
Who Enforces HIPAA + How To Make Sure Your Business Is Compliant
According to HIPAA Journal, nearly 20.2 million health care records were breached in the first half of 2022 alone.
To reduce the number of breached records and safeguard protected health information (PHI), it’s paramount that you implement HIPAA regulations. HIPAA violations can not only damage your reputation and patient trust — they can also result in expensive fines that hurt your bottom line.
We’ll walk you through common HIPAA violations and the penalties they carry. We’ll also review cases that show how important it is for organizations to achieve and maintain HIPAA compliance.
The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 to simplify health care administration, prevent fraud, and protect patients’ private medical information.
The US Department of Health and Human Services (HHS) issued rules to help organizations meet the requirements of this framework. These rules are defined below.
All covered entities (healthcare providers, health plans, and healthcare clearinghouses) and their business associates must comply with HIPAA regulations, including the five rules above.
Failure to comply with any of the provisions of these rules is a HIPAA violation. In practice, a HIPAA violation is as simple as an employee leaving a client’s medical file on their computer screen while they step away for a cup of coffee.
Here are some of the most common HIPAA violations and how to avoid them:
1. Looking at health care records without permission or authorization:
Make sure that patient health records are only accessed for treatment, payment, or health care operations purposes.
2. Not performing an organization-wide risk analysis:
Conduct regular HIPAA risk assessments to find where PHI is vulnerable.
3. Failure to address security risks:
Prioritize addressing any risks that are identified during audits.
4. Denying patients access to their health records:
Provide people with access to their medical records upon request and without delay.
5. Failure to enter into a HIPAA-Compliant Business Associate Agreement:
Ensure any third-party vendors with access to PHI also maintain HIPAA compliance.
6. Insufficient ePHI access control measures:
Make sure that authorized individuals are the only people who can access electronic protected health information (ePHI).
7. Failing to use encryption or equivalent security to safeguard ePHI:
Encryption is not mandatory under HIPAA, but an equivalent safeguard must protect ePHI.
8. Exceeding the 60-day deadline for breach notifications:
If your organization discovers a data breach, you must notify the affected individuals in writing within 60 days.
9. Unauthorized PHI disclosures:
Patients must authorize any sharing of their PHI.
10. Improperly disposing of PHI:
You must securely and permanently destroy PHI when it’s no longer needed.
11. Downloading PHI onto unauthorized devices:
Employees must access PHI only from authorized, secured devices that are connected to the organization’s network.
12. Sending ePHI to a personal email account:
Make sure that employees are not sending ePHI to their personal email accounts or otherwise removing ePHI from the healthcare facility.
13. Leaving paperwork or devices unattended:
Paperwork and electronic devices containing ePHI must be secured at all times to avoid impermissible disclosures of PHI.
14. Disclosing PHI after the expiry date of an authorization:
If the expiry date of a HIPAA authorization form has passed, you must get a new form to disclose PHI to any individual listed on the original form.
HIPAA violations are often discovered through self-reporting or third-party investigations.
HIPAA-covered organizations conduct internal audits and report any violations they uncover. Employees also self-report HIPAA violations they or their coworkers commit.
The Department of Health and Human Services Office for Civil Rights (OCR) investigates HIPAA complaints. The OCR also conducts periodic audits of HIPAA-covered entities and their business associates. When data breaches occur, OCR investigates cases involving 500 or more records.
State attorneys general may also look into complaints about potential violations.
There are two types of HIPAA violations: civil and criminal. The penalties can include fines, corrective action plans, or even jail time.
The OCR issues penalties for HIPAA violations. These range in severity based on the nature of the offense and the offender’s knowledge of the violation. A HIPAA violation can involve as little as a single person’s PHI.
While less common, state attorneys general can also penalize HIPAA-covered entities.
Civil penalties are usually issued in cases where the offender was unaware they were committing a HIPAA violation.
The penalties range from:
Criminal penalties are usually issued in cases where individuals knowingly obtain or use PHI without permission.
Criminal HIPAA violations and penalties fall under three tiers:
In recent years, there have been several newsworthy examples of HIPAA violations. Even in instances of unintentional HIPAA violations, the consequences can be severe. Here are five disastrous HIPAA violation cases and the lessons we can learn from each.
In 2020, the OCR investigated a health insurance provider after hackers obtained the PHI of nearly 10.5 million individuals.
The hackers gained access to the provider’s computer system through a phishing email that installed malware. The malware gave the group access to ePHI, and the intrusion remained undetected for 9 months.
OCR’s investigation uncovered “systemic noncompliance” with the HIPAA Rules. According to OCR, the organization failed to:
The OCR fined the company $6.85 million for violating the HIPAA Security Rule. The company also settled a multi-state lawsuit for $10 million and a class action lawsuit for $74 million.
Lessons to learn:
In 2018, the FBI discovered that one of the servers of a Tennessee-based medical imaging services company was accessible on the internet. Anyone could access and view the PHI of over 300,000 individuals with a simple search.
The company did not notify the affected individuals until 147 days after the discovery.
For violating the Breach Notification Rule, the company was ordered to pay $3 million in penalties and adopt a corrective action plan.
Lessons to learn:
In 2017, a city reported a data breach after a terminated employee used their login credentials to access a work computer and copy ePHI data onto a USB drive.
OCR determined that the city had failed to safeguard ePHI as HIPAA requires in several ways. The city had not deactivated the former employee’s login credentials at the time of their termination. Employees also were not given unique login credentials that would identify their system activity and interactions with ePHI.
The organization also failed to perform a risk assessment to identify the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.
As a result of these failures, the city paid over $200,000 in financial penalties and agreed to a corrective action plan.
Lessons to learn:
In 2015, a health system issued a press release in response to a police incident involving a patient. The press release included the patient’s name.
The OCR determined this was an intentional failure to protect the patient’s rights to privacy. As a result, the OCR ordered the health system to pay a $2.4 million fine.
Lessons to learn:
In 2015, the OCR opened an investigation into a nonprofit academic health system after a reporter shared a photograph on social media that included a patient's medical information.
The investigation uncovered multiple HIPAA violations over several years, including:
The OCR fined the hospital system $2.15 million for its failure to detect the theft and sale of patient records, failure to notify OCR of lost patient records, and failure to protect PHI that was leaked to the media.
Lessons to learn:
HIPAA violations are often due to carelessness or ignorance of HIPAA laws. Employers can avoid a lot of potential headaches by providing adequate HIPAA training for their employees.
For any employees who handle PHI, a few other simple ways to avoid HIPAA violations include:
Encryption is not mandatory, but organizations that do not implement encryption must document the reasons why. One acceptable reason is that they’ve implemented another security measure that is equally effective at protecting ePHI in storage and in transit.
That depends on the violation. If a HIPAA violation results in the exposure of millions of PHI records, this could significantly affect patients. They may lose trust in your healthcare facility and go elsewhere, or they may experience identity theft as a result of the data exposure.
Your compliance strategy should start with a thorough self-audit. This will help you identify any areas where your organization could be vulnerable to HIPAA non-compliance.
Failing to address any issues you discover is a HIPAA violation. Your next step should be putting together a comprehensive remediation plan. This plan should be documented and include a timeline for addressing compliance gaps.
HIPAA non-compliance isn’t an option for organizations that handle protected health information. Still, it’s not easy keeping up with evolving technology and regulatory changes.
Secureframe makes it quick and easy to achieve HIPAA compliance by simplifying the process into a few key steps.
With one platform you can make sure you’re not subject to HIPAA violations by:
Secureframe will enable you to focus on growing your business. Get in touch to learn how you can automate your HIPAA compliance today.