What is a HIPAA Violation?

A HIPAA violation refers to any unauthorized use, disclosure, or breach of protected health information (PHI) that violates the privacy and security provisions outlined in the Health Insurance Portability and Accountability Act (HIPAA), compromising the confidentiality, integrity, or availability of individuals’ sensitive healthcare information. HIPAA is a piece of legislation that is largely enforced by the United States Department of Health and Human Services’ Office for Civil Rights, but what types of incident does that office investigate, and what exactly is a HIPAA violation? HIPAA compliance has evolved over the years due to amendments and additions to the original Act, and the introduction of further legislation governing the healthcare industry. HIPAA violations can take many forms and may be the result of organizational procedures, individual mistakes, or more malicious activities. In this article, we will examine and try to explain what a HIPAA violation is, who is responsible, and what consequences can follow a violation.

What is a HIPAA Violation?

Put simply, a HIPAA violation is an act or an occurrence that goes against the required standards or practices set forth in the text of the Act. Included in this definition are events or behaviors that violate the HIPAA Security Rule, the HIPAA Privacy Rule, the HIPAA Breach Notification Rule, or the HIPAA Final Omnibus Rule.

While the full text of all HIPAA regulations runs to well over a hundred pages and many different acts or omissions could constitute a HIPAA violation, a number of them are seen again and again. The most common HIPAA violations include:

  • Impermissible disclosures of PHI
  • Unauthorized accessing of PHI
  • Improper disposal of PHI
  • Failure to conduct a risk analysis
  • Failure to manage risks to the confidentiality, integrity, and availability of PHI
  • Failure to implement safeguards to ensure the confidentiality, integrity, and availability of PHI
  • Failure to maintain and monitor PHI access logs
  • Failure to enter into a HIPAA-compliant business associate agreement with vendors prior to giving access to PHI
  • Failure to provide patients with copies of their PHI on request
  • Failure to implement access controls to limit who can view PHI
  • Failure to terminate access rights to PHI when access is no longer necessary
  • The disclosure of more PHI than is necessary for a particular task to be performed (a breach of the Minimum Necessary Standard)
  • Failure to train employees on HIPAA Rules or the failure to provide security awareness training
  • Theft of patient records
  • Unauthorized release of PHI to individuals not authorized to receive the information
  • Sharing of PHI online or via social media without permission
  • Mishandling and incorrect sending of PHI
  • Texting PHI
  • Failure to encrypt PHI or use an alternative, equivalent measure to prevent unauthorized access/disclosure
  • Failure to notify an individual (or the Office for Civil Rights) of a security incident involving PHI within 60 days of the discovery of a breach
  • Failure to document compliance efforts

In recent years, the Office for Civil Rights (OCR) has issued guidance for specific events to help Covered Entities and Business Associates determine whether a HIPAA violation has occurred. For example, in May 2017, OCR provided guidance on reporting ransomware attacks.

Types of HIPAA Violations

One common type of HIPAA violation is the unauthorized use or disclosure of PHI. This occurs when individuals access or share PHI without proper authorization. Examples of unauthorized access to PHI include healthcare employees accessing patient records without a legitimate reason or individuals accessing PHI for personal gain. Improper disclosure of PHI can happen when healthcare professionals share patient information with unauthorized individuals or entities, such as disclosing PHI on social media platforms or in public forums.

Another significant HIPAA violation is the failure to implement appropriate safeguards to protect PHI. HIPAA requires covered entities to establish administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of PHI. Lack of administrative safeguards can involve the absence of written policies and procedures, inadequate training for employees, or failure to conduct risk assessments. Insufficient physical safeguards may include inadequate security measures to protect physical records, such as lack of locked cabinets or unauthorized access to storage areas. Inadequate technical safeguards can encompass issues like weak passwords, lack of encryption for electronic communications, or failure to install necessary security updates.

Maintaining patient confidentiality is a fundamental principle of healthcare, and a breach of patient confidentiality is a significant HIPAA violation. This violation can occur in various ways, such as the mishandling of patient records. It may involve leaving patient records unattended, improperly disposing of paper records, or failing to secure electronic systems. Unauthorized sharing of patient information is another breach of confidentiality, where healthcare professionals disclose patient information to unauthorized individuals or entities without proper consent or legal justification.

HIPAA requires covered entities to promptly notify individuals affected by a breach of their PHI. Failure to comply with breach notification requirements is a serious violation. The requirements for breach notification include notifying affected individuals without unreasonable delay, providing specific information about the breach, and offering guidance on how individuals can protect themselves. Failing to notify individuals of a breach can lead to further harm to those affected, loss of trust, and potential legal action.

Who is Responsible for HIPAA Violations?

While final responsibility for a HIPAA violation is often determined by the OCR, HIPAA covered entities often realize violations have occurred when performing internal audits. Action can be taken internally to correct these violations, and they need to be reported to the OCR within a certain time period depending on the scale of the violation. State attorneys general and the OCR have the power to investigate breaches or violations that are reported to them by healthcare employees, patients, or other individuals. Larger-scale breaches are also examined by the OCR.

While organizations may be found liable for violating HIPAA through lack of appropriate safeguards, training, or procedures, individuals such as nurses or administrative employees may be deemed responsible for other types of violations where PHI is inappropriately shared or disclosed. Criminal violations of HIPAA, where there is malicious intent behind the violation, may be investigated by the United States Department of Justice, which may find individuals or covered entities responsible.

What are the Consequences of HIPAA Violations?

HIPAA violations can lead to hefty financial sanctions and even custodial sentences. Penalties are normally scaled to the severity of the incident and the perceived degree of negligence shown by the responsible entity or person. There are four penalty tiers, with penalties escalating with the scale of the violation and the negligence of the responsible party.

To give some examples, a tier one violation may occur if a very sophisticated hack was able to bypass HIPAA-compliant security measures. It is not likely to carry a heavy penalty, as there is little more that could reasonably have been done to avoid the violation. The organization may be unaware of the violation and could not have known about it despite exercising due diligence.

On the other hand, a disgruntled employee actively copying or recording PHI with the intention of committing healthcare fraud could face very severe consequences, as this is a willful, malicious, and continuous violation. It could be an example of a tier three or tier four violation: willful neglect of HIPAA Rules, with or without an effort to correct the violation within 30 days of discovery.

As noted above, sanctions depend on the determination of severity and negligence. State attorneys general may impose financial penalties of up to $25,000 per violation category per year. The OCR itself is authorized to issue fines of up to $1.5 million per violation category per year. Individuals can face custodial sentences of up to 10 years.