HIPAA violation cases remain very common, despite increased awareness of HIPAA compliance, enforcement actions by the Office for Civil Rights (OCR), and the ever-improving availability of cybersecurity solutions. What is most alarming about the number of HIPAA violation cases is that the majority of cases are avoidable.
In 2019, Gartner forecast that "through 2025, 99% of cloud security failures will be the customer's fault". In 2020, Verizon's Data Breach Investigations Report revealed that more than 80% of data breaches attributable to hacking can be traced back to successful brute force attacks against weak passwords and the theft of login credentials via phishing emails. Yet by mid-June 2021, more than 1 in 20 U.S. adults had been the victim of a healthcare data breach.
What these statistics show is that the training provided by many HIPAA covered entities and business associates is not effective. Employees continue to make mistakes that expose protected health information (PHI) through carelessness or, in some cases, unknowingly because they are unaware that they are violating provisions of the HIPAA Rules. The risk of employees violating HIPAA can be reduced by providing effective training, and one of the most important ways to reduce accidental HIPAA violations is to improve awareness of the most common HIPAA violations.
Common HIPAA Violations
Here we have listed ten of the most frequently observed HIPAA violations, all of which have been discovered by regulators and have resulted in financial penalties for the covered entity. In some cases, the violations were so severe that they were referred to the Department of Justice and resulted in criminal charges and jail time for healthcare employees.
- Illegally sharing Protected Health Information: Sharing PHI for purposes not permitted under the HIPAA Privacy Rule without first obtaining authorization from a patient.
- Healthcare record snooping: Snooping on the healthcare records of family, friends, neighbors, co-workers, and celebrities is one of the most common HIPAA violations committed by employees.
- No comprehensive risk analysis conducted: If a comprehensive, organization-wide risk analysis is not conducted, risks to PHI will undoubtedly remain unaddressed and could easily result in a data breach or privacy violation. This is one of the most commonly cited HIPAA violations in enforcement actions by the HHS’ Office for Civil Rights.
- No risk management process in place: Once identified through the risk analysis, risks must be analyzed, prioritized, and mitigated within a reasonable time frame.
- Issuing breach notifications beyond the 60-day limit: Breach notifications must be sent as soon as possible after a breach of PHI is discovered, but no later than 60 days from the discovery of the breach.
- Not providing patients with timely access to their medical records: Once a request is received, patients must be given access to their health records in 30 days or less.
- No HIPAA-compliant business associate agreement: All vendors whose products or services involve access to PHI must enter into a business associate agreement that explains their rights and responsibilities with respect to HIPAA and PHI.
- No encryption or equivalent protections for portable devices storing PHI: Encryption is not mandatory under the HIPAA Rules; however, if the decision is taken not to implement encryption, then a different, equivalent security measure must be implemented in its place.
- Not disposing of PHI correctly: The HIPAA Rules require PHI to be securely and permanently destroyed when it is no longer required and the minimum retention period has come to an end.
- Inadequate ePHI access controls: The failure to implement appropriate access controls to prevent unauthorized access to PHI is one of the most common violations of the HIPAA Security Rule.
These common HIPAA violations can be avoided by ensuring an effective HIPAA compliance program is in place and employees are provided with regular HIPAA and security awareness training. It is not possible to prevent all data breaches and HIPAA violations by employees, but it is possible to reduce risk to a low and acceptable level. OCR will consider the efforts covered entities have put into compliance in HIPAA violation cases, and penalties will likely reflect covered entities' efforts to prevent data breaches and mitigate their impact.
HIPAA Financial Penalties
HIPAA violation cases are initiated by OCR and state Attorneys General. These investigations often start with complaints from individuals whose privacy has been violated or when their rights under HIPAA have been denied. OCR also investigates data breaches reported under the Breach Notification Rule to determine if they were the result of HIPAA violations. HIPAA violations may also be discovered during compliance reviews and HIPAA audits.
In the last few years there has been a surge in HIPAA violation cases that have resulted in financial penalties. Financial penalties are imposed when there have been serious violations of the HIPAA Rules. In many cases, this is due to negligence by the HIPAA covered entity, where little or no effort has been made to comply with the HIPAA Rules.
OCR has increased the number of penalties imposed for violations of single provisions of the HIPAA Rules. For instance, between September 2019 and May 2021, 19 financial penalties were imposed for violations of the HIPAA Right of Access. Most of those financial penalties were imposed on small and mid-sized healthcare providers, and the cases started with a complaint from a single patient who had not been provided with timely access to their medical records.
Some of the recent HIPAA violation cases where penalties have been imposed are listed below. These HIPAA violation cases, and many others, could have easily been avoided by implementing an effective compliance program and by training all employees on their responsibilities under HIPAA:
- New York Presbyterian Hospital settled a HIPAA breach case for $2.2m involving patients being filmed without authorization.
- St. Luke's-Roosevelt Hospital Center settled a HIPAA violation case for $387,000 that involved careless handling of PHI: the unauthorized sharing of a patient's HIV status with their employer.
- Memorial Hermann Health System agreed to a $2.4m HIPAA settlement for impermissibly sharing a patient’s PHI in a press release.
- Massachusetts General Hospital and Brigham and Women’s Hospital were fined $515,000 and $384,000 respectively for filming patients without consent.
- Parkview Health paid a HIPAA penalty of $800,000 for not securely disposing of paper records containing PHI.
- Sharp HealthCare was fined $70,000 for failing to provide a patient with a copy of the requested medical records within 30 days.
- The City of New Haven, CT, was fined $202,400 for HIPAA failures including the lack of a risk analysis, a failure to terminate access rights to PHI, and not issuing unique IDs to all employees to allow system activity to be tracked.
Why HIPAA Training is Important for Compliance
As can be seen from these recent cases, HIPAA violations have a major impact on covered entities and on the individuals affected. Even small mistakes by healthcare workers can have major consequences. Identifying and implementing the best possible HIPAA training course will help to address these risks. In the unfortunate event that a HIPAA breach still occurs, OCR will recognize that adequate efforts were made to train employees on their responsibilities under HIPAA.
HIPAA training should have the highest priority for all covered entities that wish to treat HIPAA seriously and avoid the financial and reputational damage that can result from HIPAA violations.