The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 to simplify the administration of healthcare, curb careless handling of health information, reduce healthcare fraud, and ensure that employees do not lose health coverage while between jobs. The Act contains hundreds of provisions, which is understandably overwhelming for anyone who has to wade through them and make sense of them.

Unfortunately, there are many ways to violate one or more of the 115 pages of rules in the Act. According to HIPAA Journal, however, a handful of violations show up again and again, so it is worth knowing at least the most common ones. In no particular order, they are:

  • Failing to document compliance efforts
  • Theft of patient records
  • Failing to notify affected individuals of a breach of protected health information (PHI) within 60 days of discovering the breach
  • Mishandling PHI, including texting it or sharing it online, including via social media
  • Failing to encrypt PHI or to apply some other safeguard against unauthorized access or disclosure
  • Failing to train employees or provide awareness training on HIPAA rules
  • Failing to conduct a risk analysis
  • Improper disposal of PHI
  • Failing to sign a HIPAA-compliant business associate agreement with vendors or other third parties before giving them access to PHI
  • Failing to terminate access to data when that access is no longer required
  • Failing to maintain and monitor logs of PHI access
  • Unauthorized access of PHI

Throughout, the term PHI should be read to include electronic PHI (ePHI) as well. And there are many, many more rules than those listed above to review and decipher. The bottom line is that an organization's people are responsible for reviewing the rules, interpreting them, understanding them to the best of their ability, and complying with them, or facing serious consequences for failing to protect patients' privacy. In practice, that means making PHI as hard to reach for an attacker as possible. Perhaps more importantly, it means running a comprehensive, ongoing awareness training program that keeps staff up to date on the latest threats and on how to respond to them.

The penalties for violating HIPAA rules can be significant, and they can come from state attorneys general as well as from the Department of Health and Human Services' Office for Civil Rights (OCR). OCR is the primary investigator and enforcer of HIPAA complaints and violations; state attorneys general can also investigate breaches. Penalties sought by state attorneys general can reach $25,000 per violation category per calendar year. OCR has more leeway and can impose up to $1.5 million per violation category per year, and multi-million dollar penalties can be and have been issued in some cases. At the time of writing, the two largest on record were settlements of roughly $5.5 million each: one with Advocate Health Care Network in 2016 and another with Memorial Healthcare System in 2017.