Protected Health Information: Sharing PHI that is not permitted under the HIPAA Privacy Rule will result in a HIPAA fine if it is ever discovered.
- Healthcare Record Snooping: Snooping on healthcare records of family, friends, neighbors, co-workers, and celebrities is one of the most common HIPAA violations committed by employees. If a healthcare worker accesses a patient’s PHI for reasons other than those allowed as per the Privacy Rule it is classified as a HIPAA violation.
- No Group-Wide Risk Analysis Completed: Risks will remain unaddressed, leaving the door wide open to hackers, unless an organization-wide risk analysis is completed, as per HIPAA regulations. Not doing this is one of the most common HIPAA violations and leads to a fine.
- No Risk Management Process in Place: Risks must be listed and then put through a risk management process. Once identified these risks must be prioritized and mitigated in a reasonable time frame. It will be deemed a HIPAA violation if a group is aware of a risk and still fails to address it.
- Issuing Breach Notifications Beyond the 60-day Limit: Sending notifications of breaches later than 60 days after a breach has been identified is not in line with the HIPAA Breach Notification Rule and considered a violation of HIPAA.
- Not Completing Patients’ Access Requests within the Time Limits: Once a request is submitted, patients must be given copies of their health records within 30 days. It is also a HIPAA violation to overcharge for copies.
- No Completed HIPAA-Compliant Business Associate Agreement: It is a violation if there is no HIPAA-compliant business associate agreement completed with all partners accessing PHI.
- Lack of Proper ePHI Access Controls: The failure to implement appropriate ePHI access controls is one of the most common HIPAA violations and is a breach of the HIPAA Security Rule.
- Portable Devices Storing PHI with no Encryption or an Equivalent Measure Enabled: Encryption is not mandatory under HIPAA Rules. However, if the decision is taken not to implement it then a different, equivalent, security measure must be implemented in its stead. Failing to do so is considered a HIPAA violation.
- Not Disposing of PHI Legally: HIPAA Rules require PHI to be safely and permanently destroyed once it is no longer required and the retention period has come to an end.
The Importance of Compliance
As can be seen from these three recent cases, HIPAA violations have real impacts for covered entities as well as for individuals. Simple mistakes, such as faxing PHI instead of sending it by letter, can have dire consequences. On a larger scale, failing to design and implement the correct procedures can impact an entire network of healthcare facilities and its patients. Even disposing of PHI must be done correctly – the Filefax case revolved around PHI being transported and left at a shredding and recycling facility.
Risk assessments, training, and awareness of HIPAA Rules must all be high and recurring priorities for HIPAA covered entities. If not, they risk finding out the hard way what OCR Director Roger Severino stated following the Filefax case: “OCR is committed to enforcing HIPAA.”