The Health Insurance Portability and Accountability Act – or HIPAA – is a piece of legislation that is largely enforced by the United States’ Department of Health and Human Services’ Office for Civil Rights, but what types of incidents does it investigate, and what is a HIPAA violation? HIPAA compliance has evolved over the years due to amendments and additions to the original Act and the introduction of further legislation governing the healthcare industry. HIPAA violations can take many forms and may result from organizational procedures, individual mistakes, or more malicious activities. In this article, we examine what a HIPAA violation is, who is responsible, and what consequences can follow a violation.
What is a HIPAA Violation?
Put simply, a HIPAA violation is an act or an occurrence that goes against the required standards or practices set forth in the text of the Act. Included in this definition are events or behaviors that violate the HIPAA Security Rule, the HIPAA Privacy Rule, the HIPAA Breach Notification Rule, or the HIPAA Final Omnibus Rule.
While the full text of all HIPAA regulations is well over a hundred pages long and many different acts or omissions could constitute a HIPAA violation, a number of these are seen again and again. The most common HIPAA violations include:
- Impermissible disclosures of protected health information (PHI)
- Unauthorized accessing of PHI
- Improper disposal of PHI
- Failure to conduct a risk analysis
- Failure to manage risks to the confidentiality, integrity, and availability of PHI
- Failure to implement safeguards to ensure the confidentiality, integrity, and availability of PHI
- Failure to maintain and monitor PHI access logs
- Failure to enter into a HIPAA-compliant business associate agreement with vendors prior to giving access to PHI
- Failure to provide patients with copies of their PHI on request
- Failure to implement access controls to limit who can view PHI
- Failure to terminate access rights to PHI when access is no longer necessary
- The disclosure of more PHI than is necessary for a particular task to be performed – breach of the Minimum Necessary Standard
- Failure to train employees on HIPAA Rules or the failure to provide security awareness training
- Theft of patient records
- Unauthorized release of PHI to individuals not authorized to receive the information
- Sharing of PHI online or via social media without permission
- Mishandling and incorrect sending of PHI
- Texting PHI
- Failure to encrypt PHI or use an alternative, equivalent measure to prevent unauthorized access/disclosure
- Failure to notify an individual (or the Office for Civil Rights) of a security incident involving PHI within 60 days of the discovery of a breach
- Failure to document compliance efforts
In recent years, the Office for Civil Rights (OCR) has issued guidance for specific events to help Covered Entities and Business Associates determine whether a HIPAA violation has occurred. For example, in May 2017, OCR provided guidance on reporting ransomware attacks.
Who is Responsible for HIPAA Violations?
While final responsibility for a HIPAA violation is often determined by the OCR, HIPAA covered entities often realize violations have occurred when performing internal audits. Action can be taken internally to correct these violations, and they need to be reported to the OCR within a certain time period depending on the scale of the violation. State attorneys general and the OCR have the power to investigate breaches or violations that are reported to them by healthcare employees, patients, or other individuals. Larger scale breaches are also examined by the OCR.
While organizations may be found liable for violating HIPAA through a lack of appropriate safeguards, training, or procedures, individuals such as nurses or administrative employees may be deemed responsible for other types of violations where PHI is inappropriately shared or disclosed. Criminal violations of HIPAA, where there is malicious intent behind the violation, may be investigated by the United States’ Department of Justice, which may find individuals or covered entities responsible.
What are the Consequences of HIPAA Violations?
HIPAA violations can lead to hefty financial sanctions and even custodial sentences. Penalties are normally scaled by the severity of the incident and the perceived degree of negligence shown by the responsible entity or person. There are four penalty tiers, and the penalty escalates from one tier to the next as the scale of the violation and the negligence of the responsible party increase.
To give some examples, a tier one breach may occur if a very sophisticated hack was able to bypass HIPAA-compliant security measures. It is not likely to carry a heavy penalty, as there is little more that could reasonably have been done to avoid the violation. The organization may be unaware of the violation and could not have known about it despite exercising due diligence.
On the other hand, a disgruntled employee actively copying or recording PHI with the intention of committing healthcare fraud could face very severe consequences, as this is a willful, malicious, and continuous violation. It could be an example of a tier three or tier four violation: willful neglect of HIPAA Rules with or without an effort to correct the violation within 30 days of discovery.
As noted above, sanctions depend on the determination of severity and negligence. State attorneys general may impose financial penalties of up to $25,000 per violation category per year. The OCR itself is authorized to issue fines of up to $1.5 million per violation category per year. Individuals can face custodial sentences of up to 10 years.