According to HIPAA Journal, nearly 20.2 million health care records were breached in the first half of 2022 alone.
To reduce the number of breached records and safeguard protected health information (PHI), it’s paramount that you comply with HIPAA regulations. HIPAA violations can not only damage your reputation and patient trust — they can also result in expensive fines that hurt your bottom line.
We’ll walk you through common HIPAA violations and the penalties they carry, and then look at real cases that show how important it is for organizations to achieve and maintain HIPAA compliance.
What is a HIPAA violation?
The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 to simplify health care administration, prevent fraud, and protect patients’ private medical information.
The US Department of Health and Human Services (HHS) issued rules to help organizations meet the requirements of this framework. These rules are defined below.
- Security Rule: Organizations must have physical, technical, and administrative measures to protect health information.
- Privacy Rule: Organizations can’t share a patient’s personal health information without their knowledge or permission.
- Breach Notification Rule: Organizations must notify affected individuals within 60 days of a data breach.
- Omnibus Rule: Organizations must comply with a patient’s request to access or share their medical records.
- Enforcement Rule: Defines how investigations into complaints and violations are made and how fines and penalties are determined when an organization fails to follow the four rules above.
All covered entities (healthcare providers, health plans, and healthcare clearinghouses) and their business associates must comply with HIPAA regulations, including the five rules above.
Failure to comply with any of the provisions of these rules is a HIPAA violation. In practice, a HIPAA violation is as simple as an employee leaving a client’s medical file on their computer screen while they step away for a cup of coffee.
Common HIPAA violations to avoid
Here are some of the most common HIPAA violations and how to avoid them:
1. Looking at health care records without permission or authorization:
Make sure that patient health records are only accessed for treatment, payment, or health care operations purposes.
2. Not performing an organization-wide risk analysis:
Conduct regular HIPAA risk assessments to find where PHI is vulnerable.
3. Failure to address security risks:
Prioritize addressing any risks that are identified during audits.
4. Denying patients access to their health records:
Provide people with access to their medical records upon request and without delay.
5. Failure to enter into a HIPAA-Compliant Business Associate Agreement:
Ensure any third-party vendors with access to PHI also maintain HIPAA compliance.
6. Insufficient ePHI access control measures:
Make sure that authorized individuals are the only people who can access electronic protected health information (ePHI).
7. Failing to use encryption or equivalent security to safeguard ePHI:
Encryption is not mandatory under HIPAA, but an equivalent security measure must protect ePHI if encryption is not used.
8. Exceeding the 60-day deadline for breach notifications:
If your organization discovers a data breach, you must notify the affected individuals in writing within 60 days.
9. Unauthorized PHI disclosures:
Patients must authorize any sharing of their PHI.
10. Improperly disposing of PHI:
You must securely and permanently destroy PHI when it’s no longer needed.
11. Downloading PHI onto unauthorized devices:
Employees must access PHI only from authorized, secured devices connected to the organization’s network.
12. Sending ePHI to a personal email account:
Make sure that employees are not sending ePHI to their personal email accounts or otherwise removing ePHI from the healthcare facility.
13. Leaving paperwork or devices unattended:
Paperwork and electronic devices containing ePHI must be secured at all times to avoid impermissible disclosures of PHI.
14. Disclosing PHI after the expiry date of an authorization:
If the expiry date of a HIPAA authorization form has passed, you must get a new form to disclose PHI to any individual listed on the original form.
How are violations discovered?
HIPAA violations are often discovered through self-reporting or third-party investigations.
HIPAA-covered organizations conduct internal audits and report any violations they uncover. Employees also self-report HIPAA violations they or their coworkers commit.
The Department of Health and Human Services Office for Civil Rights (OCR) investigates HIPAA complaints. The OCR also conducts periodic audits of HIPAA-covered entities and their business associates. When data breaches occur, OCR investigates cases involving 500 or more records.
State attorneys general may also look into complaints about potential violations.
What are the penalties for HIPAA violations?
There are two types of HIPAA violations: civil and criminal. The penalties can include fines, corrective action plans, or even jail time.
The OCR issues penalties for HIPAA violations. These range in severity based on the nature of the offense and the knowledge the offender had of the violation. A HIPAA violation can involve as little as a single person’s PHI.
While less common, state attorneys general can also penalize HIPAA-covered entities.
Civil penalties are usually issued in cases where the offender was unaware they were committing a HIPAA violation.
The civil penalties fall into four ranges:
- A minimum $100 fine if an individual was unaware that they were violating HIPAA rules, with a maximum of $25,000 per year
- A minimum $1,000 fine if an individual had reasonable cause for their actions and was not “willfully neglectful,” with a maximum of $100,000 per year
- A minimum $10,000 fine if an individual acted with willful neglect but worked to fix the issue afterward, with a maximum of $250,000 per year
- A minimum $50,000 fine if an individual acted with willful neglect and failed to fix the issue afterward, with a maximum of $1.5 million per year
Criminal penalties are usually issued in cases where individuals knowingly obtain or use PHI without permission.
Criminal HIPAA violations and penalties fall under three tiers:
- Tier 1: Deliberately obtaining and disclosing PHI without authorization — up to one year in jail and a $50,000 fine
- Tier 2: Obtaining PHI under false pretenses — up to five years in jail and a $100,000 fine
- Tier 3: Obtaining PHI for personal gain or with malicious intent — up to 10 years in jail and a $250,000 fine
5 HIPAA violation examples to learn from
In recent years, there have been several newsworthy examples of HIPAA violations. Even in instances of unintentional HIPAA violations, the consequences can be severe. Here are five disastrous HIPAA violation cases and the lessons we can learn from each.
An insurance company is fined $6.85 million for a data breach
In 2020, the OCR investigated a health insurance provider after hackers obtained the PHI of nearly 10.5 million individuals.
The hackers gained access to the provider’s computer system with a phishing email that installed malware. The malware gave the group access to ePHI, which remained undetected for 9 months.
OCR’s investigation uncovered “systemic noncompliance” with the HIPAA Rules. According to OCR, the organization failed to:
- Conduct a comprehensive and accurate risk analysis to identify threats to the confidentiality, integrity, and availability of ePHI.
- Reduce risks and vulnerabilities to ePHI to a reasonable and appropriate level.
- Implement sufficient hardware, software, and procedures to record and analyze activity related to information systems containing ePHI.
- Prevent unauthorized access to the ePHI of over 10 million individuals.
The OCR fined the company $6.85 million for violating the HIPAA Security Rule. The company also settled a multi-state lawsuit for $10 million and a class action lawsuit for $74 million.
Lessons to learn:
- Conduct thorough risk assessments on a regular basis.
- Use encryption or similar security measures to protect private health data.
An imaging company violates multiple HIPAA rules
In 2018, the FBI discovered that one of the servers of a Tennessee-based medical imaging services company was accessible on the internet. Anyone could access and view the PHI of over 300,000 individuals with a simple search.
The company did not notify the affected individuals until 147 days after the discovery.
For violating the Breach Notification Rule, the company was ordered to pay $3 million in penalties and adopt a corrective action plan.
Lessons to learn:
- Notify affected individuals within 60 days of data breach discoveries.
- Organizations are responsible for ensuring that their vendors (such as a server host) also uphold HIPAA compliance standards.
A city fails to implement HIPAA privacy policies
In 2017, a city reported a data breach after a terminated employee used their login credentials to access a work computer and copy ePHI data onto a USB drive.
OCR determined that the city had failed to protect HIPAA privacy in several ways. The city had not deactivated the former employee’s login credentials at the time of their termination. Employees also were not given unique login credentials to identify their system activity and interactions with ePHI.
The organization also failed to perform a risk assessment to identify the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.
As a result of these failures, the city paid over $200,000 in financial penalties and agreed to a corrective action plan.
Lessons to learn:
- Maintain tight controls over who can access sensitive information.
- Conduct comprehensive risk analyses.
- Issue unique IDs to monitor ePHI activity.
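The two control failures in this case, credentials left active after termination and accounts not tied to one individual, can both be checked from an ePHI access log. The following Python example is added here and is not from the article or any HIPAA product; the log format, usernames, workstation names and timestamps are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample data (hypothetical): HR offboarding records mapping a
# username to the UTC time the account should have been deactivated.
TERMINATIONS = {
    "jdoe": datetime(2017, 3, 1, 17, 0, tzinfo=timezone.utc),
}

# Constructed ePHI application log: "<UTC timestamp> <user> <workstation> <action> <detail>"
ACCESS_LOG = """\
2017-02-28T09:12:00Z jdoe WS-12 open_record patient=P1001
2017-03-01T16:45:00Z jdoe WS-12 open_record patient=P1002
2017-03-03T22:10:00Z jdoe WS-07 export_records count=412 dest=USB
2017-03-03T22:11:00Z nurse1 WS-03 open_record patient=P1003
2017-03-03T22:12:00Z nurse1 WS-09 open_record patient=P1004
"""


def parse_line(line):
    """Split one log line into a dict with a timezone-aware timestamp."""
    ts, user, host, action, *rest = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": when, "user": user, "host": host, "action": action,
            "detail": " ".join(rest)}


def post_termination_access(log_text, terminations):
    """Return events where a terminated account was used after its cutoff time.

    Any hit means offboarding did not deactivate the credentials in time."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        cutoff = terminations.get(ev["user"])
        if cutoff is not None and ev["ts"] > cutoff:
            hits.append(ev)
    return hits


def shared_credential_use(log_text, window_seconds=300):
    """Return usernames seen on two different workstations within window_seconds.

    A person rarely moves machines that fast, so this points at a shared login
    that cannot be traced back to one individual."""
    last_seen = {}
    flagged = set()
    for line in log_text.splitlines():
        ev = parse_line(line)
        prev = last_seen.get(ev["user"])
        if prev and prev["host"] != ev["host"] \
                and (ev["ts"] - prev["ts"]).total_seconds() <= window_seconds:
            flagged.add(ev["user"])
        last_seen[ev["user"]] = ev
    return sorted(flagged)
```

On the constructed log this flags the post-termination `export_records` event for `jdoe` and the `nurse1` account as shared; in practice the termination list would come from the HR system and the log from the ePHI application.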
A health system discloses PHI in a press release
In 2015, a health system issued a press release in response to a police incident involving a patient. In the press release, the hospital system included the patient’s name.
The OCR determined this was an intentional failure to protect the patient’s rights to privacy. As a result, the OCR ordered the health system to pay a $2.4 million fine.
Lessons to learn:
- PHI cannot be disclosed without patient authorization.
- The penalties can be astronomical for a single non-compliance incident.
A health system commits multiple HIPAA violations for years
In 2015, the OCR opened an investigation into a nonprofit academic health system after a reporter shared a photograph on social media that included a patient's medical information.
The investigation uncovered multiple HIPAA violations over several years, including:
- An employee accessed and sold more than 24,000 patients’ records.
- The health system failed to provide timely breach notification to OCR – a requirement under HIPAA – and to restrict employees' access to patient data.
- The health system reported that it had lost paper records of over 750 patients in 2012 but did not report the total affected patients until 2016.
The OCR fined the hospital system $2.15 million for its failure to detect the theft and sale of patient records, failure to notify OCR of lost patient records, and failure to protect PHI that was leaked to the media.
Lessons to learn:
- Properly secure PHI to prevent data leaks.
- Maintain systems to ensure PHI is only accessed by authorized employees for appropriate purposes.
- When data breaches occur, notify the OCR and affected individuals as soon as possible.
How to avoid HIPAA violations
HIPAA violations are often due to carelessness or ignorance of HIPAA laws. Employers can avoid a lot of potential headaches by providing adequate HIPAA training for their employees.
For any employees who handle PHI, a few other simple ways to avoid HIPAA violations include:
- Never share passwords or login credentials
- Never leave portable devices unattended
- Never send SMS text messages containing PHI
- Don’t throw out PHI in the trash
- Don’t share ePHI on social media
- Don’t access patient records without a valid purpose
- Don’t take medical records with you when changing jobs
- Report potential HIPAA infractions
How to simplify HIPAA compliance with Secureframe
HIPAA non-compliance isn’t an option for organizations that handle protected health information. Still, it’s not easy keeping up with evolving technology and regulatory changes.
Secureframe makes it quick and easy to achieve HIPAA compliance by simplifying the process into a few key steps.
With one platform you can reduce your risk of HIPAA violations by:
- Creating HIPAA privacy and security policies
- Training employees on HIPAA requirements and best practices
- Keeping track of vendors with access to PHI
- Ensuring your business associates protect PHI
- Elevating and monitoring your HIPAA safeguards
Secureframe will enable you to focus on growing your business. Get in touch to learn how you can automate your HIPAA compliance today.
What are the types of HIPAA violations?
There are two types of HIPAA violations: civil and criminal. Civil penalties are usually issued in cases where the offender was unaware they were committing a HIPAA violation and can include fines and corrective action plans. Criminal penalties are usually issued in cases where individuals knowingly obtain or use PHI without permission and can include fines, corrective action plans, and jail time.
What qualifies as a HIPAA violation?
Failure to comply with any provisions of the HIPAA Security, Privacy, Breach Notification, Enforcement, or Omnibus Rule qualifies as a HIPAA violation. All of the following qualify as HIPAA violations:
- any unauthorized access, use, or disclosure of PHI
- failure to provide patients with access to their PHI
- lacking safeguards to protect PHI
- failure to conduct regular risk assessments
- providing insufficient training to employees on HIPAA rules
It's important to understand that certain actions can qualify as HIPAA violations, even if no patient harm occurs. For example, if an employee left a client’s medical file on their computer screen while stepping away for a cup of coffee, that would qualify as a HIPAA violation.
How do HIPAA violations affect patients?
That depends on the violation. If a HIPAA violation results in the exposure of millions of PHI records, this could significantly affect patients. They may lose trust in your healthcare facility and go elsewhere, or they may experience identity theft as a result of the data exposure.
How can you tell if an organization is in violation of HIPAA?
Your compliance strategy should start with a thorough self-audit. This will help you identify any areas where your organization could be vulnerable to HIPAA non-compliance.
Failing to address any issues you discover is a HIPAA violation. Your next step should be putting together a comprehensive remediation plan. This plan should be documented and include a timeline for addressing compliance gaps.
Is encryption mandatory under HIPAA?
Encryption is not mandatory, but organizations that do not implement encryption must document the reasons why. One reason may be that they’ve implemented another security measure that’s equally as effective at protecting ePHI when being stored and transmitted.
What are the penalties for violating HIPAA?
The penalties for violating HIPAA can vary significantly depending on factors such as the nature of the violation, whether the covered entity or business associate knew or should have known about the violation, and whether the violation was due to willful neglect. HIPAA penalties are divided into different tiers, reflecting the severity and nature of the violation:
Tier 1: Unawareness
The covered entity or business associate was unaware of the violation and could not have realistically avoided it with a reasonable amount of care.
Penalty range: $100 to $50,000 per violation, with an annual maximum of $1.5 million for identical violations.
Tier 2: Reasonable Cause
The violation had a reasonable cause and was not due to willful neglect. This means the entity knew or by exercising reasonable diligence would have known that the act or omission was a violation, but the entity did not act with willful neglect.
Penalty range: $1,000 to $50,000 per violation, with an annual maximum of $1.5 million for identical violations.
Tier 3: Willful Neglect-Corrected
The violation was due to willful neglect, but the entity corrected the violation within the required time period (generally 30 days from when the entity knew or should have known about the violation).
Penalty range: $10,000 to $50,000 per violation, with an annual maximum of $1.5 million for identical violations.
Tier 4: Willful Neglect-Not Corrected
The violation was due to willful neglect and was not corrected in a timely manner.
Penalty: $50,000 per violation, with an annual maximum of $1.5 million for identical violations.
In addition to these civil monetary penalties, criminal penalties can also be imposed for certain offenses, such as obtaining or disclosing PHI knowingly and in violation of the rules, or under false pretenses. Criminal penalties can range from fines up to $250,000 and imprisonment for up to ten years, depending on the severity of the wrongdoing.
It's also important to note that these penalties are per violation, and multiple violations can lead to substantial cumulative penalties. Entities found in violation of HIPAA may also be required to undertake corrective actions to remedy the violations, which can include implementing new policies and procedures, staff training, and making significant changes to their operations and IT infrastructure.